PREFACE: The point of this post is to describe what I did and how it resulted in accomplishing my intended goal. Some of the details in this story have been changed to protect the identity of people who I expect would prefer to remain anonymous.
This begins a fairly interesting situation I found myself in late last week. Towards the middle of the day, my cellphone started ringing multiple times an hour, mostly from different numbers and area codes. Unless I’m expecting a call or recognize the number, I generally ignore incoming calls and let them leave a voicemail. If it’s important, they’ll eventually leave a voicemail.
After the fifth call, I began to wonder if this was being done intentionally out of spite, since there are more than enough people on this planet that both dislike me and are infantile enough to do something like this. Anyways, my voicemails are automatically transcribed (with varying accuracy), so I can read the transcription and usually figure out why someone is calling. When I saw this voicemail transcription, it definitely piqued my curiosity:
Hello, Bob this is Tom with [redacted company name] calling in regards to a transport of your 1950 vehicle you want to transfer from South Carolina to New York. We’re actually coordinating some lowe’s in the area and thought you’d be interested in our services. We’re a 5 star company fully licensed and bonded by the department of transportation. You can reach me at 555 555 5555 again that number is 555 555 5555.
First off, my name isn’t Bob, I’ve never lived in South Carolina, I don’t own a 1950’s vehicle (or any motorized vehicle), and I have no intention of moving to New York. I ended up calling this company back, spoke with Tom, explained that he called me earlier, thinking my name was Bob and I’m looking to move a 1950’s vehicle from South Carolina to New York. I then explained that my name is definitely not Bob, I don’t own any motorized vehicle, and I’d like to know how he obtained my telephone number.
Tom explained to me that he got my phone number from an online web form that someone filled out. Perfect, time for some answers. This is where I put my social engineering skills to use. I proposed that if Tom could email me all the information he has from the web form he mentioned, I would contact whoever provided my phone number, then give that person the contact information for the company he’s calling on behalf of. Tom quickly agreed to this, so I gave him my email address and waited, feeling like I had made some progress.
At this point, I know that a person named Bob from South Carolina is looking to move a 1950s vehicle (likely, a vintage car in good condition) to New York.Twenty minutes and three more telephone calls later, I hadn’t received an email like Tom said he was going to send, so I called the next company that left a voicemail. The second call was essentially the same as the first, though, the email I ended up receiving wasn’t exactly what I was expecting. Instead of the raw data obtained from the web form, what I received was basically an automated email. The person I spoke to replaced the original email address associated with the quote request with mine, then had their system send me a quote.
At first, I thought I hit another dead end until I kept reading the email. Most of it was marketing and PR drivel (and that grammar is terrifying), but it gave me a little bit more information:
Now I know where in South Carolina this person is located and where in New York the car is being shipped to. Further down the email was a URL with an unique key/value query in it. Clicking it brought up a web page with some personal information filled out. Namely, Bob’s last name.
After less than an hour of investigating, I now have the full name, city, and state of the person that has been using my telephone number. Leveraging my advanced Google searching skills, I was able to obtain the home telephone number and address of the person who had requested all these quotes. At this point, the only thing I can do is call them, explain the situation, and convince them to stop. Unfortunately, it wasn’t that easy.
While I did find the correct address and telephone number, it didn’t occur to me that the person who was filling out these web forms with my cellphone number had already moved from South Carolina to New York, which is exactly what happened. The person on the other end of the phone had recently bought the house and had no idea where the old owner was staying or how to contact them, but I wasn’t giving up that easily.
I started trying to cross reference any telephone records with Bob’s last name in the area of NY he moved to, which didn’t pan out. Then it hit me. The simplest explanation for what is happening here is best referred to as ID 10 T error. I also happened to be from New York and still have the same cellphone number that I’ve had for nearly a decade, which shares the same area code as the area of New York that Bob is moving to. Using http://www.411.com/white-pages/, I was able to look up not just the area code, but the top prefixes for that area. Go figure, there are only four and one of them is almost identical to mine, with the exception of the sixth digit. For the visually inclined people reading this, the first six digits of my hypothetical telephone number looks like this:
and one of the top prefixes looks like:
To test my theory, I dialed the similar prefix, using the last four numbers of my cellphone number to meet the required 10 digits. After a couple rings, a woman answered the phone. I replied by asking for Bob, to which I was told “let me see if he’s available”. Score!
Long story short, Bob’s wife had filled out a single web form earlier in the day, which apparently was distributed to an entire network of vehicle moving companies all the way down the eastern seaboard from Massachusetts to Florida. My theory was that since they had just moved into the house, they either weren’t familiar with typing out their new telephone number or absentmindedly hit the wrong number on the keyboard and this was all an honest mistake. Ironically, Bob was wondering why he hadn’t received any calls with quotes. While I’m still receiving the occasional call from moving companies (I received two while typing this story out), I now know why they’re calling me in the first place and I’ve been able to give them the correct number to reach Bob at so they stop continuing to call me.
Moral of the story: make sure you’re entering correct contact information when filling out web forms, especially when requesting quotes for a service. If I were a less than honest person, I could have taken advantage of Bob’s mistake by impersonating a moving company.