SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a Junior in College, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Thursday, November 20, 2014

Analysis of Swatting Methods and Potential Ways of Complicating Investigations in the Future


Hello all, it's been a good long while since I posted any security-related ideas or analysis, and as such I felt it was time to post something new.

WARNING: I do not condone any types of malware, as they are illegal to install on any other person's system. I also don't condone placing any fake/illegitimate calls to the police in order to initiate the prank itself. Finally, I do not condone anyone using any of the below mentioned techniques; this is all simply theoretical and my beliefs on how the future of such calls will be made in order to prevent prosecution of the originating caller themselves. Please do not use either of the below methods or discussed specific ideas for anything other than educational reasons. The below 2 theories are only a handful of the potential future methods hackers may use to abuse the protective systems of our Police SWAT members.

As most of you are aware, a rather new type of commonly used prank has surfaced called "Swatting". This prank relies on 3 main factors.
  1. A target for the actual SWAT raid to be used against.
  2. A story that an emergency 911 operator can believe.
  3. Finally, the call must be made to start the process of the police actually performing the SWAT raid on your target.
What has been used thus far for many of these SWAT incidents are VoIP calling services, or burner phones that are bought with cash and then disposed of as soon as the call is made to the police station.
However, both of the methods used thus far have many issues that can result in the calls being back traced or back logged to the original caller's identity.

There are many ways these systems can be backlogged/reviewed to determine the caller's identity, which is why these methods have led to arrests of people in the past. However, there are other options for how to make such calls without them being backtraced to the actual caller in the first place. I will describe in detail below how a person could make these calls and remove any digital methods of backtracing who initiated the call itself.

Now it should go without saying that any use of a computer at all should be done on a system that has a virtual machine running on it that is encrypted and then deleted following any research or use of the system. Then obviously the physical drives should be wiped and the computer should never be used for any other reason. Also, though it may not seem obvious, any IPs, hardware addresses, etc. should all be spoofed. Using any identifying medium is just asking for trouble.
--------------------------------------------------------------------------------------------------------------------------

1st Theory - Using Malware to Create Degrees of Separation.

A malicious individual who wants to make the call itself seem more legitimate might want to determine the best way to go about writing the malware that would allow this to take place. The language of the malware is not as important as the need to make it more universal as to the types of machines that it can affect. The potential features of such malware would include the following.

  1. A check for whether or not the GEOIP location of the infected machine has been registered as being infected in the past. This is important to limit the targets down to only 1 machine per GEOIP location; this will play into creating more authentic-looking calls to police stations.
  2. The backend connection would be made through either the I2P or Tor network to allow a more anonymous and harder to block method of communication. The check for whether a GEOIP location for the IP had been previously infected would be made through this network in a decentralized manner. If the reply back stated it had a machine already infected at that location then the malware would remove itself and take various methods to erase its digital tracks. The GEOIP lookup would be performed in a non-anonymous manner from the infected machine itself to get the public facing IP address location instead of the one I2P or Tor may provide.
  3. The malware would exploit a free online service such as https://www.spooftel.com/freecall/ to spoof the caller ID and number origin that would initially be seen by 911 operators for the target police station; this would allow the police to take the caller's word with more initial belief.
  4. The malware would also need to have its own set of default stories to draw from, and the malware would want to have a realistic Text-to-Speech backend from one of the many public libraries for Text-to-Speech available.
  5. In order to be able to launch a targeted attack (phone call to get SWAT to raid a target) the malware would need to perform a lookup every so often (randomized time value to eliminate pattern recognition detections; however it would need to vary between 10-60 minutes to avoid extensive network traffic). The lookup would request specifically whether a target had been named yet for the end result phone call; if it had, then a secondary check would verify if any other infected host had made a phone call yet to the target phone number. The previous lookup would need to also have an address returned to the malware as to where the target's address is in order to read it off to the operator.
  6. The malware would then place the call using the text-to-speech library to read out one of the pre-written stories. The malware would need to monitor the incoming sound to the VoIP call itself in order to recognize if any operator had answered the phone call yet, if it detected that they had then it would begin to read the pre-written story into the VoIP call and then hang up as if the line had been forcibly disconnected by the target mentioned in the call. 
  7. Finally, the last step would be the malware would remove itself and any libraries or digital records that could prove that the malware had existed on the machine in the first place.
  8. The obfuscation needed to bypass most if not all anti-malware detection services would be to use encryption that was based on a unique factor of the infected machine such as its listed MAC address; that would be the encryption and decryption key for each section of the malware. The malware would also need to exploit types of file modification that are not able to be seen as malicious by anti-malware companies. An example would be to make changes to the files using packing software used by games and such. This would help bypass de-obfuscation techniques while also making it so the anti-virus couldn't detect malicious file actions being taken. This would also make it much harder to deploy updates that could unpack the malware.
The pros of the above plan are that backtracing the digital footsteps of the call origin would be nearly impossible. Also, the originating call would originate from or near the intended target in the first place to make the call more authentic. A simple check through online distance mapping software would be made for each infected machine before it made the call; this query would be made only if none of the infected machines had the same origin city/state as the target. The reply would be sent only if within, let's say, 50 miles of the target city or from the same city.

The cons are that first you would need to write the malware that bypassed the anti-virus/anti-malware services available, that bypassed behavior detection techniques (running a script from the origin program can commonly confuse behavior detection techniques), and finally a method of delivering the malware would need to be both very public as well as appearing to be trustworthy. Also, the time required to infect tens of thousands of machines that had unique GEOIP locations could take a very long time. The person making the call would need to worry about their malware being detected as well as how they could communicate to the malware in an anonymous manner to initiate the attack in the first place.
--------------------------------------------------------------------------------------------------------------------------
2nd Theory - Using mobile technology as an asset.

Now this theory would be harder to implement in both a reliable and hard to trace back manner. The requirements for this second theory are the following.

  1. The malicious caller would need to purchase phones for cash in a much harder to track manner. The ideas would be to travel out of state and purchase a burner phone for cash in a retail environment. The perfect time to do this would be during the winter as you have an excuse for wearing a jacket or coat that would help hide your physical identity.
  2. The burner phone would need to be off until the call is to be made against the target. This is to prevent any track records of where and when the phone connected to the networks previous to the call.
  3. The call should also be made from a location/area that has little to no cameras, and it would probably be better to make it very early in the morning, say 4-5am; this would give time for SWAT to prepare for the raid of the target.
  4. The caller should not use their own voice or even their own voice with a voice changer. Again relying on a text-to-speech software would help eliminate being traced back through your voice.
  5. All of this combined would make it so you're not recognized through your voice, number, or physical appearance when the phone was purchased. This would eliminate nearly every method of backtracing the original caller.
The pros of this method are that the resources required to implement such a solution are very limited, and by eliminating all the identifying factors it should be nearly impossible to trace back to the origin.

The cons are that you would need to wait an extended amount of time before placing the calls after purchasing the phone. In the above example, waiting 4-6 months or even a year might be best to eliminate video/audio records from in-store cameras and witness statements about who actually bought the phone. If you made the call a short time after purchasing the phone, then people may still remember who bought the phone and when, since it was a short time before they were questioned.
