So, we looked into the fake phone call to Mr 10%'s office. We even did a little HOWTO. If you recall, we concluded that you needed a bulk SIP carrier sufficiently unscrupulous or clue-light that they didn't verify the CLI string you passed them, but who hadn't yet offended at least one major telco in good standing. That, and a copy of Asterisk.
Here's something really interesting. The Indian government has just issued a dossier. (Yeah, one of them.) What purports to be a copy is here. In it, it is claimed that the terrorists who attacked Mumbai received calls from a telephone number assigned by a small US SIP provider, which among other things offers a virtual-number service. This essentially forwards calls to that number to any user-defined number, SIP id, or what have you.
According to the Indian side, the person who bought the number stated that they were in India, but the bill was paid in advance with a wire transfer originating in Pakistan. The company in question, interestingly enough, offers numbers in Pakistan; but we know that the call to the Pakistani presidency identified as coming from a number in India. There is more information in this article; apparently they also registered inbound numbers (DIDs) in Austria at the same time.
This looks a lot like a reasonable set up to obfuscate the other parties to the calls, whoever they were. It's also interesting to see that the terrorists made at least one serious mistake; they left a satellite phone on the trawler they used to launch the attack. This is likely to be an important source of information that somebody really should have thrown in the sea.