How to Spoof SMS Messages
Hello everyone,
In this article, I will show you how to spoof text messages! As usual, I will first focus on the theory and then I will show you how it works in action.
We are all well aware that there are multiple security risks associated with emails attachments but that does not seem to be the case with SMS .
What is SMS Spoofing?
SMS spoofing is a technique used to change the sender’s information (sender’s ID/phone number) while sending a text message. This technique is mostly used by companies for the purpose of marketing and convenience to their customers by replacing their long unknown number with a short and easy to remember alphanumeric sender ID(for example Facebook).
While SMS spoofing has so many useful purposes, it can also be used by threat actors for their evil work. The spoofed texts will often include links to phishing sites or malware downloads. Surprisingly, this is not at all hard to execute.
Can These Attacks be Detected?
It’s a bit hard to detect or trace their original source since the sender’s name and number are replaced with a fake name and number of the attacker’s choice.
Posing as popular organizations, friends or family, cybercriminals deploy social engineering techniques to dupe people into handing over certain sensitive information such as bank details or login credentials. People who fall prey to smishing attacks can have their identities stolen, bank balance down to zero or even end up with malware installed on their system.
Now let’s see how this works in action:
You can either use an SMS gateway or use an online service(like twilio) for this part.
How to Register With Twilio?
1. Go toΒ twilio.com, click on signup and fill up the form:
.
.
2. Create a new project as shown below:
.
.
3. Fill in the details(example):
.
.
4. Once done with the registration, you will be redirected to the console window.
.
.
5. Now to send text messages, you will have to buy a number from twilio
All you have to do is go to phone numbers and click on buy number(you can use your trial balance).
How to Interact With The API?
You can use any programming language supported by twilio to interact with their API but in this article I will be focusing on python which is my favorite.
First we have to install twilio’s python library using the following command:
pip install twilio
Now you can use the following script to interact with the API. You just have to set the sid, auth_token and the message information and run the script.
Basic python script to interact with twilio:
#!/usr/bin/env python from twilio.rest import Client account_sid = 'TWILIO_ACCOUNT_SID' auth_token = 'TWILIO_AUTH_TOKEN' client = Client(account_sid, auth_token) message = client.messages.create(body='Message', from_='+15017122661', to='+15558675310') print(message.sid)
.
.
You can run the script from terminal as follows:
python sms_spoof.py
Now Let’s see run some tests and see if the message is getting delivered or not.
Scenario 1:
.
.
As you can see in the above screenshot, the spoofed text is pretending as if its being sent from my father. So here the chances that vashisht will open any attachment is very high.
Scenario 2:
.
.
Here as you can see in the above screenshot, the spoofed text is pretending as if its being sent from Zaid. As you know zaid is the CEO of zSecurity so the chances that vashisht will download & install that application is very high.
Thanks for Reading π
I hope you find it useful. If you have any questions, you can send me an email at [email protected] π
If you really want to learn social engineering, I highly recommend checking out Zaid’s social engineering course here.
Resources:
You may also like
Identifying Domain controller in a network
24 March, 2023
Access Location, Camera & Mic of any Device ππ€ππ·
23 March, 2023
Common Authentication Bypass Techniques
16 March, 2023
Leave A Reply
You must be logged in to post a comment.
11 Comments
Hi,
On free account Twilio said:
Unable to create record: The From phone number DAD is not a valid, SMS-capable inbound phone number or short code for your account.
More information may be available here:
https://www.twilio.com/docs/errors/21606
Did you buy a number from twilio? If you are using a free account, you will have the use the number itself to send sms from.
i did upgrade the account, i ran the script using the actual twilio number and i received the sms perfectly, when i tried to spoof i got this message::
Unable to create record: The From phone number +1(number) is not a valid, SMS-capable inbound phone number or short code for your account.
More information may be available here:
https://www.twilio.com/docs/errors/21606
any clue?
Does it work with alphanumeric sender id?
It seems like you can only buy random numbers. You can’t, for instance, buy your dad’s number to make the SMS look like it’s actually coming from him. Or am I missing something?
Yes that’s right. Like I said, you should use the script above to specify/change your sender’s ID.
First of all , we need to put our number to get code verify it right sir ?
That’s the limitation while using the trial balance from twilio.
Is there any way you can make a tutorial video or give a link to contact you on the tutorial … Sms spoofing is a handy social engineering tools and I’ve spent alot on Zeid courses…. Please make this tutorial more understanding
I think this article should be enough, you should get into the habit of researching and experimenting if you want to be a good hacker.
If you have any questions, you can send me an email at [email protected] π