      How to Spoof SMS Messages

      • Posted by Vashisht Boodhun
      • Date April 18, 2021
      Hello everyone,
      In this article, I will show you how to spoof text messages! As usual, I will first focus on the theory and then show you how it works in action.
      We are all well aware that there are multiple security risks associated with email attachments, but the same awareness does not seem to apply to SMS.

      What is SMS Spoofing?

      SMS spoofing is a technique used to change the sender’s information (sender ID/phone number) when sending a text message. It is mostly used by companies for marketing and for their customers’ convenience, replacing a long unknown number with a short, easy-to-remember alphanumeric sender ID (for example, Facebook).
      While SMS spoofing has many useful purposes, it can also be abused by threat actors. The spoofed texts will often include links to phishing sites or malware downloads. Surprisingly, this is not at all hard to execute.

      Can These Attacks be Detected?

      It is a bit hard to detect these messages or trace their original source, since the sender’s name and number are replaced with a fake name and number of the attacker’s choice.
      Posing as popular organizations, friends or family, cybercriminals use social engineering techniques to dupe people into handing over sensitive information such as bank details or login credentials. People who fall prey to smishing attacks can have their identities stolen, their bank balance drained to zero, or even end up with malware installed on their system.
      Now let’s see how this works in action:
      You can either use an SMS gateway or an online service (like Twilio) for this part.

      How to Register With Twilio?

      1. Go to twilio.com, click on sign up and fill in the form.
      2. Create a new project.
      3. Fill in the project details.
      4. Once done with the registration, you will be redirected to the console window.
      5. To send text messages, you will have to buy a number from Twilio. All you have to do is go to phone numbers and click on buy number (you can use your trial balance).

      How to Interact With The API?

      You can use any programming language supported by Twilio to interact with their API, but in this article I will focus on Python, which is my favorite.
      First, install Twilio’s Python library using the following command:
      pip install twilio
      Now you can use the following script to interact with the API. You just have to set the account SID, the auth token and the message information, then run the script.
      Basic Python script to interact with Twilio:
      #!/usr/bin/env python
      from twilio.rest import Client

      # Credentials from the Twilio console (placeholders)
      account_sid = 'TWILIO_ACCOUNT_SID'
      auth_token = 'TWILIO_AUTH_TOKEN'
      client = Client(account_sid, auth_token)

      # from_ is the sender shown to the recipient, to is the destination number
      message = client.messages.create(body='Message', from_='+15017122661', to='+15558675310')

      # Print the ID Twilio assigned to the message
      print(message.sid)
      You can run the script from the terminal as follows:
      python sms_spoof.py
      Now let’s run some tests and see whether the message gets delivered.
      Scenario 1:
      In this scenario, the spoofed text pretends to be sent from my father, so the chances that Vashisht will open any attachment are very high.
      Scenario 2:
      Here the spoofed text pretends to be sent from Zaid. As you know, Zaid is the CEO of zSecurity, so the chances that Vashisht will download and install that application are very high.
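A receiving-side check for the two scenarios above, as an added example that is not part of the original article: it classifies the sender field and flags a text whose alphanumeric sender ID imitates a saved contact name, or that carries a link from a sender that cannot be verified. The function names, the character and length rules for sender IDs and the sample messages are assumptions made for illustration.

```python
import re

# Sender formats as they appear on the receiving handset.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")        # full international number
SHORT_CODE = re.compile(r"^\d{3,8}$")          # short code (length range is an assumption)
# Assumption: letters, digits and spaces, at most 11 characters, one letter minimum.
ALPHA_ID = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9 ]{1,11}$")
URL = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def sender_kind(sender):
    """Classify the sender field of a received message."""
    s = sender.strip()
    if E164.match(s):
        return "number"
    if SHORT_CODE.match(s):
        return "short_code"
    if ALPHA_ID.match(s):
        return "alphanumeric"
    return "unknown"


def review_sms(sender, body, contacts):
    """Return reasons to distrust a message; contacts maps name -> real number."""
    reasons = []
    kind = sender_kind(sender)
    has_link = bool(URL.search(body))
    if kind == "alphanumeric" and sender.strip().lower() in {n.lower() for n in contacts}:
        # A saved contact sends from a number. A sender field that is literally
        # the contact's name was set by whoever submitted the message.
        reasons.append("sender ID imitates a saved contact name")
    if kind in ("alphanumeric", "unknown") and has_link:
        reasons.append("link from a sender ID with no number behind it")
    if kind == "number" and sender.strip() not in contacts.values() and has_link:
        reasons.append("link from a number not in contacts")
    return reasons


# Constructed sample data (not taken from the article's screenshots).
CONTACTS = {"Dad": "+15017122661", "Zaid": "+15558675310"}
SAMPLES = [
    ("DAD", "Look at this photo http://example.test/photo"),
    ("+15017122661", "Running late, see you at 8"),
    ("+15550001111", "Your parcel is held: www.example.test/track"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, sender_kind(sender), review_sms(sender, body, CONTACTS))
```

A message whose sender field carries a contact's real number passes this check, so any request or link in it still has to be confirmed through another channel.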

      Thanks for Reading 🙂

      I hope you find it useful. If you have any questions, you can send me an email at [email protected] 🙂
      If you really want to learn social engineering, I highly recommend checking out Zaid’s social engineering course here.

      Resources:

      • Twilio
      • Twilio Sending Messages
      • Twilio Python
      Vashisht Boodhun

      Vashisht Boodhun is an ethical hacker, a computer scientist and a python programmer. He just loves hacking and breaking the rules. He has tremendous knowledge in ethical hacking and programming in python. Vashisht is currently working in a CyberSecurity company (zSecurity) based in Ireland as a Teaching Assistant.

        11 Comments

      1. jeamevo
        April 20, 2021

        Hi,
        On free account Twilio said:
        Unable to create record: The From phone number DAD is not a valid, SMS-capable inbound phone number or short code for your account.
        More information may be available here:
        https://www.twilio.com/docs/errors/21606

        • Vashisht Boodhun
          April 23, 2021

          Did you buy a number from twilio? If you are using a free account, you will have to use the number itself to send sms from.

      2. Bruno Cabrera
        May 15, 2021

        I did upgrade the account, I ran the script using the actual twilio number and I received the sms perfectly, when I tried to spoof I got this message:

        Unable to create record: The From phone number +1(number) is not a valid, SMS-capable inbound phone number or short code for your account.

        More information may be available here:

        https://www.twilio.com/docs/errors/21606

        any clue?

        • Vashisht Boodhun
          July 21, 2021

          Does it work with alphanumeric sender id?

      3. Otto
        August 2, 2021

        It seems like you can only buy random numbers. You can’t, for instance, buy your dad’s number to make the SMS look like it’s actually coming from him. Or am I missing something?

        • Vashisht Boodhun
          August 13, 2021

          Yes that’s right. Like I said, you should use the script above to specify/change your sender’s ID.

      4. Tsecurity
        August 8, 2021

        First of all, we need to put our number to get code verify it, right sir?

        • Vashisht Boodhun
          August 13, 2021

          That’s the limitation while using the trial balance from twilio.

      5. nutedHacks
        August 9, 2021

        Is there any way you can make a tutorial video or give a link to contact you on the tutorial … SMS spoofing is a handy social engineering tool and I’ve spent a lot on Zaid’s courses…. Please make this tutorial more understandable

        • Vashisht Boodhun
          August 13, 2021

          I think this article should be enough, you should get into the habit of researching and experimenting if you want to be a good hacker.
          If you have any questions, you can send me an email at [email protected] 🙂
