In this article, I will show you how to spoof text messages! As usual, I will first focus on the theory and then I will show you how it works in action.
We are all well aware that there are multiple security risks associated with emails attachments but that does not seem to be the case with SMS .
What is SMS Spoofing?
SMS spoofing is a technique used to change the sender’s information (sender’s ID/phone number) while sending a text message. This technique is mostly used by companies for the purpose of marketing and convenience to their customers by replacing their long unknown number with a short and easy to remember alphanumeric sender ID(for example Facebook).
While SMS spoofing has so many useful purposes, it can also be used by threat actors for their evil work. The spoofed texts will often include links to phishing sites or malware downloads. Surprisingly, this is not at all hard to execute.
Can These Attacks be Detected?
It’s a bit hard to detect or trace their original source since the sender’s name and number are replaced with a fake name and number of the attacker’s choice.
Posing as popular organizations, friends or family, cybercriminals deploy social engineering techniques to dupe people into handing over certain sensitive information such as bank details or login credentials. People who fall prey to smishing attacks can have their identities stolen, bank balance down to zero or even end up with malware installed on their system.
Now let’s see how this works in action:
You can either use an SMS gateway or use an online service(like twilio) for this part.
How to Register With Twilio?
1. Go to twilio.com, click on signup and fill up the form:
2. Create a new project as shown below:
3. Fill in the details(example):
4. Once done with the registration, you will be redirected to the console window.
5. Now to send text messages, you will have to buy a number from twilio
All you have to do is go to phone numbers and click on buy number(you can use your trial balance).
How to Interact With The API?
You can use any programming language supported by twilio to interact with their API but in this article I will be focusing on python which is my favorite.
First we have to install twilio’s python library using the following command:
pip install twilio
Now you can use the following script to interact with the API. You just have to set the sid, auth_token and the message information and run the script.
Basic python script to interact with twilio:
#!/usr/bin/env python from twilio.rest import Client account_sid = 'TWILIO_ACCOUNT_SID' auth_token = 'TWILIO_AUTH_TOKEN' client = Client(account_sid, auth_token) message = client.messages.create(body='Message', from_='+15017122661', to='+15558675310') print(message.sid)
You can run the script from terminal as follows:
Now Let’s see run some tests and see if the message is getting delivered or not.
As you can see in the above screenshot, the spoofed text is pretending as if its being sent from my father. So here the chances that vashisht will open any attachment is very high.
Here as you can see in the above screenshot, the spoofed text is pretending as if its being sent from Zaid. As you know zaid is the CEO of zSecurity so the chances that vashisht will download & install that application is very high.
Thanks for Reading 🙂
I hope you find it useful. If you have any questions, you can send me an email at [email protected] 🙂
If you really want to learn social engineering, I highly recommend checking out Zaid’s social engineering course here.