Path: csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: "Carlos E. R." Newsgroups: comp.mobile.android Subject: Re: SMS spoofing Date: Thu, 18 Jun 2026 19:14:31 +0200 Lines: 85 Message-ID: References: <97F*NkpJA@news.chiark.greenend.org.uk> <7b1hdr2kzzi0.dlg@v.nguard.lh> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Trace: individual.net AggHV25SLo3ooSPHnPsLOgbt58rvMP96IS2XnTWDFiipEoA7aP Cancel-Lock: sha1:UUuUP0qRa+8FHxLdVxrbGKIA9Ds= sha256:sr/VZG1D/rUHxDFvVT7YRETNqikiABh3FCZv1VAhK1g= User-Agent: Mozilla Thunderbird Content-Language: en-GB In-Reply-To: <7b1hdr2kzzi0.dlg@v.nguard.lh> Xref: csiph.com comp.mobile.android:154224 On 2026-06-18 15:57, VanguardLH wrote: > "Carlos E. R." wrote: > >> On 2026-06-18 12:38, Theo wrote: >>> Carlos E. R. wrote: >>>> «Se ha dado de alta su siniestro 01202600362123, si lo desea realice su >>>> seguimiento en https://oau.ocaso.es/qmVki-fOZ» >>>> >>>> www.ocaso.es is the real, actual URL. >>> >>> The shortcode is interesting - I wonder if it's a redirector that's been >>> hacked in some way. ie in a similar way that https://bit.ly/abc123 could be a >>> redirect to https://evil.site/, anyone who controls the redirector can >>> forward links to their chosen site. That part of their website >>> may be less well defended than the part that deals with money. Maybe it has >>> since been fixed to redirect back to the right place? >>> >>> Although for me it redirects to: >>> https://clientes.ocaso.es/#/login?utm_source=giso&utm_medium=sms&utm_campaign=alta-siniestro >>> >>> The utm_ parts are typically a referrer codes used in tracking, for >>> example commissions for advertising. 'alta-siniestro' is 'claim >>> registration' and utm_medium=sms, so it sounds like a genuine link. >>> >>> Or perhaps somebody in operations had fat fingers and sent SMSes to the >>> wrong people? >> >> There is an extra data point. I logged to www.ocaso.es from my boomarked >> link, logged in normally, and then opened the suspect site on another >> tab. In this situation, the second tab, if genuine, should recognize >> that I'm already logged in, and proceed. But instead it asked for my >> login credentials. > > Another tab seeing you have the same session ID should not request > another login if the webdev did the proper coding. Exactly. That got me convinced it was not legit. > > As I recall for Firefox to see the session ID, hit F12 -> Storage -> > Cookies. You could check if the session ID is the same for both tabs. > Session cookies are reusable at the same domain. I don't know if that > is true for subdomains (www versus oau). Up to the site programming. > Firefox can purge cookies on > its exit, but you aren't exiting. An add-on that putzes with cookies, > like expire them instead of the web browser doing that, could interfere > with using session cookies. > But I don't get that trouble with other sites. > If you use Private Browsing, a new session ID gets generated. That's > how you can use Private Browsing to log in multiple times to a website. > > Did you open 1 tab only in Firefox, navigate to the website, login, open > a 2nd tab in Firefox, and check if you are prompted to login again? Ah. Wait. If I login on https://www.ocaso.es/inicio, I get another tab that ends in https://clientes.ocaso.es/inicio. The first tab doesn't notice the login, and if I click on login it asks again for credentials. So they have a programming issue. And... now I see that they show that I have a claim running! :-o It is subtle to find in the web page. > > Did you disable all add-ons in Firefox? If you still get a login prompt > in every tab you open to a website where you already logged in, and > disabling add-ons did not help, use a fresh Firefox profile to eliminate > all add-ons, all about:config tweaks, userchrome.css, or anything else > you've done under your normal profile to modify Firefox. With a fresh > Firefox profile, test if a 2nd tab still asks for a login when you have > already logged in using the 1st tab. -- Cheers, Carlos E.R. ES🇪🇸, EU🇪🇺;