Re: SMS spoofing

From VanguardLH <V@nguard.LH>
Newsgroups comp.mobile.android
Subject Re: SMS spoofing
Date 2026-06-18 03:36 -0500
Organization Usenet Elder
Message-ID <s3crs4nq1d5n.dlg@v.nguard.lh>
References <n9hmvmF3t7sU3@mid.individual.net>


"Carlos E. R." <robin_listas@es.invalid> wrote:

> Yesterday I received an SMS from my home insurance company saying that 
> they had registered my claim, go and see it at this link. The URL seems 
> the real one, at least visually.
> 
> But I had not put any claim, and the site asked for my login/pass. I 
> suspected.
> 
> Today I entered the insurance site from my records. No claims listed. I 
> saw a chat (computer trouble) and I asked. They said it is probably 
> phishing, delete it. Phone the insurance to ask if I have some pending 
> claim if in doubt.
> 
> So, the thing is they impersonated the sender. I don't know what is 
> wrong in the URL. I have the suspicion that RCS, as it works with 
> certificates, could avoid or signal these troubles.
> 
> If you are curious, this is the SMS:
> 
> «Se ha dado de alta su siniestro 01202600362123, si lo desea realice su 
> seguimiento en https://oau.ocaso.es/qmVki-fOZ»
> 
> www.ocaso.es is the real, actual URL.

The URL may look correct to your eyes, but it could be using IDN
(Internationalized Domain Name) encoding, like UTF-8, which allows more
than the ASCII charset in a URL.  With the IDN charset, there are lots
of look-alike characters facilitating a homograph attack.  IDN URLs are
valid, but too often used by scammers to make a URL look like it's
pointing to a legit domain.

https://en.wikipedia.org/wiki/Internationalized_domain_name

https://en.wikipedia.org/wiki/Punycode

Chrome and Edge (a Chromium derivative) will show the punycode version
of an IDN URL to prevent homograph attacks.  In Firefox, you have to
edit a punycode setting in about:config:

  network.IDN_show_punycode = true
  
Sometimes Firefox will show the punycode version of an IDN URL,
sometimes not.

https://wiki.mozilla.org/IDN_Display_Algorithm

When I used Firefox, I didn't want a guessing game on the URLs.  I set
the punycode option in about:config to always show punycode.  I'm in the
USA, and there is no place I visit that would need to use UTF-8, or
anything other than ASCII, in its URLs even when visiting sites in other
countries.  However, you're in Spain, I think, and IDNs are more common
in other countries.

Or they used the old trick of look-alike ASCII characters, like 1 (one)
and l (el) looking similar, especially when inside a string.

When you copy & paste the suspicious URL, we see what you see, not the
actual encoding of an IDN URL.

You mention you got the URL in an SMS text.  I don't recall any SMS or
e-mail app showing punycode instead of IDN, except with e-mail you might
be able to look at the raw source.  So, the only way you could tell it
was a phishing website using IDNs would be to click on the URL to see
what the address bar shows in the web browser.
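
The check discussed above can be done on the SMS text without opening the link. The following is an added example, not part of the original post: it converts the host to its punycode form with Python's built-in `idna` codec, flags IDN and mixed-script labels, and compares the host against the domain you expect. The function names and the two look-alike URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

REAL_URL = "https://oau.ocaso.es/qmVki-fOZ"            # URL quoted in the post
HOMOGRAPH_URL = "https://oau.oc\u0430so.es/example"    # constructed: Cyrillic U+0430 replaces Latin "a"
ASCII_LOOKALIKE_URL = "https://oau.0caso.es/example"   # constructed: digit zero replaces letter "o"

def label_scripts(label):
    """Scripts used by the letters of one DNS label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_url(url, expected_domain):
    """Return the punycode host, whether it lies under expected_domain, and IDN warnings."""
    host = urlsplit(url).hostname or ""
    try:
        ascii_host = host.encode("idna").decode("ascii")           # form used on the wire
        unicode_host = ascii_host.encode("ascii").decode("idna")   # form a reader sees
    except UnicodeError as exc:
        return {"ascii_host": None, "matches_expected": False,
                "flags": [f"invalid host name: {exc}"]}
    flags = []
    for shown, wire in zip(unicode_host.split("."), ascii_host.split(".")):
        if wire.startswith("xn--"):
            flags.append(f"IDN label: displayed {shown!r}, resolves as {wire!r}")
        scripts = label_scripts(shown)
        if len(scripts) > 1:
            flags.append(f"mixed scripts in {shown!r}: {sorted(scripts)}")
    # The ASCII comparison also catches plain look-alikes such as 0/o or 1/l,
    # which punycode display cannot reveal.
    matches = ascii_host == expected_domain or ascii_host.endswith("." + expected_domain)
    return {"ascii_host": ascii_host, "matches_expected": matches, "flags": flags}

if __name__ == "__main__":
    for url in (REAL_URL, HOMOGRAPH_URL, ASCII_LOOKALIKE_URL):
        result = inspect_url(url, "ocaso.es")
        print(result["ascii_host"], result["matches_expected"], result["flags"])
```

A URL that passes both checks only shows that the link points into the expected domain; it says nothing about who sent the SMS.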
