Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #144211 > unrolled thread
| Started by | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| First post | 2024-11-23 22:40 +0100 |
| Last post | 2024-11-25 13:28 -0500 |
| Articles | 4 — 3 participants |
Back to article view | Back to comp.mobile.android
Phising via forging the "from" in an SMS message. "Carlos E.R." <robin_listas@es.invalid> - 2024-11-23 22:40 +0100
Re: Phising via forging the "from" in an SMS message. VanguardLH <V@nguard.LH> - 2024-11-23 21:03 -0600
Re: Phising via forging the "from" in an SMS message. "Carlos E.R." <robin_listas@es.invalid> - 2024-11-24 14:35 +0100
Re: Phising via forging the "from" in an SMS message. micky <NONONOmisc07@fmguy.com> - 2024-11-25 13:28 -0500
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2024-11-23 22:40 +0100 |
| Subject | Phising via forging the "from" in an SMS message. |
| Message-ID | <4nu91lx41l.ln2@Telcontar.valinor> |
Hi, Imagine you normally get SMS messages from the bank, and the from is not a number but a name: BANK OF ME Date: now. You made successfully a payment of 10€ to Mr B. And you have a conversation. You trust those messages in your SMS application. They are legit. One day, you get another SMS in the same conversation: BANK OF ME Date: now. Warning, strange movement, please click here http:\\some.bad.link.com But this last message is a fake. The bad guys convince you, they get your credentials and your money. A case like that was seen recently in court here, and the bank lost. They must do more to ensure security, they did not protect their client properly. (in Spanish: https://www.genbeta.com/seguridad/parecia-imposible-condenan-al-bbva-a-reembolsar-dinero-estafado-via-sms-a-clienta-debe-asumir-su-responsabilidad). Now my question is, how did the bad guys insert a false SMS in the same conversation from the bank. They successfully forged the bank name (there is no phone number). What is the hole in the GSM network that allows this forgery? (I have similarly forged texts in my phone, I have direct first hand proof). -- Cheers, Carlos.
[toc] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2024-11-23 21:03 -0600 |
| Message-ID | <s31odbc8uyue$.dlg@v.nguard.lh> |
| In reply to | #144211 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > Hi, > > Imagine you normally get SMS messages from the bank, and the from is not > a number but a name: > > BANK OF ME > Date: now. > You made successfully a payment of 10€ to Mr B. > > And you have a conversation. You trust those messages in your SMS > application. They are legit. One day, you get another SMS in the same > conversation: > > BANK OF ME > Date: now. > Warning, strange movement, please click here http:\\some.bad.link.com > > But this last message is a fake. The bad guys convince you, they get > your credentials and your money. A case like that was seen recently in > court here, and the bank lost. They must do more to ensure security, > they did not protect their client properly. > > (in Spanish: > https://www.genbeta.com/seguridad/parecia-imposible-condenan-al-bbva-a-reembolsar-dinero-estafado-via-sms-a-clienta-debe-asumir-su-responsabilidad). > > Now my question is, how did the bad guys insert a false SMS in the same > conversation from the bank. They successfully forged the bank name > (there is no phone number). What is the hole in the GSM network that > allows this forgery? > > (I have similarly forged texts in my phone, I have direct first hand proof). Worse is when you get a text that doesn't say who the hell sent it, just some digit string that never identifies the sender. I never respond to those unless their content is something I expect to receive, like the grocer saying their driver is leaving to deliver the goods I ordered. Smishing https://www.ibm.com/topics/smishing https://www.proofpoint.com/us/threat-reference/smishing I don't want to get into the details on how a scammer can spoof the sender ID in an SMS message since that seems an inappropriate "how to smish" enabler to to wannabe aholes. Search on "sms spoofing". Spoofing is not always illegal or with malicious intent. For example, I use Google Voice to receive and make calls. They will remove the sender ID from my outbound call to replace with my GV phone number, so the recipient sees my GV number, not the true number for whatever carrier my cell phone is using. That way, my callees see my number which they recognize or is in their Contacts lists, and they call me back on my GV number which call all my phones in my GV account using simultaneous ring. Callees see my GV number, not my cell phone's carrier-assigned number. https://www.infobip.com/glossary/sms-spoofing You can even find apps that let you spoof your sender ID, but I suspect they incorporate some shady SMS provider that lets the user specify the sender ID differently than is recorded, if anything, at the service. SMS is not a secure communications venue. It's not even encrypted nor has guaranteed delivery, just like e-mail. So, the pretense that sending 2FA codes via SMS or e-mail makes a login more secure (what you know plus what you have) is a lie since insecure and non-guaranteed delivery communication venues are employed. Yep, use insecure communication to secure a login, and all started because users are lazy boobs who don't use strong and *unique* passwords at each domain.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2024-11-24 14:35 +0100 |
| Message-ID | <mlmb1lxsgi.ln2@Telcontar.valinor> |
| In reply to | #144287 |
On 2024-11-24 04:03, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> Hi,
>>
>> Imagine you normally get SMS messages from the bank, and the from is not
>> a number but a name:
>>
>> BANK OF ME
>> Date: now.
>> You made successfully a payment of 10€ to Mr B.
>>
>> And you have a conversation. You trust those messages in your SMS
>> application. They are legit. One day, you get another SMS in the same
>> conversation:
>>
>> BANK OF ME
>> Date: now.
>> Warning, strange movement, please click here http:\\some.bad.link.com
>>
>> But this last message is a fake. The bad guys convince you, they get
>> your credentials and your money. A case like that was seen recently in
>> court here, and the bank lost. They must do more to ensure security,
>> they did not protect their client properly.
>>
>> (in Spanish:
>> https://www.genbeta.com/seguridad/parecia-imposible-condenan-al-bbva-a-reembolsar-dinero-estafado-via-sms-a-clienta-debe-asumir-su-responsabilidad).
>>
>> Now my question is, how did the bad guys insert a false SMS in the same
>> conversation from the bank. They successfully forged the bank name
>> (there is no phone number). What is the hole in the GSM network that
>> allows this forgery?
>>
>> (I have similarly forged texts in my phone, I have direct first hand proof).
>
> Worse is when you get a text that doesn't say who the hell sent it, just
> some digit string that never identifies the sender. I never respond to
> those unless their content is something I expect to receive, like the
> grocer saying their driver is leaving to deliver the goods I ordered.
>
> Smishing
> https://www.ibm.com/topics/smishing
> https://www.proofpoint.com/us/threat-reference/smishing
>
> I don't want to get into the details on how a scammer can spoof the
> sender ID in an SMS message since that seems an inappropriate "how to
> smish" enabler to to wannabe aholes. Search on "sms spoofing".
> Spoofing is not always illegal or with malicious intent. For example, I
> use Google Voice to receive and make calls. They will remove the sender
> ID from my outbound call to replace with my GV phone number, so the
> recipient sees my GV number, not the true number for whatever carrier my
> cell phone is using. That way, my callees see my number which they
> recognize or is in their Contacts lists, and they call me back on my GV
> number which call all my phones in my GV account using simultaneous
> ring. Callees see my GV number, not my cell phone's carrier-assigned
> number.
>
> https://www.infobip.com/glossary/sms-spoofing
>
> You can even find apps that let you spoof your sender ID, but I suspect
> they incorporate some shady SMS provider that lets the user specify the
> sender ID differently than is recorded, if anything, at the service.
>
> SMS is not a secure communications venue. It's not even encrypted nor
> has guaranteed delivery, just like e-mail. So, the pretense that
> sending 2FA codes via SMS or e-mail makes a login more secure (what you
> know plus what you have) is a lie since insecure and non-guaranteed
> delivery communication venues are employed. Yep, use insecure
> communication to secure a login, and all started because users are lazy
> boobs who don't use strong and *unique* passwords at each domain.
The second link you posted, from proofpoint, has some precise information:
Message Delivery: Using SMS gateways, spoofing tools, or infected
devices, the attacker sends out the smishing message to their selected
targets.
It appears they can use email to sms gateways. That's the weak point.
And some shady provider, as you mention.
It could be detected if the message would contain "hidden" tracking
information, like email do. Look at the headers. But SMSs do not contain
that information. At least, even if tap on "details", there is no such info.
--
Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | micky <NONONOmisc07@fmguy.com> |
|---|---|
| Date | 2024-11-25 13:28 -0500 |
| Message-ID | <f1f9kjljdovlk23tgltv2v0as9a2b0h0j5@4ax.com> |
| In reply to | #144295 |
In comp.mobile.android, on Sun, 24 Nov 2024 14:35:18 +0100, "Carlos E.R." <robin_listas@es.invalid> wrote: >On 2024-11-24 04:03, VanguardLH wrote: >> "Carlos E.R." <robin_listas@es.invalid> wrote: >> >>> Hi, >>> >>> Imagine you normally get SMS messages from the bank, and the from is not >>> a number but a name: >>> >>> BANK OF ME >>> Date: now. >>> You made successfully a payment of 10€ to Mr B. >>> >>> And you have a conversation. You trust those messages in your SMS >>> application. They are legit. One day, you get another SMS in the same >>> conversation: >>> >>> BANK OF ME >>> Date: now. >>> Warning, strange movement, please click here http:\\some.bad.link.com >>> >>> But this last message is a fake. The bad guys convince you, they get Okay, you've convinced me. I've avoid texting but I'll definitely avoid serious or money-related conversations. >>> your credentials and your money. A case like that was seen recently in >>> court here, and the bank lost. They must do more to ensure security, >>> they did not protect their client properly. >>> >>> (in Spanish: >>> https://www.genbeta.com/seguridad/parecia-imposible-condenan-al-bbva-a-reembolsar-dinero-estafado-via-sms-a-clienta-debe-asumir-su-responsabilidad). Fortunately I read Spanish pretty well. When I was in Guatemala in January for 3 weeks, it took me about 4 days to get up to speed but I think I can speak it pretty well too. I don't understand much. If only people wouldn't talk so fast. On my first trip, 53 years ago, a guy came up to me on the street and said "Corazon!" [means heart] I'm bad with faces, and I thought, Maybe we're good friends, or maybe I don't know him and he's gay." Finally he pointed at my watch and I realized he was saying "Que horas son?". >>> Now my question is, how did the bad guys insert a false SMS in the same >>> conversation from the bank. They successfully forged the bank name >>> (there is no phone number). What is the hole in the GSM network that >>> allows this forgery? >>> >>> (I have similarly forged texts in my phone, I have direct first hand proof). >> >> Worse is when you get a text that doesn't say who the hell sent it, just >> some digit string that never identifies the sender. I never respond to >> those unless their content is something I expect to receive, like the >> grocer saying their driver is leaving to deliver the goods I ordered. >> >> Smishing >> https://www.ibm.com/topics/smishing >> https://www.proofpoint.com/us/threat-reference/smishing >> >> I don't want to get into the details on how a scammer can spoof the >> sender ID in an SMS message since that seems an inappropriate "how to >> smish" enabler to to wannabe aholes. Search on "sms spoofing". >> Spoofing is not always illegal or with malicious intent. For example, I >> use Google Voice to receive and make calls. They will remove the sender >> ID from my outbound call to replace with my GV phone number, so the >> recipient sees my GV number, not the true number for whatever carrier my >> cell phone is using. That way, my callees see my number which they >> recognize or is in their Contacts lists, and they call me back on my GV >> number which call all my phones in my GV account using simultaneous >> ring. Callees see my GV number, not my cell phone's carrier-assigned >> number. >> >> https://www.infobip.com/glossary/sms-spoofing >> >> You can even find apps that let you spoof your sender ID, but I suspect >> they incorporate some shady SMS provider that lets the user specify the >> sender ID differently than is recorded, if anything, at the service. >> >> SMS is not a secure communications venue. It's not even encrypted nor >> has guaranteed delivery, just like e-mail. So, the pretense that >> sending 2FA codes via SMS or e-mail makes a login more secure (what you >> know plus what you have) is a lie since insecure and non-guaranteed >> delivery communication venues are employed. Yep, use insecure >> communication to secure a login, and all started because users are lazy >> boobs who don't use strong and *unique* passwords at each domain. > > >The second link you posted, from proofpoint, has some precise information: > > Message Delivery: Using SMS gateways, spoofing tools, or infected >devices, the attacker sends out the smishing message to their selected >targets. > >It appears they can use email to sms gateways. That's the weak point. I've learned to do that and I love it. Don't have to turn on my phone ir hunt and peck with tiny fingers to reach a friend** who is out all day and doesnt' read email until she gets home, but looks at texts. Or my brother or sil who never read their email. **If it's important, I can nag her by sending a text and an eamil at the same time, just by typing 7 more characters. And if she replies, it comes to my email, not my phone!! How great is that! https://www.ipqualityscore.com/free-carrier-lookup This one gives everything (almost) including name of carrier and domain for emailing. https://freecarrierlookup.com/ This one gives a lot less information except it gives two email addresses. SMS was the original texting, and MMS stands for multimedia if you want to include a picture or sound. But MMS will also work if there is only text. [Yes, you guys know this but I'm copying a letter I sent to a friend.] https://www.hlrlookup.com/ This one is just tells which cellphone provider goes with the phone number but you still need to know the suffix, domain, the part after the @ sign. There are other separate pages that will give the domain if you know the carrier, but now I just use the first two on this page. >And some shady provider, as you mention. > >It could be detected if the message would contain "hidden" tracking >information, like email do. Look at the headers. But SMSs do not contain >that information. At least, even if tap on "details", there is no such info. Web bugs are html links, in the hypertext, that display on the screen with 0 length. Do texts even have hypertext?
[toc] | [prev] | [standalone]
Back to top | Article view | comp.mobile.android
csiph-web