


SMS spoofing

Started by: "Carlos E. R." <robin_listas@es.invalid>
First post: 2026-06-18 10:01 +0200
Last post: 2026-06-20 01:14 +0200
Articles: 10 on this page of 30 — 7 participants



Contents

  SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 10:01 +0200
    Re: SMS spoofing VanguardLH <V@nguard.LH> - 2026-06-18 03:36 -0500
      Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 14:04 +0200
        Re: SMS spoofing Andy Burns <usenet@andyburns.uk> - 2026-06-18 13:07 +0100
          Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 14:18 +0200
        Re: SMS spoofing VanguardLH <V@nguard.LH> - 2026-06-18 08:40 -0500
          Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 19:00 +0200
            Re: SMS spoofing AJL <noemail@none.com> - 2026-06-18 18:08 +0000
              Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 20:49 +0200
            Re: SMS spoofing VanguardLH <V@nguard.LH> - 2026-06-19 01:05 -0500
              Re: SMS spoofing Andy Burns <usenet@andyburns.uk> - 2026-06-19 07:46 +0100
                Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-19 12:12 +0200
                Re: SMS spoofing VanguardLH <V@nguard.LH> - 2026-06-20 03:14 -0500
                  Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-20 10:25 +0200
              Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-19 12:11 +0200
    Re: SMS spoofing Andy Burns <usenet@andyburns.uk> - 2026-06-18 10:13 +0100
      Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 14:05 +0200
    Re: SMS spoofing Theo <theom+news@chiark.greenend.org.uk> - 2026-06-18 11:38 +0100
      Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 14:10 +0200
        Re: SMS spoofing Philippe <p.naudin+nntp@free.fr> - 2026-06-18 14:48 +0200
        Re: SMS spoofing VanguardLH <V@nguard.LH> - 2026-06-18 08:57 -0500
          Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-18 19:14 +0200
    Re: SMS spoofing AJL <noemail@none.com> - 2026-06-18 15:56 +0000
    Re: SMS spoofing Jörg Lorenz <hugybear@gmx.net> - 2026-06-19 09:13 +0200
      Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-19 12:13 +0200
        Re: SMS spoofing Jörg Lorenz <hugybear@gmx.net> - 2026-06-19 14:16 +0200
          Re: SMS spoofing Theo <theom+news@chiark.greenend.org.uk> - 2026-06-19 17:22 +0100
            Re: SMS spoofing Jörg Lorenz <hugybear@gmx.net> - 2026-06-19 21:23 +0200
            Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-20 01:17 +0200
          Re: SMS spoofing "Carlos E. R." <robin_listas@es.invalid> - 2026-06-20 01:14 +0200



#154221

From: VanguardLH <V@nguard.LH>
Date: 2026-06-18 08:57 -0500
Message-ID: <7b1hdr2kzzi0.dlg@v.nguard.lh>
In reply to: #154217
"Carlos E. R." <robin_listas@es.invalid> wrote:

> On 2026-06-18 12:38, Theo wrote:
>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>> «Your claim 01202600362123 has been registered; if you wish, you can
>>> track it at https://oau.ocaso.es/qmVki-fOZ»
>>>
>>> www.ocaso.es is the real, actual URL.
>> 
>> The shortcode is interesting - I wonder if it's a redirector that's been
>> hacked in some way.  ie in a similar way that https://bit.ly/abc123 could be a
>> redirect to https://evil.site/, anyone who controls the redirector can
>> forward links to their chosen site.  That part of their website
>> may be less well defended than the part that deals with money.  Maybe it has
>> since been fixed to redirect back to the right place?
>> 
>> Although for me it redirects to:
>> https://clientes.ocaso.es/#/login?utm_source=giso&utm_medium=sms&utm_campaign=alta-siniestro
>> 
>> The utm_ parts are typically referrer codes used in tracking, for
>> example commissions for advertising.  'alta-siniestro' is 'claim
>> registration' and utm_medium=sms, so it sounds like a genuine link.
>> 
>> Or perhaps somebody in operations had fat fingers and sent SMSes to the
>> wrong people?
> 
> There is an extra data point. I logged in to www.ocaso.es from my bookmarked 
> link, logged in normally, and then opened the suspect site on another 
> tab. In this situation, the second tab, if genuine, should recognize 
> that I'm already logged in, and proceed. But instead it asked for my 
> login credentials.

Another tab seeing you have the same session ID should not request
another login if the webdev did the proper coding.

As I recall for Firefox to see the session ID, hit F12 -> Storage ->
Cookies.  You could check if the session ID is the same for both tabs.
Session cookies are reusable at the same domain.  I don't know if that
is true for subdomains (www versus oau).  Firefox can purge cookies on
its exit, but you aren't exiting.  An add-on that putzes with cookies,
like expire them instead of the web browser doing that, could interfere
with using session cookies.

If you use Private Browsing, a new session ID gets generated.  That's
how you can use Private  Browsing to log in multiple times to a website.

Did you open 1 tab only in Firefox, navigate to the website, login, open
a 2nd tab in Firefox, and check if you are prompted to login again?

Did you disable all add-ons in Firefox?  If you still get a login prompt
in every tab you open to a website where you already logged in, and
disabling add-ons did not help, use a fresh Firefox profile to eliminate
all add-ons, all about:config tweaks, userchrome.css, or anything else
you've done under your normal profile to modify Firefox.  With a fresh
Firefox profile, test if a 2nd tab still asks for a login when you have
already logged in using the 1st tab.



#154224

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2026-06-18 19:14 +0200
Message-ID: <n9inbnF97blU3@mid.individual.net>
In reply to: #154221
On 2026-06-18 15:57, VanguardLH wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote:
> 
>> On 2026-06-18 12:38, Theo wrote:
>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>> «Your claim 01202600362123 has been registered; if you wish, you can
>>>> track it at https://oau.ocaso.es/qmVki-fOZ»
>>>>
>>>> www.ocaso.es is the real, actual URL.
>>>
>>> The shortcode is interesting - I wonder if it's a redirector that's been
>>> hacked in some way.  ie in a similar way that https://bit.ly/abc123 could be a
>>> redirect to https://evil.site/, anyone who controls the redirector can
>>> forward links to their chosen site.  That part of their website
>>> may be less well defended than the part that deals with money.  Maybe it has
>>> since been fixed to redirect back to the right place?
>>>
>>> Although for me it redirects to:
>>> https://clientes.ocaso.es/#/login?utm_source=giso&utm_medium=sms&utm_campaign=alta-siniestro
>>>
>>> The utm_ parts are typically referrer codes used in tracking, for
>>> example commissions for advertising.  'alta-siniestro' is 'claim
>>> registration' and utm_medium=sms, so it sounds like a genuine link.
>>>
>>> Or perhaps somebody in operations had fat fingers and sent SMSes to the
>>> wrong people?
>>
>> There is an extra data point. I logged in to www.ocaso.es from my bookmarked
>> link, logged in normally, and then opened the suspect site on another
>> tab. In this situation, the second tab, if genuine, should recognize
>> that I'm already logged in, and proceed. But instead it asked for my
>> login credentials.
> 
> Another tab seeing you have the same session ID should not request
> another login if the webdev did the proper coding.

Exactly. That got me convinced it was not legit.

> 
> As I recall for Firefox to see the session ID, hit F12 -> Storage ->
> Cookies.  You could check if the session ID is the same for both tabs.
> Session cookies are reusable at the same domain.  I don't know if that
> is true for subdomains (www versus oau). 

Up to the site programming.

> Firefox can purge cookies on
> its exit, but you aren't exiting.  An add-on that putzes with cookies,
> like expire them instead of the web browser doing that, could interfere
> with using session cookies.
>

But I don't get that trouble with other sites.

> If you use Private Browsing, a new session ID gets generated.  That's
> how you can use Private  Browsing to log in multiple times to a website.
> 
> Did you open 1 tab only in Firefox, navigate to the website, login, open
> a 2nd tab in Firefox, and check if you are prompted to login again?

Ah. Wait.

If I login on https://www.ocaso.es/inicio, I get another tab that ends 
in https://clientes.ocaso.es/inicio. The first tab doesn't notice the 
login, and if I click on login it asks again for credentials.

So they have a programming issue. And... now I see that they show that I 
have a claim running! :-o

It is subtle to find in the web page.

> 
> Did you disable all add-ons in Firefox?  If you still get a login prompt
> in every tab you open to a website where you already logged in, and
> disabling add-ons did not help, use a fresh Firefox profile to eliminate
> all add-ons, all about:config tweaks, userchrome.css, or anything else
> you've done under your normal profile to modify Firefox.  With a fresh
> Firefox profile, test if a 2nd tab still asks for a login when you have
> already logged in using the 1st tab.


-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;
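
The cookie-scope question in the two posts above (whether a session cookie set on one hostname is seen on www, oau or clientes), worked through as an added example that is not part of any post in the thread. It applies the RFC 6265 domain-matching rules; the cookie name and value are constructed, and how the real site sets its cookies is an assumption, so both scoping choices are shown.

```javascript
// Added example. Cookie name/value are constructed; how the real site sets
// its cookies is not known, so both scoping choices are shown.

// RFC 6265 section 5.1.3: does request host `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // Suffix match only on a label boundary, and never for IP literals.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Model a Set-Cookie header received from `originHost` (name, value and
// Domain only). Returns null when a browser would ignore the cookie.
// Real browsers also refuse public suffixes such as "es"; omitted here.
function storeCookie(originHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() !== "domain" || v.trim() === "") continue;
    const d = v.trim().replace(/^\./, "").toLowerCase(); // leading dot ignored
    // A host may only set a cookie for itself or for a parent domain.
    if (!domainMatch(originHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Which of the given hostnames receive a cookie set this way?
function recipients(originHost, setCookie, hosts) {
  const c = storeCookie(originHost, setCookie);
  return c ? hosts.filter((h) => isSentTo(c, h)) : [];
}

const HOSTS = ["www.ocaso.es", "clientes.ocaso.es", "oau.ocaso.es"];
console.log(recipients("clientes.ocaso.es", "SESSIONID=abc123; Secure; HttpOnly", HOSTS));
console.log(recipients("clientes.ocaso.es", "SESSIONID=abc123; Domain=ocaso.es; Secure", HOSTS));
```

A cookie set without a Domain attribute stays on the one hostname that set it, so a login prompt on a sibling hostname is consistent with host-only session cookies and does not by itself show that the sibling is a fake.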



#154222

From: AJL <noemail@none.com>
Date: 2026-06-18 15:56 +0000
Message-ID: <11114fl$2ndbb$1@dont-email.me>
In reply to: #154209
On 6/18/26 1:01 AM, Carlos E. R. wrote:
>
>Yesterday I received an SMS from my home insurance company saying that 
>they had registered my claim, go and see it at this link. The URL seems 
>the real one, at least visually.
>
>But I had not put any claim, and the site asked for my login/pass. I 
>suspected.
>
>Today I entered the insurance site from my records. No claims listed. I 
>saw a chat (computer trouble) and I asked. They said it is probably 
>phishing, delete it. Phone the insurance to ask if I have some pending 
>claim if in doubt.
>
>So, the thing is they impersonated the sender. I don't know what is 
>wrong in the URL. I have the suspicion that RCS, as it works with 
>certificates, could avoid or signal these troubles.

These days it is wise NOT to return ANY text, email, or voice calls by using
the return info listed in the message. Always go to the correct source to
verify. The news is full of scams using this method...



#154233

From: Jörg Lorenz <hugybear@gmx.net>
Date: 2026-06-19 09:13 +0200
Message-ID: <1112q6v$15kj6$1@solani.org>
In reply to: #154209
On 18.06.26 10:01, Carlos E. R. wrote:
> www.ocaso.es is the real, actual URL.

I hope not: It even has no SSL-encryption.


-- 
"Roma locuta, causa finita" (Augustinus)



#154236

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2026-06-19 12:13 +0200
Message-ID: <n9kj2jFidf7U5@mid.individual.net>
In reply to: #154233
On 2026-06-19 09:13, Jörg Lorenz wrote:
> On 18.06.26 10:01, Carlos E. R. wrote:
>> www.ocaso.es is the real, actual URL.
> 
> I hope not: It even has no SSL-encryption.
> 
> 
Yes, it has. It is https.

-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;



#154237

From: Jörg Lorenz <hugybear@gmx.net>
Date: 2026-06-19 14:16 +0200
Message-ID: <1113bv3$1618q$1@solani.org>
In reply to: #154236
On 19.06.26 12:13, Carlos E. R. wrote:
> On 2026-06-19 09:13, Jörg Lorenz wrote:
>> On 18.06.26 10:01, Carlos E. R. wrote:
>>> www.ocaso.es is the real, actual URL.
>>
>> I hope not: It even has no SSL-encryption.
>>
>>
> Yes, it has. It is https.

Check your own link by hovering with the cursor.

-- 
"Roma locuta, causa finita" (Augustinus)



#154238

From: Theo <theom+news@chiark.greenend.org.uk>
Date: 2026-06-19 17:22 +0100
Message-ID: <-7F*3SvJA@news.chiark.greenend.org.uk>
In reply to: #154237
Jörg Lorenz <hugybear@gmx.net> wrote:
> On 19.06.26 12:13, Carlos E. R. wrote:
> > On 2026-06-19 09:13, Jörg Lorenz wrote:
> >> On 18.06.26 10:01, Carlos E. R. wrote:
> >>> www.ocaso.es is the real, actual URL.
> >>
> >> I hope not: It even has no SSL-encryption.
> >>
> >>
> > Yes, it has. It is https.
> 
> Check your own link by hovering with the cursor.

There was no link, there was just the string www.ocaso.es:

00000600  0a 0a 77 77 77 2e 6f 63  61 73 6f 2e 65 73 20 69  |..www.ocaso.es i|
00000610  73 20 74 68 65 20 72 65  61 6c 2c 20 61 63 74 75  |s the real, actu|
00000620  61 6c 20 55 52 4c 2e 0a  0a 2d 2d 20 0a 43 68 65  |al URL...-- .Che|
00000630  65 72 73 2c 0a 20 20 20  20 20 20 20 20 43 61 72  |ers,.        Car|
00000640  6c 6f 73 20 45 2e 52 2e  0a 20 20 20 20 20 20 20  |los E.R..       |

Usenet is plain text, so there is no markup behind the scenes.  If the OP
didn't write http:// then it wasn't there.

If your client decided to turn that www... string into a http:// link, that's
your (client's) problem.  Arguably it should turn it into an https:// link
nowadays.

Theo



#154239

From: Jörg Lorenz <hugybear@gmx.net>
Date: 2026-06-19 21:23 +0200
Message-ID: <11144vn$16jhn$1@solani.org>
In reply to: #154238
On 19.06.26 18:22, Theo wrote:
> Jörg Lorenz <hugybear@gmx.net> wrote:
>> On 19.06.26 12:13, Carlos E. R. wrote:
>>> On 2026-06-19 09:13, Jörg Lorenz wrote:
>>>> On 18.06.26 10:01, Carlos E. R. wrote:
>>>>> www.ocaso.es is the real, actual URL.
>>>>
>>>> I hope not: It even has no SSL-encryption.
>>>>
>>>>
>>> Yes, it has. It is https.
>>
>> Check your own link by hovering with the cursor.
> 
> There was no link, there was just the string www.ocaso.es:
> 
> 00000600  0a 0a 77 77 77 2e 6f 63  61 73 6f 2e 65 73 20 69  |..www.ocaso.es i|
> 00000610  73 20 74 68 65 20 72 65  61 6c 2c 20 61 63 74 75  |s the real, actu|
> 00000620  61 6c 20 55 52 4c 2e 0a  0a 2d 2d 20 0a 43 68 65  |al URL...-- .Che|
> 00000630  65 72 73 2c 0a 20 20 20  20 20 20 20 20 43 61 72  |ers,.        Car|
> 00000640  6c 6f 73 20 45 2e 52 2e  0a 20 20 20 20 20 20 20  |los E.R..       |
> 
> Usenet is plain text, so there is no markup behind the scenes.  If the OP
> didn't write http:// then it wasn't there.

Nonsense. My client is clever enough to interpret certain strings.



-- 
"Roma locuta, causa finita" (Augustinus)



#154244

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2026-06-20 01:17 +0200
Message-ID: <n9m100Fo19jU3@mid.individual.net>
In reply to: #154238
On 2026-06-19 18:22, Theo wrote:
> Jörg Lorenz <hugybear@gmx.net> wrote:
>> On 19.06.26 12:13, Carlos E. R. wrote:
>>> On 2026-06-19 09:13, Jörg Lorenz wrote:
>>>> On 18.06.26 10:01, Carlos E. R. wrote:
>>>>> www.ocaso.es is the real, actual URL.
>>>>
>>>> I hope not: It even has no SSL-encryption.
>>>>
>>>>
>>> Yes, it has. It is https.
>>
>> Check your own link by hovering with the cursor.
> 
> There was no link, there was just the string www.ocaso.es:
> 
> 00000600  0a 0a 77 77 77 2e 6f 63  61 73 6f 2e 65 73 20 69  |..www.ocaso.es i|
> 00000610  73 20 74 68 65 20 72 65  61 6c 2c 20 61 63 74 75  |s the real, actu|
> 00000620  61 6c 20 55 52 4c 2e 0a  0a 2d 2d 20 0a 43 68 65  |al URL...-- .Che|
> 00000630  65 72 73 2c 0a 20 20 20  20 20 20 20 20 43 61 72  |ers,.        Car|
> 00000640  6c 6f 73 20 45 2e 52 2e  0a 20 20 20 20 20 20 20  |los E.R..       |
> 
> Usenet is plain text, so there is no markup behind the scenes.  If the OP
> didn't write http:// then it wasn't there.
> 
> If your client decided to turn that www... string into a http:// link, that's
> your (client's) problem.  Arguably it should turn it into an https:// link
> nowadays.

Right. Even if I force http://..., my browser goes to https://... instead.

-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;



#154243

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2026-06-20 01:14 +0200
Message-ID: <n9m0qhFo19jU2@mid.individual.net>
In reply to: #154237
On 2026-06-19 14:16, Jörg Lorenz wrote:
> On 19.06.26 12:13, Carlos E. R. wrote:
>> On 2026-06-19 09:13, Jörg Lorenz wrote:
>>> On 18.06.26 10:01, Carlos E. R. wrote:
>>>> www.ocaso.es is the real, actual URL.
>>>
>>> I hope not: It even has no SSL-encryption.
>>>
>>>
>> Yes, it has. It is https.
> 
> Check your own link by hovering with the cursor.
> 

Verified by digicertinc. The site is secure.

-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;


