


Re: SMS spoofing

From "Carlos E. R." <robin_listas@es.invalid>
Newsgroups comp.mobile.android
Subject Re: SMS spoofing
Date 2026-06-18 14:04 +0200
Message-ID <n9i565F6v2gU2@mid.individual.net> (permalink)
References <n9hmvmF3t7sU3@mid.individual.net> <s3crs4nq1d5n.dlg@v.nguard.lh>



On 2026-06-18 10:36, VanguardLH wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote:
> 
>> Yesterday I received an SMS from my home insurance company saying that
>> they had registered my claim, go and see it at this link. The URL seems
>> the real one, at least visually.
>>
>> But I had not put any claim, and the site asked for my login/pass. I
>> suspected.
>>
>> Today I entered the insurance site from my records. No claims listed. I
>> saw a chat (computer trouble) and I asked. They said it is probably
>> phishing, delete it. Phone the insurance to ask if I have some pending
>> claim if in doubt.
>>
>> So, the thing is they impersonated the sender. I don't know what is
>> wrong in the URL. I have the suspicion that RCS, as it works with
>> certificates, could avoid or signal these troubles.
>>
>> If you are curious, this is the SMS:
>>
>> «Your claim 01202600362123 has been registered; if you wish, you can
>> track it at https://oau.ocaso.es/qmVki-fOZ»
>>
>> www.ocaso.es is the real, actual URL.
> 
> The URL may look correct to your eyes, but it could be using IDN
> (Internationalized Domain Name) encoding, like UTF-8, which allows more
> than the ASCII charset in a URL.  With the IDN charset, there are lots
> of look-alike characters facilitating a homograph attack.  IDN URLs are
> valid, but too often used by scammers to make a URL look like it's
> pointing to a legit domain.

I know.

> https://en.wikipedia.org/wiki/Internationalized_domain_name
> 
> https://en.wikipedia.org/wiki/Punycode
> 
> Chrome and Edge (a Chromium derivative) will show the punycode version
> of an IDN URL to prevent homograph attacks.  In Firefox, you have to
> edit a punycode setting in about:config:
> 
>    network.IDN_show_punycode = true

No such setting.

>    
> Sometimes Firefox will show the punycode version of an IDN URL,
> sometimes not.
> 
> https://wiki.mozilla.org/IDN_Display_Algorithm
> 
> When I used Firefox, I didn't want a guessing game on the URLs.  I set
> the punycode option in about:config to always show punycode.  I'm in the
> USA, and there is no place I visit that would need to use UTF-8, or
> anything other than ASCII, in its URLs even when visiting sites in other
> countries.  However, you're in Spain, I think, and IDNs are more common
> in other countries.
> 
> Or they used the old trick of look-alike ASCII characters, like 1 (one)
> and l (el) looking similar, especially when inside a string.
> 
> When you copy & paste the suspicious URL, we see what you see, not that
> actual encoding of an IDN URL.
> 
> You mention you got the URL in an SMS text.  I don't recall any SMS or
> e-mail app showing punycode instead of IDN, except with e-mail you might
> be able to look at the raw source.  So, the only way you could tell it
> was a phishing website using IDNs would be to click on the URL to see
> what the address bar shows in the web browser.


It showed the same thing.


cer@Laicolasse:~/Videos/Star Trek TOS> host oau.ocaso.es
oau.ocaso.es has address 195.57.141.20
You have mail in /var/mail/cer
cer@Laicolasse:~/Videos/Star Trek TOS> host ocaso.es
ocaso.es has address 195.57.141.15
ocaso.es mail is handled by 10 alt4.aspmx.l.google.com.
ocaso.es mail is handled by 10 alt3.aspmx.l.google.com.
ocaso.es mail is handled by 5 alt2.aspmx.l.google.com.
ocaso.es mail is handled by 5 alt1.aspmx.l.google.com.
ocaso.es mail is handled by 1 aspmx.l.google.com.
cer@Laicolasse:~/Videos/Star Trek TOS>

cer@Laicolasse:~/Videos/Star Trek TOS> host 195.57.141.20
20.141.57.195.in-addr.arpa is an alias for 20.0.141.57.195.in-addr.arpa.
20.0.141.57.195.in-addr.arpa domain name pointer 20.red-195-57-141.customer.static.ccgg.telefonica.net.
cer@Laicolasse:~/Videos/Star Trek TOS> host 195.57.141.15
15.141.57.195.in-addr.arpa is an alias for 15.0.141.57.195.in-addr.arpa.
15.0.141.57.195.in-addr.arpa domain name pointer 15.red-195-57-141.customer.static.ccgg.telefonica.net.
cer@Laicolasse:~/Videos/Star Trek TOS>


The IP is almost valid, like an internal attack


-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;
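
The check discussed in this post (is the link's host name really ASCII, and what would its punycode form be), written out as an added example that is not part of the original post. The function names and the two look-alike URLs are constructed for illustration; only the SMS URL and ocaso.es come from the thread. A clean result says only that the name is plain ASCII under the expected domain, not who sent the message.

```python
import unicodedata
from urllib.parse import urlsplit

def scripts_in(label):
    """Script families of the letters in one DNS label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_link(url, expected_domain):
    """Report what an address bar hides: the ASCII (punycode) host and odd labels."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        # Python's built-in IDNA codec yields the xn-- form of any non-ASCII label.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None  # not encodable as a DNS name at all
    labels = host.split(".")
    return {
        "host": host,
        "ascii_host": ascii_host,
        "non_ascii_labels": [l for l in labels if not l.isascii()],
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
        # True only if the ASCII form is the expected domain or a subdomain of it.
        "under_expected": ascii_host is not None and (
            ascii_host == expected_domain
            or ascii_host.endswith("." + expected_domain)
        ),
    }

# URL quoted in the SMS above.
SMS_URL = "https://oau.ocaso.es/qmVki-fOZ"
# Constructed look-alikes: Cyrillic U+043E for the first "o", and ASCII zero for "o".
IDN_LOOKALIKE = "https://oau.\u043ecaso.es/x"
ASCII_LOOKALIKE = "https://oau.0caso.es/x"

if __name__ == "__main__":
    for sample in (SMS_URL, IDN_LOOKALIKE, ASCII_LOOKALIKE):
        print(inspect_link(sample, "ocaso.es"))
```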
