SMS is an essential part of the modern world and its value can’t be overstated. Most organizations rely on SMS to deliver notifications, news, warnings and OTPs to customers and employees. How they do that? In a nutshell, they register with a service provider to get these services or in some cases, they deploy their own infrastructure, then they pay for the amount of messages they send. For the organizations to identify themselves to you, they use a name or ID rather than a number, so when you get the message, you see the organization’s name not a random number that you can’t recognize.
The problem? how about someone sending a message with a name that belongs to some other organization? So you when you receive the message it appears as it was sent from that other entity. Yes, unfortunately some service providers or owned-infrastructure allow that! That’s SMS Spoofing.
A critical threat to the end-users and the entities is the threat of SMS Spoofing, this means, an attacker may craft an SMS and send it to victim with a name that belongs to some entity, combined with a crafted social engineering scenario, this could lead to enormous financial damage to organizations and customers. This attack is also known as Smishing.
The possibilities and scenarios that this attack could be abused in are countless. Someone may send you a message with your company’s name with a URL inside mirroring some login portal in your organization in an attempt to steal your credentials, or, someone may send you a message pretending to be your bank and asking you enter your online banking credentials to update your info or prevent account lockout (we’ve seen this targeting Egyptians!)
While spoofing some reputable organization to social engineer people might seem bad, what makes it all more nastier is that the spoofed message actually will be received under the old thread of your communication with the entity! Oh yeah, The message almost always will be received in the same thread in your phone, not a new thread, making this attack close to impossible to detect by end-users.
Does that sound bad enough for you? Sorry, there’s more to it. There’s no simple or single solution to this problem! It’s an international problem actually with telecom companies and law enforcement all over the world working together to mitigate it. In the meantime, if there’s one thing we could do, it’s awareness campaigns to alarm end-users of this attack, notifying them using TV and social media that your bank won’t actually send you a link to enter your credentials, even if it appears to be received from your bank.