Amateur Programmer: SMS Spoofing for Malicious Purposes Is Easy

SMS spoofing is not new, researchers having proved in 2010 for BBC’s Watchdog that it could be done. While most of the telecommunications companies are aware of the risks, few have actually done something to prevent it.

Now, an amateur programmer came forward with a simple app to prove that SMS spoofing for malicious purposes is something widely available, and if measures are not taken, a lot of individuals may be exposed to cybercriminal operations.

Richard Burton, a self-described “completely amateur programmer” with less than 2 years’ experience, managed to develop a simple program that could allow anyone to launch social engineering attacks with the purpose of obtaining valuable information and maybe even money.

The whole thing began with a simple web app for smartphones that was designed to play practical jokes on people, but Burton soon realized that this app could be utilized for the wrong reasons, especially since developing it was not difficult at all.

“The part of the program that sends the message is just 5 lines of code. All the networks just accept the message as valid and send it to their customers without question,” he told us. “This should not be possible, let alone simple.”

Knowing how the networks responded when confronted with this issue two years ago, he tried to reach out to some of them to see if anything had been done in the meantime to address the problem.

Unfortunately, their current view of the situation hasn’t changed much, but Burton is determined not to let this go.

“I was always certain that the networks knew this is possible. After all, they have lots of very smart people working for them. However, I was little surprised to hear that Three have known about the problem 'for years' and that Orange just accepts the status quo by saying 'we have no control over its existence',” he added.

Some companies blame their inability to control SMS spoofing on third-party services, relying on the fact that none of their customers complained so far about receiving messages that were designed to dupe them into handing over sensitive information.

“I completely understand that various third-party services need to be able to set where the message has come from. However, those services should be properly policed by the networks. The network should vet each message it receives from them with much more care. Then it would require a much more intelligent person than I to spoof SMSs.”

Telecoms firms may think that at the moment cybercriminals aren’t relying on SMS spoofing to complete their malicious operations, but as we’ve seen a few hours ago the trust factor that exists between friends, and companies and their customers can be easily taken advantage of.

Compromised email accounts are being used by fraudsters to send out distress calls, asking recipients for large amounts of money. The same types of schemes may be even more successful if SMSs were used instead of emails.