You see the beauty about GSM is that you do not have to be connected to the network at the same time as the recipient because messages are sent to a SMSC which utilises a mechanism called " store and forward". Something that hasn't been covered in the other answers is messages like these are commonly used to check if a phone number is still active. This could easily be part of a large-scale reconnaissance effort. Lots of organizations are doing bad things at scale right now. If they happen to be malicious and you or your employer are useful targets it might be wise not to respond or in the case of iMessage even open/acknowledge the messages. In a nutshell, you get asked something ridiculous like: "Would you like to see an image of me in a sexy panda suit? 'Y' or 'N'?Īnd that response becomes the reply to "A request to wire $10,000.00 to the national bank of hackerland has been requested do you approve this request? Respond with 'Y' or 'N'?" by the nature of you replying back to the spoofed text to the banking app's source number.Īgain this is something of a fictitious example but the combination of insecure SMS systems in some countries combined with some horribly written systems allowing user SMS input something similar to this could potentially be possible.Īrchitecturally SMS was built before security was a concern, it has almost no security controls to speak of and although useful it should not be used for high-trust applications like authorizing wire transfers.Įven if it seems like fun you are technically giving this person/entity data. If an attacker could time things correctly (again this is an unrealistic example) he or she could initiate a few fake texts to you to determine your average text response speed at 3pm or so then send you a well timed question looking for a 'Y' or 'N' response that is in turn being sent back to the spoofed bank number. This is by no means absolute but if they are collecting this information from a large number of targets it will be mostly accurate data.Ī slightly more dangerous and hopefully unrealistic example for conversational purposes, if a Bank were to authenticate a wire transfer via a simple Y or N response from a phone number on file for their poorly written SMS application an SMS could be crafted from a spoofed VoIP number that matches the bank's real source phone number. In a nutshell, if the person sending you these is using a device which supports Apple's iMessage protocol they will in most cases, be able to see if your phone supports iMessage or not giving a very high likelihood of telling the attacker your phone's base OS as being either iOS (iMessage supported) or Android/Other (iMessage not supported). The next thing that may be useful is the words you use and your very personal phrases Things like "Thanks again" "Cheers" "Peace" or "Have a great day" may help an attacker forge e-mails for a phishing campaign that look exactly like text you would actually use in conversation.Īfter that, there is target OS identification. This may give the attacker knowledge of when to best attack you or your employer. If you leave your phone at home when you go jogging or to a meditation class they may be able to determine times at which other entities may not be able to reach you quickly. One useful thing an attacker could gather is what your response time is at different times during the day and also things like your sleep schedule. But when you receive a SMS just pretending to come from a friend and end in paying more than the simple SMS it is robbery.īut as this kind of company hides themselves abroad or vanish as soon as you reclaim to have your money back, it is much better to never send them any overcharged SMS. When you are aware of that, and willingly send an overcharged SMS to participate in the election of the song of the year, all is fine. The cost of mass sending SMS is low, so if they get an acceptable return rate, they will earn some money with it. ![]() So a not so good company could set up a system like that and send tons of SMSs asking for a reply to such an overcharged number - and optionally omit to say that it is overcharged. At the end, either one of the players earns something, or the answers of participants were used for an election (a miss election for example). This is mainly used (legally) for some TV games where each participant pays a little money when calling a special number or sending a SMS. ![]() Some telephone or SMS numbers allow for an additional charge that is automatically recovered by your phone provider and reversed to the owner of the number.
0 Comments
Leave a Reply. |