In the recent phishing scam involving OCBC, victims received an SMS from scammers posing as the bank and claiming there were issues with their accounts or credit cards. The message, which contained a link to a fraudulent website mimicking OCBC’s, appeared in the same SMS thread as genuine ones previously sent by the bank. Nearly 470 people have lost at least S$8.5 million since last December.

This happened because malicious actors were able to make use of a hidden field within SMS – called the Sender ID – to mask their actual phone numbers and use an alphanumeric identifier instead, said Mr Ian Hall, head of client services for Asia-Pacific at Synopsys Software Integrity Group. By taking on the name of a bank or any legitimate company, a fake SMS would then be grouped together with those using the same name in the mobile phones of recipients.

“This is actually incredibly easy to spoof since it is just an additional field in an SMS and can be added by attackers using simple API (application programming interface) calls to any SMS service providers,” Mr Hall said.

There are many SMS spoofing tools currently available online for free, said Mr James Lee, a security solution architect for Asia Pacific, China and Japan at US network security provider F5. These tools are also widely used by legitimate companies for their SMS marketing campaigns, so that customers receive messages from a familiar name instead of an unknown number.

The problem lies in the lack of verification by telcos that operate the current SMS system, experts said. “Today, the sender information embedded into an SMS is not verified by telcos before being relayed to the recipient … Without any authentication process in place to ensure that SMS spoofs are done only by legitimate senders, phishing attacks via SMS have become easy to launch,” said Mr Lee.

The ease with which a fake SMS can be sent has also been documented by Mr ZP Lee, who goes by "Captain Sinkie" on his blog. Mr Lee, founder of coding school Upcode Academy, said he became concerned after reading about recent phishing scams and decided to find out for himself how an SMS could be spoofed. By using a third-party tool he found online, he managed to send a message to himself under the name of “DBS Bank”.

These third-party services are easily found online with the code written up “in mere minutes”, said Mr Lee, who is also a data science instructor. “I’m astounded and extremely worried by how easy it is for anyone to use them to spoof the sender’s name in an SMS,” he told CNA.