I’ve been getting obviously fake text messages from “Amazon” for the past week. Whether a hack, spam, scam, whatever, I know they aren’t real, but I have wondered where they came from. This news makes me wonder even more: SMS messages can be redirected to hackers for just $16.
Hackers Buy SMS Access
Do you get errant text messages and have no idea where they come from? Companies that you trust may have sold hackers access to your messages, which could include private data.
A Motherboard reporter, Joseph Cox, performed a test on this theory, and the hacker who obtained access to his SMS only paid $16. So perhaps someone paid a few dollars for your SMS as well.
There are companies that manage text messages that appear to be behind this, or at the very least, they are enablers in this scenario. These services silently redirect text messages. Sometimes they are redirecting them right into the hands of attackers.
These companies often don’t even send messages to the account owners to let them know their SMS messages are being redirected to someone they don’t know and haven’t given access to. The attackers gain the ability to not only intercept your messages but reply to them as well. What would they possibly say?
Cox was able to get someone to carry out an attack on his phone number, the one that only cost the attacker $16. He was also able to get SMS redirection services to admit they’d seen these types of attacks before.
This is an exploit on the part of the SMS redirection services. They apparently believe they are selling the access to other legitimate companies. The company that sold Cox’s number has now fixed the exploit.
The Verge asked AT&T and Verizon whether it was possible for messages to be redirected to hackers. Both companies referred the publication to the wireless industry trade organization, CTIA. CTIA told Motherboard it had “no indication of any malicious activity involving the potential threat or that any customers were impacted.”
There were already other known methods of text messaging interference. The industry has been aware of SIM swapping and SS7 attacks for a couple of years. Victims of SIM swapping, however, know of the attacks. It won’t be as obvious when your text messages are redirected.
It could get even worse than just access to your SMS messages – it could extend to your other accounts. Think of all the password reset codes that are sent to you via text. With access to your messages, an attacker now has access to the accounts those codes reset as well. Login links are sent through text, too. That’s even more accounts that have now been opened to the hackers.
For all these reasons, avoid sending anything security-related through your SMS messages. This includes two-factor authentication. Sometimes you may not have a choice. Just make sure you have an ironclad password.
Was this the source of my fake Amazon texts? It doesn’t appear so, but it’s no less troubling.