Use an SMS Gateway to send spoof messages
Just been playing around with a free trial of an SMS gateway service. There are loads of these services about, all seeming to offer reasonable prices to send and receive SMS messages.
The service I used had a pretty simple HTTP API which I was hacking about with to send RSS stories to my phone. I’ve previously thought about setting up a service like this, providing up-to-date football scores to fans. The technological costs involved are pretty much non-existent, as all it would take is a few scripts and a database to tie the thing together. However, I got scared off by the sales reps from PA Sports when I started looking into licensing their data. It all started to look a bit too much like a real business proposition for me to get involved with in my spare time!
One of the interesting things I noticed about the SMS Gateway’s API is that it allows you to set the sender ID, as in the phone number of the message sender. This allowed me to send a message from the gateway that appeared to have originated from my phone. Unlike email spoofing, where it is fairly easy to determine the actual originating sender from studying the message header, I could not find any way of detecting this forgery on my mobile!
This technique is known as SMS Spoofing and is fairly commonplace. For example, Skype sends messages from its users with the mobile number they registered with. The cool but scary thing is just how easy it is to do using an SMS gateway. Like email spoofing, this technique is easily abused, but perhaps SMS spoofing is all the more dangerous due to it being harder to detect and far less prevalent?
mattc
on 28 Sep 2008 at 8:09 am
I always thought results & things derived from results like league tables were pretty much free, the information is in the public domain & all PA do is collate it. Maybe there’s a few different data providers?
matth
on 28 Sep 2008 at 7:44 pm
That’s interesting, it’s difficult to believe that there is a charge for syndicating sports results but I had heard bad things about PA pricing before so assumed the worst. It’s probably worth investigating a bit further.
Ted
on 23 Jul 2009 at 2:24 pm
Custom senderID is not accepted by USA legislation though American mobile carriers don’t allow it.
‘Other world’ operators are OK. I personally think that SMS spoofing is real fun to do with friends or colleagues.
I use SMSGANG.com, it’s easy and cheap.
linda
on 28 Sep 2009 at 11:10 am
Spranked(dot)com is pure fraud. Do NOT use this service. Many times, after purchasing credits, they do not register on your account. There will also be multiple duplicate charges through PayPal that you did not authorize. When disputing through PayPal, Spranked’s pre-meditated defense is that it’s a “Virtual Service” for which there is no recourse.
Francis Rutter
on 20 May 2010 at 4:43 pm
I received a spoofed text which I later found out was sent through hoaxMail. It was an April Fools prank and I must admit it did make me laugh; however, I imagine there are plenty of bad eggs out there that are using it for less innocent means.