Does SMS spoofing require as much effort as email spoofing?

SMS text message spoofing demands a little more technical knowledge than email spoofing. But not much, says information security threat expert Ed Skoudis. In this Q&A, Skoudis explains how that technical know-how has now been embedded in easy-to-use, Web-based software.

Ed Skoudis, Counter Hack

Why is it easier to fake the sender of an email message than to fake the sender of a message that uses the SMS protocol?

Spoofing an email message sender is trivial. The Simple Mail Transfer Protocol (SMTP) does not include verification of source email addresses. Thus, an attacker can simply telnet to a mail server's TCP port 25 and type in a message using any source address that he or she wants. Most mail servers will dutifully deliver the mail.

Some mail servers do a check with forward and reverse DNS lookups, verifying that the source email address appears...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

to be coming from a mail server in that environment. If a message from ed@bogussourcename.com doesn't have a DNS record, and forward and reverse lookups can't match bogussourcename.com with a proper IP address, then the message might be spoofed. Unfortunately, such checks are often inaccurate, and that's why a lot of servers don't perform them.

Short Message Service (SMS) spoofing is more complex, but far from impossible. The various SMS message providers -- typically cell phone service providers -- have integrated their SMS messaging with the Internet, allowing users to send messages by surfing to a Web site and simply typing one in (the user is also allowed to enter a source email address and phone number). Some SMS providers check these numbers to make sure they are accurate, but others do not.

Also, there are flaws in these SMS message-sending Web applications that can easily be exploited to bypass any attempt at verification. In fact, there are both free and commercial software applications available that will generate enormous numbers of spoofed SMS messages. So, SMS spoofing requires a little more technical savvy, but even that technical know-how has been embedded in easy-to-use, Web-based software.

More information:

It's not just SMS text messaging spam that's heading to your mobile devices. See what other mobile malware is on the way.

Learn how to defend mobile devices from viruses and spyware.

This was last published in July 2007

email spoofing

IP Spoofing

Prevent email spoofing from wreaking havoc on contact lists

Email, website and IP spoofing: How to prevent a spoofing attack

Please create a username to comment.

Top 6 cloud security analytics use cases

McAfee: Attacks on cloud accounts up 630% during COVID-19

Use these CCSK practice questions to prep for the exam

MLB uses NetBox automation for network configuration backup

A glossary of home network basics for the networking novice

Cisco acquisition of ThousandEyes has many user benefits

Involve your security team in the decision-making process

5 post cloud migration risks and how CIOs can avoid them

CIO strategies for COVID-19 require new long-term IT planning

New HP hardware directed at remote work

Ivanti updates its unified endpoint management

AMD's Ryzen, Epyc power surge in desktops, laptops, data centers

AWS Marketplace update eases SaaS contract changes

AWS, Microsoft and Google should retire these cloud services

5 ways to reduce cloud costs

Sodinokibi data auctions highlight changing criminal tactics

Lidl Finland speeds up with new local server racks

Security procurement framework goes live for NHS and public sector

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

email spoofing

IP Spoofing

Prevent email spoofing from wreaking havoc on contact lists

Email, website and IP spoofing: How to prevent a spoofing attack

Related Q&A from Ed Skoudis

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.