This is a text from AT&T:
It’s sent from a short code I’ve never seen, and prompts me to visit a URL that’s not obviously an AT&T site. It looks like phishing, but I’ll bet a lot of AT&T’s customers click on it anyway.
I figured I could send my own.
They’re practically indistinguishable. If you were an AT&T customer that would click on one, would you really know not to click on the other?
Short codes are typically expensive — Twilio charges a couple thousand dollars for them—so they could be seen as an indicator that a message is coming from a business, but a well-funded hacker would have no problem acquiring one, and I was able to find a free trial for 30 days of short code.
I bought attmobilityllc.net for $10.89.
I could prompt for AT&T login to phish for customer credentials or host ads on the page and make a profit on every visit. I could even put invisible iFrames of popular website login pages and let password managers auto-fill the input fields to grab a person’s login information across many sites*.
One problem is that AT&T uses a plethora of short codes to send messages so customers have no way to know if messages are actually coming from an AT&T number. They have no way to distinguish which text messages are genuinely from AT&T and which are from phishers.
Another problem is that AT&T directs customers to URLs like dl.mymobilelocation.com which aren’t obviously associated with AT&T.
Every AT&T text looks like this, so customers learn to trust any text that claims to be from AT&T, no matter on what they’re being asked to click. Customers of AT&T don’t have a good way to know what texts are actually from their cell carrier, making AT&T an easy target to spoof.
There are multiple services online that allow you to look up what carrier a phone number belongs to.
Here’s one. Looking up http://retrosleuth.com/free-phone-carrier-search?phone_number=xxxxxxxxxx#result, replacing the x’s for any ten digit number will tell you if that number belongs to AT&T, Verizon, Sprint or another.
One could programmatically try every ten digit number incrementally, and collect a list of every AT&T provided US number for sending phished text messages to.
The easiest solution is for AT&T to only use URLs that are subdomains or extensions of att.com.
Another possible fix is for AT&T to preload their short codes as phone contacts for AT&T sold devices. That way, customers will know what numbers actually belong to AT&T and which do not.
A third option is for AT&T to communicate through other methods besides text messages. While there is certainly the tradeoff of convenience, emails from @att.com addresses or push notifications through AT&T’s app are alternatives.
I figured I could also be wrong about the first AT&T text — it could also be a phishing attempt.
So I asked.
It’s actually AT&T.
The AT&T customer service rep wouldn’t look up the short code for me to see if it is one of AT&T’s numbers but confirmed that the site belongs to them.