Texts From AT&T Are Easy To Spoof

This is a text from AT&T:

It’s sent from a short code I’ve never seen, and prompts me to visit a URL that’s not obviously an AT&T site. It looks like phishing, but I’ll bet a lot of AT&T’s customers click on it anyway.

I figured I could send my own.

They’re practically indistinguishable. If you were an AT&T customer that would click on one, would you really know not to click on the other?

Short codes are typically expensive — Twilio charges a couple thousand dollars for them—so they could be seen as an indicator that a message is coming from a business, but a well-funded hacker would have no problem acquiring one, and I was able to find a free trial for 30 days of short code.

I bought attmobilityllc.net for $10.89.

I could prompt for AT&T login to phish for customer credentials or host ads on the page and make a profit on every visit. I could even put invisible iFrames of popular website login pages and let password managers auto-fill the input fields to grab a person’s login information across many sites*.

One problem is that AT&T uses a plethora of short codes to send messages so customers have no way to know if messages are actually coming from an AT&T number. They have no way to distinguish which text messages are genuinely from AT&T and which are from phishers.

Another problem is that AT&T directs customers to URLs like dl.mymobilelocation.com which aren’t obviously associated with AT&T.

Every AT&T text looks like this, so customers learn to trust any text that claims to be from AT&T, no matter on what they’re being asked to click. Customers of AT&T don’t have a good way to know what texts are actually from their cell carrier, making AT&T an easy target to spoof.

There are multiple services online that allow you to look up what carrier a phone number belongs to.

Here’s one. Looking up http://retrosleuth.com/free-phone-carrier-search?phone_number=xxxxxxxxxx#result, replacing the x’s for any ten digit number will tell you if that number belongs to AT&T, Verizon, Sprint or another.

One could programmatically try every ten digit number incrementally, and collect a list of every AT&T provided US number for sending phished text messages to.

The easiest solution is for AT&T to only use URLs that are subdomains or extensions of att.com.

Another possible fix is for AT&T to preload their short codes as phone contacts for AT&T sold devices. That way, customers will know what numbers actually belong to AT&T and which do not.

A third option is for AT&T to communicate through other methods besides text messages. While there is certainly the tradeoff of convenience, emails from @att.com addresses or push notifications through AT&T’s app are alternatives.

I figured I could also be wrong about the first AT&T text — it could also be a phishing attempt.

So I asked.

It’s actually AT&T.

The AT&T customer service rep wouldn’t look up the short code for me to see if it is one of AT&T’s numbers but confirmed that the site belongs to them.