Texts From AT&T Are Easy To Spoof

Dani Grant

This is a text from AT&T:

It’s sent from a short code I’ve never seen, and prompts me to visit a URL that’s not obviously an AT&T site. It looks like phishing, but I’ll bet a lot of AT&T’s customers click on it anyway.

I figured I could send my own.

They’re practically indistinguishable. If you were an AT&T customer who would click on one, would you really know not to click on the other?

Short codes are typically expensive — Twilio charges a couple thousand dollars for them — so they could be seen as an indicator that a message is coming from a business, but a well-funded hacker would have no problem acquiring one, and I was able to find a free 30-day trial of a short code.

I bought attmobilityllc.net for $10.89.

I could prompt for an AT&T login to phish for customer credentials, or host ads on the page and make a profit on every visit. I could even put invisible iframes of popular website login pages and let password managers auto-fill the input fields to grab a person’s login information across many sites*.

One problem is that AT&T uses a plethora of short codes to send messages, so customers have no way to know if messages are actually coming from an AT&T number. They have no way to distinguish which text messages are genuinely from AT&T and which are from phishers.

Another problem is that AT&T directs customers to URLs like dl.mymobilelocation.com, which aren’t obviously associated with AT&T.

Every AT&T text looks like this, so customers learn to trust any text that claims to be from AT&T, no matter what they’re being asked to click on. Customers of AT&T don’t have a good way to know what texts are actually from their cell carrier, making AT&T an easy target to spoof.

There are multiple services online that allow you to look up what carrier a phone number belongs to.

Here’s one. Looking up http://retrosleuth.com/free-phone-carrier-search?phone_number=xxxxxxxxxx#result, replacing the x’s with any ten-digit number, will tell you if that number belongs to AT&T, Verizon, Sprint or another carrier.

One could programmatically try every ten-digit number incrementally, and collect a list of every AT&T-provided US number for sending phished text messages to.

The easiest solution is for AT&T to only use URLs that are subdomains or extensions of att.com.
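One way a messaging client or SMS filter could enforce that rule, as an added example that is not from the original post. The message bodies are constructed, the function names are hypothetical, and only the domains come from the article. The comparison is done on the parsed hostname at a label boundary, so lookalike hosts that merely contain "att.com" are rejected.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "att.com"  # the one domain the article proposes AT&T use

# Constructed SMS bodies; only the domains are taken from the article.
SAMPLES = [
    "AT&T Free Msg: view your usage at dl.mymobilelocation.com/a1b2",
    "AT&T Free Msg: verify your account at https://att.com.attmobilityllc.net/login",
    "AT&T Free Msg: your bill is ready at https://www.att.com/bill.",
]

def link_host(link):
    """Return the normalized hostname of a link, or None if it cannot be parsed."""
    if "://" not in link:
        link = "//" + link              # bare links are common in SMS
    try:
        parts = urlsplit(link)
        host = parts.hostname           # drops userinfo and port, lowercases
        if parts.scheme not in ("", "http", "https") or not host:
            return None
        # Normalize a trailing dot and IDN labels before comparing.
        return host.rstrip(".").encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return None

def is_trusted(link, trusted=TRUSTED):
    """True only for `trusted` itself or a subdomain of it."""
    host = link_host(link)
    # "." + trusted forces a label boundary, so "notatt.com" does not pass.
    return host is not None and (host == trusted or host.endswith("." + trusted))

LINK_RE = re.compile(r"(?:https?://)?[\w.@:-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def untrusted_links(message):
    """Return every link-like token in an SMS body that is not under TRUSTED."""
    found = [m.group(0).rstrip(".,;!?") for m in LINK_RE.finditer(message)]
    return [link for link in found if not is_trusted(link)]

if __name__ == "__main__":
    for body in SAMPLES:
        bad = untrusted_links(body)
        print("FLAG" if bad else "ok  ", bad, "<-", body)
```

Run against these samples, the check flags the dl.mymobilelocation.com link as well as the attmobilityllc.net one, which is why the rule only helps once AT&T's own links all live under att.com.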

Another possible fix is for AT&T to preload their short codes as phone contacts on AT&T-sold devices. That way, customers will know which numbers actually belong to AT&T and which do not.

A third option is for AT&T to communicate through other methods besides text messages. While there is certainly the tradeoff of convenience, emails from @att.com addresses or push notifications through AT&T’s app are alternatives.

I figured I could also be wrong about the first AT&T text — it could also be a phishing attempt.

So I asked.

It’s actually AT&T.

The AT&T customer service rep wouldn’t look up the short code for me to see if it is one of AT&T’s numbers but confirmed that the site belongs to them.
