SMS Spoofing occurs when a sender manipulates address information. Often it is done in order to impersonate a user that has roamed onto a foreign network and is submitting messages to the home network.
Step 1: Fire Up BackTrack & Start Social Engineering Toolkit (SET)
Let’s begin by firing up Backtrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select “set” as I have done in the screenshot below.
This will start the SET opening screen as seen below. SET is capable of numerous social engineering attacks. The one we want this time is “SMS Spoofing Attack Vector.” To begin this attack, Select #7.
In the following screen we are asked whether we want “Perform a SMS Spoofing Attack” or “Create a Social Engineering Template.” Select #1. Once you have made that selection, you will be queried whether you want to spoof a single number or a mass attack. Select #1 for a single number.
Step 2: Set Up a Spoofed Text Message
Here, I want to send a spoofed text message from Mary (my best friend’s girlfriend) to John (my best friend) where she breaks up with him. This should rattle him a bit and give me a few chuckles as he is madly in love with her.
First, enter his phone number where it asks you “Send sms to.” Then select #2 to craft a One-Time Use SMS. Finally, enter her phone number. Make certain both numbers are preceded by the “+”.
Step 3: Craft the Text Message
In our final step, we need to type the message we want sent to John from his girlfriend, Mary.
“I’m so sorry John. I have met another man and he is the love of my life. I hope we can remain friends”
When you are finished typing, exit by hitting Control + C.
Step 4: Send the Message!
This will bring you to the final screen. In this screen, we will need to select the intermediary for the spoofed SMS message. You have four options here. The first is free, and as they say, it is buggy (when I ran it, SET crashed). Then, there are two for-pay options and, finally, the Android emulator.
I chose the third option, SMSGANG. They charge 3 euros for 5 messages, or about $0.65 in U.S. dollars per message. When you pay (they accept credit cards and PayPal) they send you a PIN code. After selecting #3, it will ask you for a “pincode.” Enter the one SMSGANG emailed you and then your text message is sent!
If you are unfamiliar with using backtrack, then you can simply proceed by going to SMSGANG’s official site to use the software or to purchase pin codes