SMS-based attacks and leak from SendPulse
During 2021, FluBot, a malware that spreads through SMS messages, infected tens of thousands of Android devices. Attackers send texts telling you that you have:
- a pending parcel delivery
- received a voice mail
- or other variations.
These texts contain a link where you can download what is supposed to be a message for you, but it is actually a malicious app: FluBot. Once it is installed, it tries to obtain your credit card and banking credentials, and it uses your phone number to send even more SMS texts, creating a botnet.
Records of FluBot date back to April 2021, and CERT New Zealand wrote about it still being infectious in October of the same year, so the virus was still active months after its initial discovery.
Recent reports indicate that SendPulse, an email and SMS provider, had a data leak of users' credentials, so it is very easy to imagine that sending SMS on a mass scale is more than feasible.
After a quick validation by the Cooltechzone team, it was concluded that most of the credentials are not valid anymore, and it seems that SendPulse is already aware of this incident.
In this article, I will show you why SMS is so powerful for cyber attackers, how they use tools for sending messages in their criminal activities, and a few tools that you can use to easily send SMS messages from your PC.
Disclaimer: The attack shown in this article was done only for demonstration purposes and no outside targets were involved. Do not perform any malicious actions against others without their consent.
Impulse is a free to install app which can be used to perform DoS attacks by flooding the target with SMS messages, a technique called SMS Bombing. It uses Python 3 to run, but it requires no programming knowledge and it can be easily used by only typing a few simple commands.
We performed an attack on ourselves to see if it works. Immediately after launching the attack, we received phone calls and messages on that phone number, which froze the phone for a few minutes.
On Windows, do the following to install and use Impulse:
- Install Python 3 from here. Make sure to download the latest version of Python 3.
- Launch the downloaded installer. During the installation, select “add python to PATH”.
- Open Command Prompt and install Impulse by typing:
git clone https://github.com/LimerBoy/Impulse.git
pip install -r requirements.txt
This command installs some open-source libraries that Impulse requires
python impulse.py --method SMS --time 20 --threads 15 --target +
This command runs a DoS attack with the following parameters:
- Method: specifies the type of DDOS attack you want to perform. In this example, I selected SMS, but email or ping attacks can also be performed
- Time (in seconds): the duration of the attack
- Threads: the number of threads you want to use
- Phone number: the target of your attack. Of course, the target can be changed if the method is also changed (you can also provide a socket, an email, or a website)
- You can also use the following command to view more options.
python impulse.py --help
In the next image, you can see an Impulse attack launched to run 5 seconds on 5 threads. You can increase these numbers to send a powerful attack.
The process is similar on Linux machines. Instead of the first three steps, open Terminal and type the following commands:
sudo apt update
sudo apt install python3 python3-pip git -y
git clone https://github.com/LimerBoy/Impulse.git
So why, after so much time, has no one found a way to eradicate FluBot?
The answer is that it is very easily transmitted via SMS. Attackers use a technique called SMS Phishing, or Smishing: masquerading as a trusted entity and luring victims into opening a link where they are either asked for private data or prompted to download a malicious app, masked as something benign.
You may have heard about email phishing, but Smishing can be much more effective. According to a trusted source, 9 out of 10 text messages are opened within the first three minutes of being received. Also, while emails can be categorized as junk or spam, SMS has no such protective feature. Victims don’t even need an internet connection to receive the messages.
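Since SMS lacks a built-in junk filter, a mail-style triage rule can be applied to inbound texts at a gateway or by a help desk. The following is an added example, not code from the article or from any tool it mentions; the lure themes come from the FluBot texts described above, while the function name, trusted-domain list, phone numbers and `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Lure themes taken from the article's description of FluBot texts.
LURE_THEMES = {
    "parcel": re.compile(r"\b(parcel|package|delivery|courier)\b", re.I),
    "voicemail": re.compile(r"\bvoice\s?mail\b", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)
APK_RE = re.compile(r"\.apk\b", re.I)

def triage_sms(text, sender, known_senders, trusted_domains):
    """Return (verdict, reasons) for one inbound SMS (hypothetical helper)."""
    reasons = []
    # Extract link hosts, dropping punctuation that trails a URL in prose.
    hosts = [(urlparse(u.rstrip(".,;)")).hostname or "").rstrip(".")
             for u in URL_RE.findall(text)]
    untrusted = [h for h in hosts
                 if not any(h == d or h.endswith("." + d) for d in trusted_domains)]
    if untrusted:
        reasons.append("link to untrusted host: " + ", ".join(untrusted))
    themes = [name for name, rx in LURE_THEMES.items() if rx.search(text)]
    if themes:
        reasons.append("lure theme: " + ", ".join(themes))
    apk = bool(APK_RE.search(text))
    if apk:
        reasons.append("direct APK download")
    unknown = sender not in known_senders
    if unknown:
        reasons.append("unknown sender")
    # A bare link is common; link + lure (or APK) from a stranger is the pattern.
    if untrusted and (themes or apk) and unknown:
        verdict = "quarantine"
    elif untrusted:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons

# Constructed sample data (fictional numbers and reserved .example domains).
KNOWN = {"+15550199"}
TRUSTED = {"carrier.example"}
SAMPLES = [
    ("Your parcel is waiting for delivery. Track it: http://parcel-track.example/app.apk", "+15550101"),
    ("You have 1 new voicemail: http://vm.example/listen", "+15550102"),
    ("Lunch at 12? Menu: https://cafe.example/menu.", "+15550199"),
    ("Your bill is ready: https://my.carrier.example/bill", "+15550199"),
]
```
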
As presented above with FluBot, a good way to send messages to as many people as possible is to create a botnet: a network of infected devices all controlled by an attacker or by a group of attackers. In this case, the infected phones are used to send even more texts, thus spreading the malware.
Of course, a virus whose only ability is to replicate itself is pretty much useless. One of the ways in which these apps can affect you is that they steal your private data stored in the phone, like confidential messages and photos, and can even act as a keylogger, thus obtaining your passwords and sending them to the attacker.
In other cases, attackers want to temporarily block a victim from using their device. This is done through a Denial of Service (DoS) attack, which here consists of a large number of SMS messages being sent to a phone user at the same time, although DoS attacks in general are not limited to SMS.
For example, a trusted source informs us that, a few years ago, a vulnerability in LG Nexus devices allowed attackers to freeze, crash and even reboot the devices by flooding them with SMS messages, possibly interrupting vital communication.
In the first section of this article, I showed you a free tool that you can install on your PC in order to experiment with how a DoS attack works.
The attacker may want to perform a DoS attack, but not have enough resources to make the attack powerful.
In this case, they can first create a botnet by infecting thousands of phones and then use them to flood a target with messages. This is called a Distributed Denial of Service (DDoS) attack, and it is much more dangerous than a regular DoS attack since it uses all the infected devices to send texts.
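On the receiving side, both the single-source flood and the distributed one look the same: a burst of messages to one recipient inside a short window. The following is an added detection example, not code from the article or from Impulse; the record format, the threshold of 10 messages per 20 seconds, the function names and the sample log are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_sms_floods(records, max_msgs=10, window=timedelta(seconds=20)):
    """Flag recipients that receive more than max_msgs within a sliding window.

    records: iterable of (iso_timestamp, sender, recipient), sorted by time.
    Counting is per recipient across all senders, so a botnet spreading the
    load over many numbers is caught the same way as a single sender.
    """
    recent = defaultdict(deque)  # recipient -> deque of (time, sender)
    alerts = {}
    for ts, sender, recipient in records:
        now = datetime.fromisoformat(ts)
        q = recent[recipient]
        q.append((now, sender))
        # Drop messages that have fallen out of the window.
        while q and now - q[0][0] > window:
            q.popleft()
        if len(q) > max_msgs:
            a = alerts.setdefault(
                recipient, {"peak": 0, "senders": set(), "first_alert": now})
            a["peak"] = max(a["peak"], len(q))
            a["senders"].update(s for _, s in q)
    return alerts

def build_sample_log():
    """Constructed gateway log: one flooded number and one normal number."""
    base = datetime(2021, 10, 1, 12, 0, 0)
    log = []
    # 30 messages in 15 seconds to one recipient, spread over 5 senders.
    for i in range(30):
        t = base + timedelta(seconds=i * 0.5)
        log.append((t.isoformat(), f"+155501{i % 5:02d}", "+15550199"))
    # Normal traffic: 3 messages over 10 minutes to another recipient.
    for i in range(3):
        t = base + timedelta(minutes=5 * i)
        log.append((t.isoformat(), "+15550150", "+15550188"))
    log.sort(key=lambda r: datetime.fromisoformat(r[0]))
    return log

if __name__ == "__main__":
    for rcpt, info in detect_sms_floods(build_sample_log()).items():
        print(rcpt, info["peak"], sorted(info["senders"]), info["first_alert"])
```
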
In this section, I will first show you a few easy-to-use apps and tools that you can use to send SMS messages from your PC.
Microsoft offers Windows 10 users the Your Phone app, which connects you to your Android phone. The app is simple to use and allows you to manage not only messages but also calls and photos from your phone.
How to use the app:
- Install the “Your Phone” app on your PC from the Microsoft Store.
- You will also have to get the “Your Phone Companion” app on your phone, which can be easily installed from the Play Store.
- Once the two apps are installed, Your Phone will walk you through pairing your phone with your PC. After a few simple steps, you will be able to manage SMS messages directly from your PC, using the app.
- Select Messages from the left menu, and you will be shown all SMS conversations on your phone. By clicking on one, you can view the conversation history and send and receive new messages.
If you’re an Apple user, a great app that you can use is iMessage. It comes preinstalled on iPhones and you can get it for free on your Mac computer. It can also be used with an iPod Touch or an iPad.
iMessage uses Apple’s own messaging network to send messages over the internet, but otherwise, it works and looks exactly like normal SMS messaging.
To use this feature, first, you will have to set up SMS/MMS forwarding from your iPhone to your other Apple device.
Once you do that, here’s how you send messages using iMessage:
- Open the iMessage app on your Mac
- Log in to your iCloud account using your Apple ID. This way, iMessage will sync with the messages on your iPhone
- In the menu on the left, select a conversation to see its messaging history and send new messages.
On Google Chrome (or any other Chrome-based web browser), you can install an extension called “Send Your Email to SMS (text)”, offered by cloudhq.net. It will link to your Gmail account and let you send SMS messages very similar to how you would send an email.
Note that this extension supports only US and Canadian phone numbers.
According to a trusted source, it allows you to send up to 10 free messages per month. For $55 per month, you can upgrade the service and send unlimited messages.
To use the extension, do the following:
- Download the extension here. Install it by clicking the blue button which says “Add to Brave”.
- Open Gmail and start composing a message as you would do with an email.
- Type your message.
- Click on the phone icon next to the “Send” button.
- In the field that appears, type the phone numbers to which you want to send the message.
- Click “Send”.
In this article, I showed you how easy and quick it is to perform a DDoS attack on a target only by knowing their phone number and installing a very simple tool from GitHub. You can do it either on Windows or Linux using this simple guide.
Have you ever used any of the tools shown in this article, or similar? If yes, please leave a comment below sharing your experience!