67

I routinely receive seemingly harmless SMS messages from unknown people. They're usually simple, like "Hi" or "Hello" or "Are you there?". This happens several times a week, and certainly often enough that it seems to be some sort of organized, ongoing effort to get me to reply. I'm trying to understand why someone (or several someones) would bother sending such messages.

Is this a known hacking/phishing technique? If so, is there useful information that someone can obtain just by sending an SMS message, and what can be determined if the recipient replies (assuming they don't include any personal or security information in the reply)?

Caleb
  • 649
  • 1
  • 5
  • 7
  • 52
    At the very least, it tells a potential scammer that the phone number is (1) valid and (2) owned by someone who is willing to communicate. That opens the door to a variety of social engineering attacks. – tonysdg Mar 03 '17 at 06:19
  • 16
    @tonysdg (1) can be verified even if you don't reply. – Dmitry Grigoryev Mar 03 '17 at 09:48
  • 2
    When you say people are we talking a couple of unknown numbers, five, fifteen? How long have you held this number? It is possible that either someone has incorrectly given your number as theirs to friends which is a digit off, or you have inherited a number which used to belong to someone else. The pattern of the range of numbers sending messages, repeated messages from the same number and content would tend to support or refute this. – pwdst Mar 03 '17 at 17:36
  • @pwdst No, we're not talking about an occasional wrong number. They're too frequent (maybe between 3 and 8 each week), and too uniformly bland ("Hi.") to be a coincidence -- it feels like an orchestrated effort. – Caleb Mar 03 '17 at 19:38
  • 1
    Do you give out the phone number a lot? Fill it in on forms, set it on accounts? – jpmc26 Mar 03 '17 at 21:58
  • @jpmc26 No, I don't give it out widely. I give it out only to people who might have a legitimate need to contact me, and I use it in a few limited cases for two-factor authentication for trustworthy services. I'm used to getting spammy messages on services where sending messages is nearly free, like email or Apple's iMessage, but I'm trying to figure out what the motive is with SMS where there's some cost to send a message. – Caleb Mar 03 '17 at 22:09
  • You guys are paranoid. Someone thinks their phone number is the same as OP's and gave that number to all their friends. – Navin Mar 05 '17 at 14:52
  • @Navin That's what I thought for a while, but in my experience most people don't start a text message conversation with just "Hi" or "Hey," and certainly not several times in a row. A few might, but most people say more, like "Hey, going to movies, join us?" or "Hi, cn u go out 2nite?" or similar. Also, you'd expect these messages to stop or slow down after a few months as the friends discover that it's a wrong number, but that hasn't happened even though I block the numbers pretty quickly. – Caleb Mar 05 '17 at 17:17

4 Answers4

77

Some telephone or SMS numbers allow for an additional charge that is automatically recovered by your phone provider and reversed to the owner of the number. This is mainly used (legally) for some TV games where each participant pays a little money when calling a special number or sending a SMS. At the end, either one of the players earns something, or the answers of participants were used for an election (a miss election for example).

So a not so good company could set up a system like that and send tons of SMSs asking for a reply to such an overcharged number - and optionally omit to say that it is overcharged... The cost of mass sending SMS is low, so if they get an acceptable return rate, they will earn some money with it.

When you are aware of that, and willingly send an overcharged SMS to participate in the election of the song of the year, all is fine. But when you receive a SMS just pretending to come from a friend and end in paying more than the simple SMS it is robbery.

But as this kind of company hides themselves abroad or vanish as soon as you reclaim to have your money back, it is much better to never send them any overcharged SMS.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • 9
    Good answer. I think in many locations the type of phone number could be used to see if this is the case. At least where I live those numbers does not start with digits used by regular private phone numbers. – Anders Mar 03 '17 at 08:49
  • 24
    Something worth noting: I don't think iPhone's do it, but my Android will present a dialog box when you try and respond to the message warning you it could cost more. That's saved me a few times. – Sam Weaver Mar 03 '17 at 13:17
  • @SamWeaver is this a built-in, or an app I could download? Does it work for Czech numbers? – John Dvorak Mar 04 '17 at 12:32
  • 3
    @SamWeaver: unsure whether it does not come from the mobile phone provider. My corporate mobile phone refuses for example all calls to overcharged numbers. It is a parameter of the contract. – Serge Ballesta Mar 04 '17 at 17:03
  • It seems to be built into my OS... If it is something by the carrier, it would be applied in a provisioned OTA carrier update and turning on a feature switch in the OS. As for working with Czech numbers, I'm unsure, but I'd assume so. – Sam Weaver Mar 04 '17 at 21:59
  • @JanDvorak Worked for some Slovak numbers, can't remenber for which ones though. – KeyWeeUsr Mar 04 '17 at 23:50
  • 1
    I would say (legally) rather than (correctly) – njzk2 Mar 06 '17 at 04:36
  • @njzk2: I must admit my English is not good enough to find the most appropriate word... Thank you for your comment. – Serge Ballesta Mar 06 '17 at 09:43
33

One useful thing an attacker could gather is what your response time is at different times during the day and also things like your sleep schedule. If you leave your phone at home when you go jogging or to a meditation class they may be able to determine times at which other entities may not be able to reach you quickly. This may give the attacker knowledge of when to best attack you or your employer. So yes even the response time has value.

The next thing that may be useful is the words you use and your very personal phrases Things like "Thanks again" "Cheers" "Peace" or "Have a great day" may help an attacker forge e-mails for a phishing campaign that look exactly like text you would actually use in conversation.

After that, there is target OS identification. In a nutshell, if the person sending you these is using a device which supports Apple's iMessage protocol they will in most cases, be able to see if your phone supports iMessage or not giving a very high likelihood of telling the attacker your phone's base OS as being either iOS (iMessage supported) or Android/Other (iMessage not supported). This is by no means absolute but if they are collecting this information from a large number of targets it will be mostly accurate data.

A slightly more dangerous and hopefully unrealistic example for conversational purposes, if a Bank were to authenticate a wire transfer via a simple Y or N response from a phone number on file for their poorly written SMS application an SMS could be crafted from a spoofed VoIP number that matches the bank's real source phone number.

If an attacker could time things correctly (again this is an unrealistic example) he or she could initiate a few fake texts to you to determine your average text response speed at 3pm or so then send you a well timed question looking for a 'Y' or 'N' response that is in turn being sent back to the spoofed bank number.

In a nutshell, you get asked something ridiculous like: "Would you like to see an image of me in a sexy panda suit? 'Y' or 'N'?

and that response becomes the reply to "A request to wire $10,000.00 to the national bank of hackerland has been requested do you approve this request? Respond with 'Y' or 'N'?" by the nature of you replying back to the spoofed text to the banking app's source number.

Again this is something of a fictitious example but the combination of insecure SMS systems in some countries combined with some horribly written systems allowing user SMS input something similar to this could potentially be possible.

Architecturally SMS was built before security was a concern, it has almost no security controls to speak of and although useful it should not be used for high-trust applications like authorizing wire transfers.

Even if it seems like fun you are technically giving this person/entity data. If they happen to be malicious and you or your employer are useful targets it might be wise not to respond or in the case of iMessage even open/acknowledge the messages.

Lots of organizations are doing bad things at scale right now. This could easily be part of a large-scale reconnaissance effort.

Possibly useful reference: https://en.wikipedia.org/wiki/SMS_spoofing

Trey Blalock
  • 14,099
  • 6
  • 43
  • 49
  • Whilst the attack scenarios are interesting, the initial ideas require an on-going dialogue. Since the "Y" and "N" scenario would both require a fairly rapid response (before the legitimate message came through) and that you could be manipulated into responding in the required format. In that light, presumably replying "Sorry, I think you have the wrong number" to a number once would seem to be safe where it is feasible that a text might have been accidentally misdirected? – pwdst Mar 03 '17 at 17:42
6

Had a similar issue but googled the content of the SMS and saw that it was a hoax. I called my provider and they told me that if you answer to the message by SMS, you get charged with a normal SMS price. The malicious senders aim for you to call them back to find who they are and then you are overcharged.

As other answers described though, you could be charged even when answering via SMS so I guess the best practice would be to not answer to any messages from unknown numbers, especially when they are short like the ones you seem to get and not exlplaining who they are

papakias
  • 225
  • 1
  • 9
5

Something that hasn't been covered in the other answers is messages like these are commonly used to check if a phone number is still active. You see the beauty about GSM is that you do not have to be connected to the network at the same time as the recipient because messages are sent to a SMSC which utilises a mechanism called "store and forward". Therefore the use of SMS messages is an attractive means of communicating with an individual as not only does it guarantee delivery of messages but pretty much everyone uses it.

Even though the person sending the message may not have malicious intent, they are likely to sell any data they can collect about your particular number or/and you as an individual. There are criminal organisations that specialise in these kind of activities and they can profit from carrying out such activities. The purpose of sending a large amounts of SMS messages is to try and encourage you to respond, you are probably getting annoyed with receiving such a large number of messages to the point where you are considering responding to the messages, I would advise you now to just ignore the messages.

So why should you care if data is being sold to x, y or z? Well for the simple fact that you don't know who is selling your data and who they are selling it to. By not replying to the messages makes your data look less valuable therefore organisations/individuals are less likely to purchase your data. This is not to say they won't but in my eyes, someone who replies to a SMS message is more appealing as a target for phishing than someone who doesn't.

Therefore even though replying to the initial message/s may seem like it has little consequences, it may trigger more messages in the future as your phone number will be regarded as active. After this you will start receiving more SMS messages which will employ phishing techniques.

As well as this, replying to a SMS message can also assist in GSM Sniffing but this is dependent on many factors such as the encryption algorithm in which your phone is using.

It would be in your best interest to ignore the messages as eventually the organisation/s will likely determine your number as inactive or will see spamming your number as a cost rather than a benefit.

Us3rname
  • 131
  • 6