Text messages can be redirected by hackers to receive a user’s OTP and other information in a potential SMS attack reported by Joseph Cox of Vice. He wrote in his report that a hacker could gain access to his WhatsApp account as well, apart from Bumble and Postmates accounts.
“Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16,” the report read.
In Cox’s case, the hacker Lucky225 had orchestrated the attack with his permission. However, this might not be the case who fall victim to such SMS attacks in real-life. The attack involves rerouting the victim’s messages so that hackers can gain access to personal information such as for instance, log in to social media accounts associated with that phone number.
The report points out that the SMS redirect attack is less technical and easier to pull off than the more complicated SIM swapping and SS7 attacks. For instance, a user completely loses network connectivity when a SIM swapping attack is carried out, giving some indication to users of a possible attack.
However, it looks like the SMS redirect attack is simpler to carry out and victims do not even get a whiff of it. Typically, a user might just blame the network in case an OTP SMS doesn’t come and make another attempt at it without even knowing that their SMS has potentially been redirected to hackers.
The hacker took the help of a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, according to the report. A $16 monthly plan (roughly Rs 1,600) was used by the hacker to get a Letter of Authorization (LOA) from the company, which gave authority to “switch telephone numbers”.
The report added that the method of attack has not been previously reported in detail and it could have implications for cybercrime. Apart from gaining access to a user’s accounts, hackers could also possibly get a user’s banking or financial details.
To avoid a possible SMS attack, users can restore to 2FA for their social media accounts or link an email id to their account to get OTP or verification code on their email instead of via a text message. Most big platforms such as Twitter, Instagram, and Faceook offer 2-factor authentication (2FA) which requires users to log in to their accounts using a verification code on an authentication app such as Google Authenticator on their phone.
