Solution: SMS Spoof - Phishing Websites (Bank of America)

Tools Used:

The Red Herring Solution

If you google how to do an SMS spoof, you will likely come across a plethora of threads talking about using the Social-Engineer Toolkit (SET) in Kali or BackTrack. This is a red herring - a false path to the solution that will lead you nowhere. All those guides will show you how to navigate through the SET menu options, but will leave you hanging on how to send the actual text.

Some will say you can do it for free with the Android Emulator, one of the options in the Social-Engineer Toolkit. This is false - you can spoof an SMS to the Android Emulator for demo purposes, but you cannot spoof a text message to the outside world using it.

Some will say you just use one of the other options in the list that the Social-Engineer Toolkit provides. All those options are paid services that require you to enter a code into SET to use them - you can do the exact same thing on their websites and bypass the Social-Engineer Toolkit entirely. The problem (as noted later in this guide) is that most of them don't actually work.

So really, there is no reason to use the Social-Engineer Toolkit in this attack.

The 2016 Solution

In 2016, when I wrote this challenge, I googled "sms spoof" and tried many of the paid services in the top search results. Every single one I tried would send the text message, but instead of appearing as the "From" phone number I specified, it would appear from a random phone number - thus the spoof was unsuccessful. Finally, after much searching and wasting of credits, I stumbled upon spoofmytextmessage.com, which actually worked! I verified it with a variety of phone numbers (all of which I had permission to do the test with). With the knowledge that it was possible, I wrote this challenge.

Now, in 2018, I attempted to duplicate the challenge solution with spoofmytextmessage.com and found it did not work - the spoof failed, and the messages appeared from a random number again (not the number I specified).

In researching the issue, I found this commit from the Social-Engineer Toolkit which had disabled their SMS Spoof module because spoofmytextmessage.com was having issues. I noted many issues filed in their GitHub repo where the author of SET noted that spoofmytextmessage just wasn't working for him anymore - just like me.

The 2018 Solution

At present, I do not have a sure solution to write up. You could try to find an alternative SMS spoof service - back in 2016, some worked, and some didn't. You could also try a new routing option I see on spoofmytextmessage (see image below) - I only confirmed it did not work for me on the "Auto Spoof" route, but it's possible the other routes work (I haven't tested them).



Why include this challenge if it may no longer work?

I confirmed myself that it was possible in 2016, and believe it to still be possible - just the tool I used may no longer be functioning. This is a very powerful attack, as people tend to trust SMS more than email. It can be combined with all sorts of other attacks - for example, if a CFO receives a spoofed email from his CEO to wire money, AND receives a spoofed text message from the CEO's phone number confirming the request... that's far more powerful than just a spoofed email.

AFTER figuring out how to send a spoofed SMS... we must set up a phishing site to capture the credentials

Follow the same steps from Challenge 12, using ngrok to expose port 80 on your local machine, cloning the site with Social-Engineer Toolkit, and setting up Credential Harvester from Social-Engineer Toolkit.