Solution: SMS Spoof - Phishing Websites (Bank of America)
Tools Used:
- spoofmytextmessage.com (...? Maybe?)
The Red Herring Solution
If you google how to do an SMS spoof, likely you will come across a plethora of threads talking about using the Social Engineering Toolkit (SET) in Kali or Backtrack. This is a red herring - a false path to the solution that will lead you nowhere. All those guides will show you how to navigate through the SET menu options, but will leave you hanging on how to send the actual text.
Some will say you can do it for free with the Android Emulator, one of the options in the Social Engineering Toolkit. This is false - you can spoof an SMS to the Android Emulator for demo purposes, but you cannot spoof a text message to the outside world using it.
Some will say you just use one of the other options in the list that the Social Engineering Toolkit provides. All those options are paid services that require you to enter a code into SET to use them - you can do the exact same thing on their websites and skip the Social Engineering Toolkit entirely. The problem (as noted later in this guide) is that most of them don't actually work.
So really, there is no reason to use the Social Engineering Toolkit in this attack.
The 2016 Solution
In 2016, when I wrote this challenge, I googled "sms spoof" and tried many of the paid services in the top search results. Every single one I tried would send the text message, but instead of appearing as the "From" phone number I specified, it would appear from a random phone number - thus the spoof was unsuccessful. Finally, after much searching and wasting of credits, I stumbled upon spoofmytextmessage.com, which actually worked! I verified it with a variety of phone numbers (all of which I had permission to do the test with). With the knowledge that it was possible, I wrote this challenge.
Now, in 2018, I attempted to duplicate the challenge solution with spoofmytextmessage.com and found it did not work - the spoof failed, and the messages appeared from a random number again (not the number I specified).
In researching the issue, I found this commit from the Social Engineering Toolkit which had disabled their SMS Spoof module because spoofmytextmessage.com was having issues. I noted many issues filed in their GitHub repo where the author of SET noted that spoofmytextmessage just wasn't working for him anymore - just like me.