top of page
Search
  • Writer's pictureotw

Social Engineering Attacks: Creating a Fake SMS Message

Updated: Feb 10, 2023

Welcome back, my aspiring cyber warriors!


Social engineering is a key feature of some of the biggest hacks in history! Many novice hackers are so focused upon mastering the technical aspects of hacking that they ignore at their own peril the power of social engineering. When nation-state actors such as Russia's Sandworm hacking team (one of the most technically advanced hacker organizations) use social engineering to hack Ukraine's electrical grid and the US 2016 Presidential election, that should be a sign that social engineering is important and critical to your hacking toolbox.


In the TV show, Mr. Robot, Elliot and f/society use social engineering to hack Steel Mountain where Evil Corporation stores their backup tapes. Part of that social engineering is an SMS message (sent from a now obsolete feature in the Social Engineering Toolkit (SET)) to a manager that distracts her and enables Elliot to roam free in the facility, eventually leading him to the HVAC system of the vault where the tapes are stored. This is a complex and difficult hack but none of it would be possible without social engineering.


SMS messages or commonly referred to as text messages is a protocol originally developed in the 1980's and first implemented on the European mobile standard GSM in the 1990's. It has since been implemented into nearly every mobile communication protocol. It allows the users to send a short message (SMS is an acronym for short message service) of less than 160 characters from one person to another over the mobile network. It has become a ubiquitous feature of mobile communication in the 21st century.


Let's take a look at how you can send fake SMS messages.


Step #1 Download and Install Fake SMS


If we want to send fake SMS messages from Kali, we can download and install Fake-SMS. It's available on git hub.


kali > sudo git clone https://github.com/machine1337/fake-sms


Once it has been downloaded, navigate to the new directory;


kali > cd fake-sms


Now, give yourself execute permissions on run.sh


kali > sudo chmod 755 run.sh


Now, execute the script


kali > sudo ./run.sh


As you can see above, Fake-SMS opens a screen like that above with a simple menu. To send a SMS message, simply enter 2.


You will now be prompted for a phone number and message as seen below. I found this number among the many scams currently being perpetuated via SMS. This one promises forgiveness of your student loans.


I entered the phone number, hit enter and then was prompted for a message. I then entered "Yes! I want student loan forgiveness!"

As you can see, I was able to send my fake SMS message to the scammers! With this script, we are able to send one fake SMS per day.


We can view the Fake-SMS script with any text editor. In this case, I opened it with a mousepad. When we do so, we can see it is a simple BASH script. When we scroll down to lines 119-120, we can see a curl command to textbelt.com. Apparently, this script simply uses this SMS site to send text messages.


Let's see whether we can bypass this script and work directly with this site.



Step #2: Use the curl command to send Fake SMS


First, we need to open an account at textbelt.com. When we open an account, we can send one fake SMS message per day or we can purchase credits and get an API key to use their service.




Now we can generate our own text messages without the Fake-SMS script directly by creating a curl command in Linux (once you have an API, you can use a variety of scripting languages, but I found this curl command to be the simplest). The syntax for this command is as follows:


curl -X POST https://textbelt.com/text --data-urlencode phone='phone number with country code'


--data-urlencode= message='text message'


-d key=Your API Key



I can then construct a command to send a fake text message as seen below using the same info from above and including my API key (blacked out).




This service responds with a message detailing the success of sending my message and the number of messages left in my quota.


Summary


Although every hacker wants a nice, clean, technically advanced hack similar to EternalBlue, that is usually not possible except for in a limited number of cases. In reality, nearly all hacks today require an element of social engineering. As mentioned above, even the most sophisticated hacking organizations such as Russia's Sandworm have used elements of social engineering for some of their most important hacks in history. Being able to send fake SMS messages might be the critical element to your hack!


For more on social engineering, check out Chapter 17 of my book "Getting Started Becoming a Master Hacker" available here.








46,524 views9 comments

Recent Posts

See All

9 Comments


astriddavina54
astriddavina54
Jan 02, 2023

i know of a very good hacker that can help you with any type of hacking, either phones or computers. My husband was so smooth at hiding his infidelity so I had no proof for months, I was referred to some hacker and decided to give him a try.. the result was incredible because all my cheating husband’s text messages, emails , facebook and even phone conversations was wired directly to my cellphone. Computerguru helped me put a round-the-clock monitoring on him and I got concrete evidence of his escapades..if you think your spouse is an expert at hiding his cheating adventure, you can contact them too at HENRYCLARKETHICALHACKER@GMAIL.COM on whatsapp12622367526.


Like

Hire a professional cell Phone Hacker who has the skills that can grant you remotely access to your spouse cell phone and grant access to cheating spouse cell phone information on their cell phone. He can also use he skills to spy on other people’s cell phones device. It is also known as a cell phone spy who are capable to provide you all you require to infiltrate any type of smartphone and iPhone. I was able to got access to partner iPhone, the job was prefect to the extended he didn’t knowing anything about it, was so prefect you can conatct him via kelvinethicalhacker @ gmail. com. reach to him to help spy on your cheating spouse...

Like

Looks like that github repo was pulled. Is it available somewhere else?

Like

Which number is going to display as a sender in a Receiver phone.??


Thank you for a nice, straight forward tutorial to understand.

Like

Hi everyone... I am Mike Luciano and I’m so addicted to winning the lottery. I’ve just scooped my FOURTH jackpot of $1million – taking my total winnings to $4.6million through the help of one legit spell caster named Dr Amber. My first ever win was $100,000. Last year, I won $500,000 from the Pennsylvania state lottery and I also won $3 million in 2016 bringing the grand total of my winnings to $4.6 million. All my winnings have been made possible with the numbers given to me by Dr Amber. I've been so blessed, winning big three times in my lifetime. His spell casting is unique and safe unlike some fake spell casters that are just after your money without…

Like
bottom of page