Recently, I came across some articles online about a couple people who were sending mass text messages to people in the US. Previously, they had used improperly-secured printers to send their message. This time, however, they have a larger audience: every American with a mobile phone.
I looked into what they were doing, and I discovered that their trick is quick, and very simple. I searched for “SMS Gateways” on Google, and found this Wikipedia page. Once I reached the “Email clients” heading, I knew I had found relevant information, because a Wired article mentioned the use of “mailx”, a Unix mailing program.
According to the section on Wikipedia, each major carrier has an email domain (such as msg.fi.google.com), which has a virtual email address for every number that carrier controls. By sending an email to that number, you are essentially sending a text, because the server for that carrier forwards the subject and content of the email to the number specified.
Now, I’ve had experience with this before. Sometimes, people with Android phones will accidentally send an email to me by sending a text. I don’t know the exact process to reproduce this, but I’ve known for some time that somehow, there is a way to get emails converted into texts, and vice-versa.
A few years ago, I made a simple PHP script to spoof emails. It can spoof the “From” address very easily, and most mail clients (besides GMail) don’t even know the difference AFAIK – or at least they don’t notify the user. So, I tried using this simple script to send myself a text. And who would’ve guessed? It works.
So there you have it. Anyone can send you texts and pretend to be someone else. And good luck finding out who sent it! Unlike emails, where you can view the original header information and find the server, with SMS that information would only be available from the carrier. So unless these mobile carriers take action, I bet our hacktivist friends won’t be stopped any time soon.