AT&T text messages can be faked to send phishing links to its customers

Cyber criminals can easily fake AT&T text messages and hack you

The way AT&T sends alerts to its customers presents an easy opportunity for hackers to clone them and make phishing attempts to get your login credentials. “There’s a problem with the way AT&T sends out customer alerts via text message: They’re too easy to mimic,” Jose Pagliery reports for CNN.

“With little effort, a scammer could send you alerts that look just like the real thing. Click on a link and the hacker will grab your login credentials — or fool you into giving up your credit card too,” Pagliery reports. “It’s yet another phishing scheme. But instead of email, hackers can target you with texts.”

“The problem stems from AT&T not making its real alerts look legitimate enough,” said Dani Grant, the computer programmer who noticed the flaw. “If the official texts look like phishing, it’s impossible for the customer to distinguish between what’s phishing and what’s not,” she added.

The main problem is that AT&T doesn't have a standard, uniform short code number. Some of the messages come from a weird four-digit short code, which can be bought anywhere, and AT&T sends the text messages from different numbers each time.

The second problem is that the links in the texts are also weird at times. Some links point to att.com while others take you to dl.mymobilelocate.com.

Third, AT&T doesn't maintain uniformity in the header title, and the text messages don't have a consistent format. Some of the messages start with capital “AT&T FREE MSG,” while others are in lower case, “AT&T Free Msg.”

This looks like an open invitation for cybercriminals to carry out phishing campaigns against AT&T customers.
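The three inconsistencies above can be expressed as checks against a single published alert policy. The following is an added example, not code from the article, Grant or AT&T: the policy, the short codes and the sample messages are constructed, and only the two domains and the two header spellings come from the article.

```python
import re

# Hypothetical policy a carrier could publish: one sender, one domain, one header.
POLICY = {
    "senders": {"00000"},        # placeholder short code, not a real AT&T number
    "domains": {"att.com"},      # domain named in the article
    "header": "AT&T Free Msg:",  # one of the two spellings the article quotes
}

# Link-like token: optional scheme, dotted hostname, optional path.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def link_hosts(body):
    """Return the lower-cased hostname of every link-like token in the message."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]

def host_allowed(host, domains):
    """Exact match, or a subdomain on a label boundary.
    'att.com.billing-alerts.example' and 'notatt.com' both fail."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(sender, body, policy=POLICY):
    """List every way a message deviates from the published policy."""
    findings = []
    if sender not in policy["senders"]:
        findings.append("unknown-sender")
    if not body.startswith(policy["header"]):
        findings.append("header-mismatch")
    findings += [f"off-policy-link:{h}" for h in link_hosts(body)
                 if not host_allowed(h, policy["domains"])]
    return findings

# Constructed sample messages (sender, body); none is a captured AT&T text.
CONFORMING = ("00000", "AT&T Free Msg: Your bill is ready. View it at att.com/mybill")
LOOKALIKE = ("11111", "AT&T Free Msg: Your bill is ready. "
                      "View it at http://att.com.billing-alerts.example/login")
# Styled on the genuine variation the article reports: other number, header, domain.
INCONSISTENT = ("22222", "AT&T FREE MSG: Locate your phone at dl.mymobilelocate.com/x")

if __name__ == "__main__":
    for name, msg in [("conforming", CONFORMING), ("lookalike", LOOKALIKE),
                      ("inconsistent", INCONSISTENT)]:
        print(name, assess(*msg))
```

The message styled on the genuine variation trips the same checks as the lookalike, which is why these signals only help customers or filters once the sender, domain and header are standardized.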

To test her theory, Grant set up her own shortcode, bought a legitimate-looking website address and sent a message. Can you tell the difference?

Spoofed AT&T Text Messages

AT&T declined to comment on this topic. Grant said she reported it to the company as a security flaw but hasn’t heard back from them.

To be fair, though, AT&T isn’t the only one. Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to vzwmobile.com or vzw.com.

T-Mobile sends alerts from a three-digit short code (also different for every user) and links to t-mo.co.

SMS text messages are convenient, because they’re reliable. You can get them anywhere, anytime on any phone.

But Grant thinks these companies should opt for email instead, or communicate through a dedicated app. It’s easier for a company to make emails look official. And an app would, in most cases, keep out the bad guys.

Next time you get an SMS from any of these companies, watch out for phishing links.
