Beware of email and SMS spoofing: You could be impersonated!
Imagine someone using your number to send out ransom messages for a kidnapping. It can happen!
I recently came across an article about an ‘evil mobile software’ on sale in Pakistan that is being used to send out fake SMS messages using other people’s mobile phone number.
This act is commonly called ‘SMS spoofing’ and has both legitimate uses (setting the company name, your own mobile number or a product name from which the message is being sent) and illegitimate uses (such as impersonating another person, company or product).
The article states that the software is being advertised and sold openly in the market without the notice of any law enforcement authorities. It is being used to send out spam and phishing messages. To my surprise, a small Google search actually reveals that the service is also available for free on the internet through websites such as,
www.smsgang.com, www.spoofsms.net, www.fakemsg.com and many more.
It is also available in the form of an app.
Of course, using a free service being offered by a registered website or app leaves you prone to being caught and so the nominal price of Rs150 for buying the software and keeping your identity safe doesn’t sound too bad.
Interestingly, this article actually reminded me of an incident from my academic life when some students in our class came across a website that allowed people to send out emails using any person’s email address (email spoofing).
We had just finished our exams and were expecting our results which were normally sent out via letters from our institute, or if you were registered for it then by an email or SMS as well. Some of us decided to pull a prank on other students and sent out emails using the aforementioned website to appear as though they had been sent from the official email address of the institute. The email claimed that the institute had placed a CCTV system which was used to monitor students in the examination hall and that the person receiving the email had been observed to be cheating and his/her papers would, therefore, be cancelled.
An innocent prank, surely?
While most of the people who received the email either called a friend or consulted a teacher; on further examination of the email they realised that it was a hoax. Unfortunately, one person showed the email to his mom who started weeping and armed with a copy of the email marched into the administration of the institute demanding an explanation. After all the hue and cry, it was concluded that the email was in fact fake.
Now, our Management Information System (MIS) teacher was tasked to talk some sense into our class and explain to us that the said act was in fact criminal in nature and if it were not Pakistan, then we might have been charged under a cyber crime law.
That lecture scared the perpetrators enough and nobody came forward to accept the responsibility for the prank.
The reason for narrating the above account is two-fold, one that the aforementioned technology is not new and second to emphasise how easy it is to throw anyone off just by using another person’s email address or mobile phone number.
While the technology is mostly used to send out spam, considering the current situation of Pakistan with terrorism and kidnappings on the rise, it becomes even more dangerous. In today’s day and age email addresses and mobile phone numbers are often used to trace the identity and location of criminals, but the fact that these can be tampered with makes me shudder.
Imagine if someone used your mobile number to send out ransom messages for a kidnapping and landed you in a bucket load of trouble, or if you received an SMS from someone you loved saying that they are in trouble but you are not able to trace where they are. Add to that the possibility of the authorities closing down mobile phone networks at the slightest sign of trouble and you may end up having a nervous break-down trying to assess the whereabouts of the message.
The software may also be used for cyber bullying and for perpetrating fraud by tampering the sources of official emails, messages and documents.
Understandably, SMS and email spoofing, unless used for legitimate purposes, are considered cyber crimes and are punishable by a court of law in most countries. However, in Pakistan there is still no working law in place to tackle such crimes. Although, the Pakistan Electronic Crimes Ordinance (PECO) has been in place since 2007, it is yet to be passed as a law.
I remember a joke I once heard about the trial of a cyber-gang in Pakistan where the judge started the proceeding by asking the gang members who among them was ‘Cyber,’ the person under whose name the gang was titled!
I am not sure about the source of authenticity of that joke but the fact that we can actually relate such an anecdote about such a serious matter makes me want to cringe.
Whether or not the authorities will take notice of and crack down on the sale of the SMS spoofing software in the market remains to be seen. However, I believe that there is a dire need for a working cyber crime law to be passed in the country to deal with any complications arising out of the use of such illegal software.
Read more by Faraz here, or follow him on Twitter @eff_eche