Monday, July 12, 2004

Phony Crimes: SMS Spoofing


What would you do if you receive a Short Messaging Service (SMS) in your cellphone in the middle of a night from the mobile of your spouse asking you to bring cash as he has met with an accident?

The chances are that you would check the mobile number and if you are sure that the cell is your husband's you would rush out with cash. If this could be your response then the chances are that you are not aware of "Mobile Spoofing."

Using a web-based software, a cyber criminal could send you a message from your husband's cell without even touching his mobile. And mind you, no cellular service provider can say that it was a spoofed or faked one.

This "SMS Spoofing" has been successfully tested by the Pune-based Asian School of Cyber Laws (ASCL), which is the pioneering institute in the field of education, training and consultancy in cyber laws, cyber crime investigations and information security.

The Director of ASCL Rohas Nagpal said that the school conducted an experiment at the national and international levels wherein they were able to successfully spoof SMS messages and make them appear to come from other person's cellular phone.

Nagpal said it has issued a caution note to all law enforcement agencies as well as cell phone users to be careful in relying upon the authenticity of SMS message.

These people were using the GSM-based cellular phone services in various parts of India and other Asian as well as in African countries. The countries that participated in the experiment included USA, Malaysia and India wherein the senior police officials and IT professionals were informed about the experiment which was being carried out.

They were told they could try to verify the authenticity of the spoofed numbers. But none of them could do so. They were told to contact the telecommunication authorities to verify if the number is genuine. But even the authorities were fooled, Nagpal added.

He said using this SMS spoofing it is also possible to send an SMS to anyone on the cell phone without touching it. Thus if the person goes to the reply mode of the phone and write any reply text after receiving the spoofed SMS, it will again come back to the same person.

This is because the spoofed SMS may contain the person's own cell number, he said.

The cyber criminal can send a spoofed SMS from any part of the continent to anybody, Nagpal said.

Explaining how this SMS spoofing can be misused by the criminals, Nagpal said a woman in a foreign country received a SMS that her husband badly needed large amount of cash as he was in deep trouble. Since she recieved the SMS from her husband's cell number she rushed out. The moment, she stepped out of her house, she was attacked and the whole cash was stolen.

Some websites also provide for spoofing facility and therefore the risk of SMS Spoofing is enormous. Unless there is cooperation between the website owners and the administrators of message servers it is very difficult to detect the perpetrator of the crime.

While the scope for misuse of SMS Spoofing is enormous, the ASCL has used it in a positive manner to help the investigating agencies and law enforcing agencies trap terrorists and narcotic dealers. This was done by spoofing the message with the cell number of their acquaintances.

In one case an SMS was sent to the narcotic dealer to bring the drug consignment at a particular place. The dealer mistook the cell number to be that of his acquaintance and went to deliver the drug only to be arrested.

Thus the SMS Spoofing can be very effective tool for the investigating agencies to trap criminals and underworld gangsters by sending SMS in their cell phones.

No comments: