despitegirls t1_j6gpxcq wrote

Someone spoofed our CEO's number and sent out phishing texts to corporate officers and VIPs. I traced the number back to Twilio, got on the phone with their support, and the texts stopped within 90 minutes. Not sure what they can do since they're just the provider of telephony and messaging services, but good on them for a quick response.

Edit: Correction here. Around this time there were two groups of texts that were going around, one from our CEO's spoofed number, and another from another number. The content of the text messages was the same. I traced the number that was not spoofed and called Twilio on that number and the texts stopped for both. Last year we had a lot of these phishing emails sent to VIPs in our company. We've since hired a security consultant and expanded our internal security team.

208

Enxer t1_j6gqxye wrote

We get CEO spoof texts all the time. How did you perform the trace?

69

despitegirls t1_j6guslm wrote

I forget which service I used but it was a free reverse lookup that listed the provider as Twilio.

Edit: This site is a lookup for 800 numbers that I've used: https://www.800forall.com/SearchWhoOwns.aspx

45

crank1000 t1_j6h9bhv wrote

I don’t understand. How did looking up your CEO’s phone number result in linking it to Twilio?

24

Greggers42 t1_j6hqlf6 wrote

Our company has 800 employees and half can be fooled by spoof attempts where the email being spoofed is “<corporate person’s first initial and last name>@gmail.com” where our domain email is completely missing and replaced with a gmail account. When we explain what phishing is, we get replies like, “but they said they were this person. Here, I’ll forward you the email so you can read it!” 🤦🏼‍♂️

Spoofing doesn’t have to be good, it just has to work.

26

okvrdz t1_j6i0ivw wrote

Granted that the email spoof is true, crank1000 was asking about the tracing of the CEO’s number. Which is what the previous user mentioned as tracing it back to Twilio. That question remains unanswered AFAIK.

5

Greggers42 t1_j6i6ew5 wrote

Most companies don’t hand out the CEO’s cellphone. So a late night text that IDs itself as your boss and asks for info is not hard and doesn’t require the amount of suggested work earlier posts have given regarding changing the caller ID, etc. Not saying that’s what happened, but having seen this done as well, and amazed that people fell for it, I can see this being an option.

1

okvrdz t1_j6i7m8b wrote

Yes, those are all clues on how to detect a possible spoof text. Yet, what some of us want to know is how tracing back a spoofed number that displays a valid existing number results in determining that the text originated from Twilio. How does it make that distinction?

3

Greggers42 t1_j6i8o3b wrote

The poster has corrected it to say there were two numbers. Which seems more sus to me but I’ll give the benefit. Personally, I’ve heard the term spoofed number to apply to any number being used in a spoof attempt. Not necessarily the actual number, so that was where I was going with the forgiveness of the explanation.

4

WhatTheZuck420 t1_j6hxfkc wrote

>Spoofing doesn’t have to be good, it just has to work.

correct. spoofing is what they are doing

being spoofed is what your employees are doing

−4

typing t1_j6hydh9 wrote

I thought just the CEO was being spoofed, or the real/fake employee. The target employees are being phished.

4

[deleted] t1_j6hjarf wrote

Spoofing can involve setting up a phone (or email) to look as if it came from someone you know. It's not always stealing their exact phone number or email address.

The number/email itself would be different, but the name and location will show up on the caller ID or in the address book as the person whose identity is being used.

8

despitegirls t1_j6i0vks wrote

Read my correction above. I traced the non-spoofed number.

3

Which-Adeptness6908 t1_j6h3wut wrote

What they can do is not allow a number to be used without proof of ownership.

Source; owned a niche Telco.

38

drawkbox t1_j6hj59v wrote

Worked on a bunch of SMS apps including a big one for samples/notifications and it was insane how the approval process was for the short code and all the support you need around it.

I am always amazed that scammers get around all of that. A weak platform could do that if they were allowed or essentially white listed then play plausible deniability about moderating these.

SMS was built off of the network diagnostic codes/network and so they regulate it heavily. The only way these scams are working is due to piggybacking on something that has the ability to spin up new shortcodes without much oversight.

13

Intelligent_Series95 t1_j6hj5c5 wrote

Yeah, not sure, because if I tell my PBX to send an unverified from header my calls through Twilio fail. I have to verify any number I use.

7

frygod t1_j6i8fx5 wrote

I've written appointment reminder software that leverages one of Twilio's competitors (Signalwire) for delivery and they seem to do just fine in things like this. In testing use cases, I have to prove ownership of both sending and receiving phone number. They also require all SMS messaging campaigns to be registered as per FCC requirements. I know they filter it too, because when the FCC rule went into effect I hadn't received notification yet, and my first clue was everything suddenly showing up in the logs as being blocked.

2

RoboNyaa t1_j6hanpn wrote

Sounds like Twilio takes it seriously then. Meanwhile, Onvoy (Inteliquent) continues selling services to scammers and criminals with virtually no repercussions.

If you report an abusive number, they'll put your number on an "opt out" list. Thus, the scammers continue receiving service while the list of potential victims narrows down to people who don't know it's a scam.

If anyone should be disconnected and prosecuted, it's Onvoy.

18

nbeaster t1_j6hlrxj wrote

There’s still a lot of carriers out there not complying with STIR/SHAKEN but have certified they are. There’s going to be a reckoning, it’s just coming at a snail’s pace.

11

icenoid t1_j6idq6k wrote

At my last job, the CEO’s phone number got spoofed. When he texted some of us to tell us we were being laid off, we thought it was another prank. Yeah, it wasn’t.

2

P0RTILLA t1_j6hwgnk wrote

Holy Shit! We got this too but it was sent to my personal number not my work number which I thought was strange but it’s the number listed in our HR system.

1

0ogaBooga t1_j6i5hne wrote

>Not sure what they can do since they're just the provider of telephony and messaging services,

Their due diligence with KYC regulations in the US?

It's not hard to spot when a customer is making illegal calls. You have logs of every number they've dialed for billing purposes, cross check that against the national DNC list and if there is anything that overlaps it's the customer's job to provide proof that the person they dialed agreed.

See? Easy.

1

Black_Moons t1_j6in7lz wrote

Or just call the number they entered as 'calling from' and if the person who picks up doesn't belong to that business, cancel the spammers service.

It's not rocket science, it's just telephone companies make money from scammers and not from stopping them.

1

SeaweedSorcerer t1_j6k4bp0 wrote

Twilio already requires you to authenticate ownership (or have purchased it directly via Twilio) of any caller ID numbers.

1

rabbit994 t1_j6ifsym wrote

In general with all these companies is how they just let anyone sign up without doing a serious amount of checking. FCC should enforce serious Know Your Customer regulations and hand out big fines for failing to do these checks.

1

YnotBbrave t1_j6hf2cr wrote

They can block outgoing texts with caller ID not verified to be owned by the god for their business? Maybe not. Security ruins many use cases. But if they don’t, they are responding

−2