During the current pandemic, the GSM network is used by states around the globe for sending SMS notifications to the public. Due to a twenty-year-old issue that still plagues online SMS platforms, we believe that this is a first-class opportunity to raise awareness regarding Smishing (SMS Phishing) attempts.
In Greece, due to the current quarantine measures, the number 13033 is being used by the state so that people residing in Greece can register their movement in advance; the sender also receives a reply (an echo back) as proof, in case (s)he is asked to provide one by the police. Given the covid-19 pandemic, this process attempts to limit people's unnecessary movements and so minimise the spread of the virus.
Given the importance of the pandemic and the necessity of this service, it is mandatory to mention that it is possible to spoof the Sender ID in order to send SMS updates to recipients pretending to be from the original 13033 service number. This action has the potential to trick the recipients, in this particular case the general public, into clicking on malicious links, downloading malicious software, or, by using Social Engineering and potentially scare tactics, into paying a "fine" or something of a similar nature.
For example, you can see the image on the right that shows a spoofed SMS from the 13033 service, asking the receiver to download an app from https://www.twelvesec.com.
Thus, it is our strong belief that it would be universally beneficial if the proper authorities responsible for operating the 13033 service in Greece, and everywhere else in the world where similar services are being employed, were to promote a media campaign educating as many people as possible regarding the potential threat of smishing.
More specifically, the public should be informed that they should under no circumstances visit any URLs received from the 13033 service, and that the 13033 service will not send them any messages requesting payment of fines or asking them to take any action at all; for such purposes, only the GSM alert service would be used. The public should be aware that, in case they receive messages of that nature, these should be ignored and the proper authorities should be informed.
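The rule above (a genuine 13033 reply only echoes the registration back and never carries a URL or a request for payment or action) can be turned into a simple triage check for messages that display 13033 as their sender. The following is an added example, not code from the original post or from TwelveSec; the echo-style sample body, the keyword list and the placeholder URL are constructed assumptions, and the sample messages are not real traffic.

```python
import re
from dataclasses import dataclass, field

# Because the Sender ID can be spoofed, the sender field alone proves nothing;
# what distinguishes a genuine 13033 echo from a smishing attempt is the content.
CLAIMED_SENDER = "13033"
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
# Assumed keyword list for "pay a fine / take an action" lures.
ACTION_RE = re.compile(
    r"\b(fine|penalty|pay|payment|download|install|click|verify)\b", re.IGNORECASE
)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage(sender: str, body: str) -> Verdict:
    """Flag a message that claims to be from 13033 but contains a URL or asks for action."""
    if sender.strip() != CLAIMED_SENDER:
        return Verdict(False, ["not claiming 13033"])
    reasons = []
    if URL_RE.search(body):
        reasons.append("contains URL")
    if ACTION_RE.search(body):
        reasons.append("requests action or payment")
    return Verdict(bool(reasons), reasons)


# Constructed samples: a plausible echo-style reply (assumed format), two lures
# using the spoofed 13033 Sender ID, and an unrelated message.
SAMPLES = [
    ("13033", "1 123456 JOHN DOE ATHENS"),
    ("13033", "Download the tracking app at https://www.twelvesec.com"),
    ("13033", "You violated quarantine. Pay the 150 EUR fine at www.example-placeholder.test"),
    ("+30691234567", "Call me back"),
]


def run(samples=SAMPLES):
    """Return (sender, body, verdict) for each sample so results can be inspected."""
    return [(s, b, triage(s, b)) for s, b in samples]
```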
At twelvesec we believe that it is our duty to help out in any way that we can during these scary times. With all of us doing our part we will beat this.
Stay Home, Stay Strong.
10/04/2020 Initial contact with the proper Greek authorities to inform them of the aforementioned issue. No response.
16/04/2020 Follow-up communication regarding the issue, a reminder for the authorities to take action. Read receipt received. No response.
21/04/2020 Final communication informing the Greek authorities that, due to concerns for the public, TwelveSec is going to responsibly disclose the issue in the near future. Read receipt received. No response.
Dimitris Mitrou is a computer security enthusiast and a research associate with TwelveSec. In his spare time, he also does web development and mobile application development.
Special thanks to Dr. Grigorios Fragkos for his assistance in this article's editing.