“Dear customer, your card has been blocked for suspicious activities. To reactivate it, verify your identity: https://www.configuracion-movil.online”. This is the text of an SMS received two days ago by Twitter user @MamaConseja_.
We might think that, with that misspelling, the message looks even more suspicious than the ‘activities’ it refers to. However, the user in question clicked the link for an apparently good reason…
…the message was shown to her in the same ‘thread’ as the previous SMS messages sent by her bank, BBVA, with the codes needed to carry out remote banking operations, as can be seen in the following image:
Opening the link in the browser brought up a website (no longer available) that asked for her online account information. Fortunately for the user, that detail “smelled bad”, and she chose not to complete the data request, preferring to check the official app instead:
“[There] was nothing showing that my card was blocked or any suspicious purchase, so I let it be and called BBVA customer service this morning.”
The user goes on to report that the operator confirmed it was a phishing attack already reported by several customers, and that the attacker “has copied their modus operandi to perfection.”
Shortly after, BBVA's own account replied with the following:
Hi, thanks for the tip. Our teams are already monitoring this case. We recommend that you delete the message and block the sender. All the best.
– BBVA (@bbva) August 5, 2021
Nobody has hacked BBVA: it is a simple case of ‘spoofing’
But a couple of users replied to this tweet raising a question as legitimate as it was apparently obvious: How are you going to block the sender if, in theory, it is the bank itself? And, if it is not, why does it appear in the SMS list as one more message from the same origin?
The explanation of how an attack like this is possible is simple, and it does not differ fundamentally from already known SMS scams, such as the post office customs fee scam.
Deepak Daswani (co-founder of Hackron, the annual Hacking Congress in Tenerife) explained it like this to our colleagues at Xataka:
“There are ways to do it, but the easiest thing is to hire an SMS service to shape the ID of the user or sender.”
“There are free services of this type, where you hire an external provider from another country and they let you send messages with the sender you want.”
This technique is known as ‘SMS Spoofing’, and fundamentally it allows forging a message sent from an unknown source to make it pass as a trusted one. And you don’t have to be a superhacker to do this: there are many websites that allow forging an SMS from a simple form, sometimes even for free.
In the following image we can see that setting the sender is as simple as typing text into the ‘Desde’ (‘From’) field. And if that sender (say, ‘BBVA’) matches one from whom we have already received SMS notifications, the message will be shown on our phone as part of the same message thread:
In fact, even legitimate senders make use of this feature so that all the messages they send us, which do not always come from the same number, are displayed together.
So no, no one has impersonated BBVA or “copied their modus operandi to perfection”, as the Customer Service operator said. Simply put, someone has written ‘from: BBVA’ in a web form.
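The thread grouping described above, as an added example that is not part of the original article: a Python sketch of an inbox that threads messages by sender text alone, plus a check that flags links whose host is not on a list of domains expected for that sender. Apart from the SMS text quoted in the article, the sample messages, the phone number and the EXPECTED_DOMAINS allowlist are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed inbox: (sender ID as delivered, body). Only the last body is the
# SMS quoted in the article. The sender ID is free text; nothing authenticates it.
INBOX = [
    ("BBVA", "Your code to sign the transfer is 482913."),
    ("+34600000000", "Your parcel is ready for pickup."),
    ("BBVA", "Your code to sign the payment is 771204."),
    ("BBVA", "Dear customer, your card has been blocked for suspicious "
             "activities. To reactivate it, verify your identity: "
             "https://www.configuracion-movil.online"),
]

# Assumption: domains we expect to see in links from each sender ID.
EXPECTED_DOMAINS = {"BBVA": {"bbva.es", "bbva.com"}}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def build_threads(inbox):
    """Group messages the way the article describes: by sender text alone."""
    threads = defaultdict(list)
    for sender, body in inbox:
        threads[sender].append(body)
    return dict(threads)


def link_hosts(body):
    """Return the lower-cased hostname of every http(s) URL in a message."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;:)")).hostname  # drop trailing punctuation
        if host:
            hosts.append(host.lower())
    return hosts


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def flag_thread(sender, bodies, expected=EXPECTED_DOMAINS):
    """Return (message index, host) for links outside the sender's expected domains."""
    allowed = expected.get(sender, set())
    return [(i, h) for i, body in enumerate(bodies)
            for h in link_hosts(body) if not host_allowed(h, allowed)]
```

The forged message ends up as the third entry in the ‘BBVA’ thread because the thread key is only the sender string; the link check is what separates it from the genuine code messages.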