It’s that time of the year again where someone gets slick and gains the attention of the media because of some lame joke. What is it this time? Well, it is “cat facts” which has been heavily documented elsewhere, but basically operates as a little trick your friends may play by spamming your phone with messages you don’t want.
I am blogging about this because my brother started getting spammed with “cat facts” Friday night by some pranksters. Fortunately for him, back at Defcon 17 I did a talk titled “SMS No Longer Your BFF” where I covered Internet to mobile spamming through the use of shortmail and XMPP. A lot has changed since my talk, but one thing still remains, default settings.
XMPP is a bit of a pain to script when it comes to registering rogue accounts, so I went with shortmail. As a little recap, shortmail is essentially an email that can be sent to your phone via SMS. Using the destination number and carrier, you can send these messages at will and in bulk. Some carriers support truncating of the messages, so you could easily send one message that would expand out to several SMS. If you want more data on this, go revisit my talk or shoot me an email.
Back to the spammers. Because the number was unknown to us, we weren’t quite sure of the carrier, so we just decided to throw them all into the script hoping one would hit.
As you can see here, this is a hack. We use the local sendmail SMTP server on the virtual machine to bounce emails from whoever we want to the number provided…forever. After a couple hundred texts being sent out, we stopped hearing from the cat fact folks and went back to the drinking of beers.
The next day my brother had a text in his inbox that read something along the lines of “what did you do?!”. Needless to say, our spammers turned out to be his friends and the little hack of a script did its job of pushing out several hundred messages to the poor friends phone. Moral of the story, don’t cat facts tech people.