Other SMS Spoofing Scam

Discussion in 'iPhone' started by sevoneone, May 4, 2019.

  1. sevoneone, May 4, 2019
    Last edited: May 4, 2019

    sevoneone macrumors 6502

    May 16, 2010
    Someone is sending text messages to multiple employees at my company impersonating our CEO asking them to go buy gift cards. I know this is a common scam, but what I can't figure out is how they are linking the random phone number they are using to his name. This is not a phone number that has ever been associated with my boss in any way, but almost everyone getting the message on an iPhone is having his name appear as the sender.

    Somehow the scammers are associating the number they're using with his info in the recipients' phone. How are they doing this? His legit details show up as found with Siri. Is this some sort of vulnerability tricking Siri?

    [Two attached images]

    Edit: Couple of other notes. It is SMS not iMessage, so I don't think anyone has hacked his Apple ID/iCloud. Also, checked his contact info in his contacts and in our company GSuite directory.
  2. now i see it macrumors 68040

    Jan 2, 2002
    As I understood it, someone can spoof the number they're actually calling from.
    Since the CEO's real number is in every employee's address book, if a spoofer sends a text that spoofs that number, then it will look like it's from the CEO. I have no idea how it's done, but I believe it's possible.
  3. NoBoMac, May 4, 2019
    Last edited: May 4, 2019

    NoBoMac macrumors 68020

    Jul 1, 2014
    Guess here...

    Most carriers have ability to send text via email. Number@carriersoandso.com
    Verizon, number@vtext.com

    If doing this, MAYBE picking up a spoofed email address.

    Or boss's cell account hacked and another line added. Or SIM was transferred to a different device.

    In the case of email texting, probably an option on the account(s) to disable this feature (i.e., you don't want to block ability to send to you that way).

    Search on number makes it seem not Google Voice or similar, so, not spoofing via that method.

    ADD: SMS spoofing services, software allow you to specify sender name; maybe iOS is doing a "maybe from" like Phone app where name matches what's in Contacts, previous sender info.
  4. sevoneone thread starter macrumors 6502

    May 16, 2010
    Except the number they are using is not his number nor any number he has ever used.

    The email to text gateway I had not thought of, though, again, it isn't his phone number so I can't see how the phone would ever associate it with him. The only caller ID info sent on cellular calls and SMS is the source phone number, at least in the US. No name or other info is passed to the recipient phone...

    I've seen the 'Maybe: Person' phishing attempts before, but this is not a Maybe. It is saying it is him. The Siri identified number and email are from his real contact info.

    It is like the phones are picking up another contact from somewhere. We're on GSuite and I originally freaked out thinking someone either hacked his account and added the number or, worse, got into our global address list/directory. I've since verified both are clean.

    Does Siri query any databases on unknown numbers, like Yelp or some sort of business directory, where this could get pulled from?
  5. NoBoMac, May 4, 2019
    Last edited: May 4, 2019

    NoBoMac macrumors 68020

    Jul 1, 2014
    Does Siri query external databases? Not that I know of.

    Looking at the screen grab of the "contact", looking to me, seems more and more, using email text to start convo.

    The email address and real phone are showing up as "Siri found...", so, the info button does not appear to be pulling up the real contact the recipient might have in their phone (Siri is filling in the blanks, to be "helpful"; doing a "name like Mike xxxx" search).

    Not familiar with details on how you can do this with services and/or software, but there are ways to send a text with a name (basically a "from" field). Add in that some cell providers allow setting of caller ID information (I know Verizon allows this as I've configured a family member's account to have names on each of their lines of service).
