Can I determine actual origin of spoofed text message?
Can I determine the actual sender of a spoofed text message? I received a text message yesterday that appeared to come from one of my contacts, but he did not send it. I contacted my carrier (Verizon) and they said that because the sender used third party software, they couldn't tell me where it originated. But they did say that the sender had to enter both of our numbers into the software, so we were targeted specifically. We have a rental business and have been threatened recently over evictions we're doing. I'm concerned for security reasons.
Your carrier is definitely able to tell who sent the text, as the sender's carrier's servers obviously connected to your carrier's ones to deliver the message and everything was logged.
They just don't want to go through the effort of diving into log files which would require paying for engineer time because the people who work at their customer service are only trained to sell stuff and don't even know what is a "spoofed SMS" (the incorrect explanation they told you proves it, no matter what software sent the message they should still have a log of where the message came from, whether it's their network or some other carrier).
Your friend should take legal action for identity theft, then the police will force your carrier to disclose any info they have about that SMS, including the origin carrier, from there they contact that carrier and they should be able to give them the identity of the person who sent the text (or at least, some possibly anonymous IP if it's an SMS API provider, but it's still worth a try).
The caller ID or SMS sender is just a string field without any particular meaning, while you can't spoof that using your mobile plan because your carrier always puts your number in that field on their side, you can definitely spoof it if you are a carrier yourself and have direct connections to other carriers, in which case you can pretty much put anything in there and your call/SMS will be delivered just fine with that (spoofed) caller ID/sender. Most SMS APIs offer that as a service so companies can send marketing messages originating from "company name" instead of a phone number, but of course the actual sender is logged on their servers for obvious purposes.
I don't think this is necessarily true. There are several mobile applications that send texts over Wifi. Once its out on the internet, it could really go anywhere before hitting the destination.
Worth adding: Your carrier can tell you more, but there's probably *no point*. You wouldn't normally use a phone to send a spoofed SMS, because it's easier to edit the message with a computer. This means it will likely trace back to some random machine that sends thousands of SMSs a day, and you'd then have to get info from that provider too. When you need that much info on an attack, you are likely to hit at least one person who doesn't move for anything less than a supoena.
@raz the apps you're talking about are the same as the SMS APIs I mentioned, they keep a log of all sent messages and their origin IPs (sure that can be defeated by Tor) but Verizon would at least tell "the SMS came from "that SMS API company", contact them to get the actual IP of the user who used their app to send it".
@raz - The carrier might not know the exact sender, but they will know more. Essentially, they know where to look next, but the whole thing could go on a bit!
@Owen there is point, an user should have the right to know from where a message came from. While the sending carrier may not give out the identity of the user for privacy reasons, Verizon has no benefit from hiding what carrier sent the message, it's just laziness and incompetence.
@AndréDaniel, yeah, granted there's a point, what I'm getting at is the possibility of this just being a series of rabbit holes to dive into. If the sender turns out to CBFSMS.com or something, then you need to ask them, then you get an IP, and need to ask the ISP. Realistically, each one of them is going to try to tell you to stick it, so it may be a fruitless endeavour!
@AndréDaniel In the US anyway, without a court order that SMS API company is under no obligation to divulge private information of their users. And if any anonymous service was used it would be pointless anyway.
@Owen sure there is no way to get the identity of the sender from the SMS API company (and it's fine like that), but at least VZ should tell you whether the message came from a mobile carrier or some SMS API.