More Scans for SMS Gateways and APIs

    Published: 2025-04-29. Last Updated: 2025-04-29 15:25:05 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    Last week, I wrote about scans for Teltonika Networks SMS Gateways. Attackers are always looking for cheap (free) ways to send SMS messages and gain access to not-blocklisted numbers. So, I took a closer look at similar scans we have seen. 

    There are numerous ways to send SMS messages; using a hardware SMS gateway is probably one of the more fancy ways to do so. Most websites use messaging services. For example, we do see scans for SMS plugins for WordPress:

    These scans look for style sheet files (.css) that are part of the respective plugins. It is fair to assume that if the respective style sheet is present, the attacker will attempt to obtain access to the site:

    /wp-content/plugins/sms-alert/css/admin.css
    /wp-content/plugins/mediaburst-email-to-sms/css/clockwork.css
    /wp-content/plugins/verification-sms-targetsms/css/targetvr-style.css
    /wp-content/plugins/wp-sms/assets/css/admin-bar.css
    /wp-content/plugins/textme-sms-integration/css/textme.css
    /wp-content/plugins/sms-alert/css/admin.css
     

    We also got a few odd, maybe broken, scans like:

    /api/v1/livechat/sms-incoming/%%target%%/wp-content/themes/twentytwentyone/assets/css/print.css
    /api/v1/livechat/sms-incoming/%%target%%/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js
     

    The "%%target%%" part was likely supposed to be replaced with a directory name.

    And we have scans for some configuration files that may contain credentials for SMS services like:

    /twilio/.config/bin/aws/lib/.env
    /twilio-labs/configure-env
    /twillio_creds.php
    /twilio/.secrets
    /sms_config.json
    /sms/actuator/env
    /sms/env

    And many similar URLs.

    Scans also look for likely API endpoints used to send SMS messages. I am not sure if they are associated with a particular product or software:

    /sms/api/
    /api/v1/livechat/sms-incoming/twilio
    /sms.py
    /Sms_Bomber.exe

    SMS_bomber.exe is a script designed to send mass SMS messages [1]. The scans may attempt to identify copies left behind by other attackers.

    SMS_bomber also suggests the use of a proxy, and we have some scans that are looking for proxies to find websites used to send SMS:

    https://sms-activate.org
     

    Not properly securing SMS gateways or credentials used to connect to SMS services could result in significant costs if an attacker abuses the service. It may also make the phone number unusable, as telecom providers and end users will block it. This may also result in reputational damage, and you will likely have to use a different phone number after it has been abused.

     

    [1] https://github.com/iAditya-Nanda/SMS_Bomber

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    Keywords: sms
    0 comment(s)
    ISC Stormcast For Tuesday, April 29th, 2025 https://isc.sans.edu/podcastdetail/9428

      Comments

      Login here to join the discussion.


      Diary Archives