back to article Spammers unleash DIY phone number slurping web tool

Mobile spammers have released a DIY phone number harvesting tool, but instead of advertising it solely on criminals-only online hangouts, they're trying to flog it out in the open. The availability of the utility turns the simple act of submitting a mobile number to a website something that might lead to the receipt of more …


This topic is closed for new posts.
  1. Valeyard

    sites that display your mobile number without the need for authentication

    do these exist? and if so, why have they any numbers to show?

    I can see it picking up lots of "who calls me" and random number site (type a mobile phone number a few digits off into google and people have just spammed results with every possible combination ever, presumably whether or not they're active)

    There'll be too much noise for anything meaningful I'd say

    1. Fred Flintstone Gold badge

      All you need to do is to tap into SMTP traffic and you'll get lots of phone numbers - everyone's signature.

      The MASSIVE problem with SMS is that it's the perfect captured audience - AFAIK there isn't a single phone on the market that allows you to disable it so the moment someone finds a route to send SMS withou it costing them anything all hell will break loose. This is where iOS has a disadvantage: it doesn't allow non-interactive access to SMS to block spammy Apps, but it also means it is not possible to build a filter for incoming traffic. AFAIK, with Android it is possible to cook up some filter.

      1. Jamie Jones Silver badge
        Thumb Up

        @Fred Flintstone

        Whilst most smtp traffic is sent unencrypted, how do you propose tapping into one of the backbone nets? Or rather, if someone did tap into one, they'd be looking for far greater things than mobile phone numbers.

        Alternatively, an employee of a company could sniff a local lan (assuming the switch had been flooded enough to work as a hub), or an ISP employee could sniff their customers data. But in both these cases, said staff would probably have access to this information via the internal directory / customer database.

        As for SMS, I guess you were referring to a way to disable all incoming SMS?

        Even my cheapo "Tesco Mobo" (£20 including some credit) allows blacklisting of specific numbers for voice or sms or both.

    2. Jamie Jones Silver badge
      Big Brother

      @Valeyard - re "sites that display your mobile number without the need for authentication"

      Do a "whois" on any of my domains, and you'll find my address and mobile number!

      1. Robert Carnegie Silver badge

        Re: whois

        These days, respectable whois providers use CAPTCHA or other means of increasing the labour required to obtain one phone number. And many domain registration services put in -their- contact details instead of yours. Presumably they pass on legitimate inquiries to the domain user?

        BBC News (on strike today incidentally) sometimes asks for a phone number with responses on its web site, in case you say something interesting and they get the urge to talk to you voicewise. But I presume that it's kept secure, not published, and it's optional. Not everyone has one, anyway!

  2. Anonymous Coward
    Anonymous Coward

    I wish I could make SMS pay me...

    Instead of paying to receive SMS(*), I want to make it so people have to pay ME to send me an SMS. If it's somebody I know, I can refund the money to them, but if I don't know them, cha-ching!

    And since, for many of the "free" SMS services (or PAYG cards with lots of SMS on them) the cost of paying me comes out of the carrier's pocket, it is likely the carriers will get their act together on preventing this sort of abuse.

    (*) Since we do SMS bass-ackwards here in the US, and the phone company either wants me to pay a monthly fee for "unlimited" text or pay per text received, with a PITA process to demand refunds for unwanted texts, and since I have an unlimited data plan and proper IM on my phone, I have SMS totally disabled, so my paying for SMS is hypothetical.

    1. Valeyard

      Re: I wish I could make SMS pay me...

      not likely, that's exactly how it works in the UK and it still happens

      paying to receive an SMS? Jesus.. only time that happens to me is if i get caught by the southern irish networks and have forgotten to switch off roaming

      1. Valeyard

        Re: I wish I could make SMS pay me...

        i mean in that the sender pays, not that you get paid

  3. The BigYin

    Woe betide them

    With regards unwanted cold calls/SMS...

    You call me - that's a criminal offence (all my numbers are registered with the TPS)

    You text me - that's a report to 7726 (SPAM)

    You call me from will pay...I have time to burn and it your phone bill.

    1. Fred Flintstone Gold badge

      Re: Woe betide them

      You call me from will pay...I have time to burn and it your phone bill.

      I have unlimited SMS in my package. What was your phone number again? :)

      I don't have this problem. Every time a website asks me for my number I give them the number of some official setup in their country such as an Information Commissioner. They won't be abusing that for long (evil grin).

  4. Anonymous Coward
    Anonymous Coward

    This is happening all the time...

    Voice over IP (IP telephony), bulk purchase of SMS at incredibly low rates, even a disposable phone with a few quids worth of credit could offer thousands or even unlimited texts, blah blah blah.

    The cost of the technology is essentially zero, an open source PBX, dialler, IVR (which could easily target a telco or bank, spoof the CLI and navigate their menu trees and elicit information - even failed calls may tell them something, side channel attack if you like - that could have financial value).

    Next time you call your phone provider or bank or utility company, just think about your experience through technology or people - I am sure that even a stupid person could easily think of exploits that those companies hadn't considered when they put their services together.

This topic is closed for new posts.