Using USB Modems to Phish and Send Malicious SMS Messages

Some USB modems can be leveraged to send malicious SMS messages and carry out spear-phishing attacks – sometimes in conjunction with each other – thanks to a cross site request forgery vulnerability present in the device’s web interfaces.

Some USB modems can be leveraged to send malicious SMS messages and even carry out spear-phishing attacks – sometimes in conjunction with each other – thanks to a cross-site request forgery vulnerability present in the device’s web interfaces.

According to Swedish security researcher Andreas Lindh, who wrote about his findings on 3VILDATA, an information security blog he shares with a fellow Swede, the problem is present in 3G and 4G modems that plug into machines and connect to the Internet through a built-in SIM card.

Lindh claims he hasn’t had time to notify the vendor yet so has held off on naming the specific USB modem used in his exploit but does claim it’s a “high-end one” that is “quite expensive” and “mostly used by corporate custumers.”

The web interface of the USB modem in question allows for configuration. Lindh notes that he can set a PIN, change it, enable it, re-enable it, add a profile, etc. The CSRF vulnerability he found also grants him the ability to send text messages through the modem, using its Web interface, to any phone number. This is done by getting the user to go to a website under his control that he can easily obfuscate the URL.

The vulnerability lets Lindh edit the HTTP POST request method without having to worry about bypassing authentication because there isn’t any–the functionality doesn’t exist.

In the code Lindh posted, the International Mobile Subscriber Identity (IMSI) – or phone number – is blacked out but the msg_content parameter, the function Lindh realized he could supply with text message content and send to users, can be seen:


Lindh slotted some Javascript in the parameter and it replied with a valid value, demonstrating that if an attacker wanted to send text messages using a pricey service under their control, it’d be possible.

Lindh also realized that he could employ the same exploit in a phishing attack.

Using a data URI scheme, Lindh was able to put together a fake Facebook login site. Data URI schemes, supported on most browsers (Chrome, Firefox, Safari, etc.) basically give web developers a way to create the illusion of a legitimate web site; the site data is displayed inline as if it’s coming from external sources but it’s not. Lindh’s scheme has all of its HTML loaded into the address bar – in this case the fake Facebook mockup – and doesn’t have to rely on being attached to a domain or hosted on a server.


Lindh then rigged a way for the fake site to steal user credentials from the log-in form fields after they’re entered and have that information passed along to him in a text message.

To test his exploit he obscured the fake Facebook site’s long URL with TinyURL and sent it along to dummy email account. From there, after clicking through and logging in, the login information was sent to his phone via the modem SMS vulnerability.

Lindh notes in the blogpost that it’s an “attack completely without infrastructure requirements; no web server to host the spoofed website, no server to post the stolen credentials to,” writing that all that’s needed is an “email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”

Lindh acknowledges to get the trick to really work, it’d have to be a highly targeted attack but insists it may not be “as unlikely as it may seem at first.”

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • Campbell on

    Am I correct in understanding that a CSRF can be packed into a URI and once executed, will run a fake page with any address as if it were local? The recommendations on the researchers site seem to be legitimate, but have they been verified ?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.