
SMS Phishing

Spencer McIntyre edited this page May 6, 2017 · 4 revisions

SMS Overview

King Phisher can be used to run basic SMS phishing campaigns in a manner similar to standard email campaigns. In order to conveniently send SMS messages without prior knowledge of the carrier, an external server must be used. For this purpose the Clockwork service can be used. At the time of this writing Clockwork charges 0.06 USD per SMS message sent.

Text messages sent through the Clockwork API will be sent from a 5 digit number.

Creating The Target List

After creating an account and adding the necessary funds to it, an API key needs to be generated. Once an API key has been created it is appended to the target phone numbers to create a standard King Phisher CSV target list. The country code needs to be prefixed to the number, without any + symbol.

Alice,Liddle,12345678900@YOURAPIKEY.clockworksms.com
Calie,Liddle,14327650098@YOURAPIKEY.clockworksms.com

Clockwork API Plugin

A Clockwork API plugin is available which, when enabled, will automatically convert phone numbers into email addresses suitable for use with the Clockwork API.

Creating The Email

Once the target list has been created an email can be crafted containing the desired text to send to the intended recipients via SMS. The Clockwork SMS email system extracts the SMS message contents from between #STARTSMS# and #ENDSMS# tags.

Users should take care to ensure that their message does not exceed the 160 characters allowed in an SMS message (including any variables that may be expanded). Should a message exceed the 160 characters allowed, the Clockwork API will split the text and send multiple SMS messages to the recipient.

The following is a basic email template that illustrates how the SMS message can be crafted.

<html>
<p>
#STARTSMS#<br />
Please visit {{ url.webserver }}
#ENDSMS#<br />
</p>
</html>

As with any other email template, standard message variables can be used. Additional information on the Clockwork Email to SMS interface is provided by their documentation.
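
The 160-character limit applies to the text after variables are expanded, so it is worth checking a template against the longest value a variable is expected to take. The following Python check is an added example, not part of King Phisher or of the original page. The function names are hypothetical, the regex-based `expand` stands in for the real template engine, the sample URLs are constructed, and counting the tag-stripped, whitespace-collapsed text is an assumption about how the gateway treats the message body.

```python
import html
import re

SMS_LIMIT = 160  # single-message limit stated on this page

def extract_sms(rendered_email):
    """Return the text between #STARTSMS# and #ENDSMS#, or None if the tags are missing."""
    match = re.search(r"#STARTSMS#(.*?)#ENDSMS#", rendered_email, re.DOTALL)
    if match is None:
        return None
    # Assumption: markup such as <br /> is not part of the SMS text.
    body = re.sub(r"<[^>]+>", " ", match.group(1))
    # Assumption: runs of whitespace and newlines count as a single space.
    return " ".join(html.unescape(body).split())

def expand(template, variables):
    """Stand-in for template rendering: replace {{ name }} with a sample value."""
    def repl(m):
        return variables[m.group(1)]  # KeyError flags a variable with no sample value
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", repl, template)

def check_template(template, variables):
    """Return (sms_text, length, fits) for the template with variables expanded."""
    sms = extract_sms(expand(template, variables))
    if sms is None:
        raise ValueError("template has no #STARTSMS# ... #ENDSMS# block")
    return sms, len(sms), len(sms) <= SMS_LIMIT

# The template shown on this page.
TEMPLATE = """<html>
<p>
#STARTSMS#<br />
Please visit {{ url.webserver }}
#ENDSMS#<br />
</p>
</html>"""

if __name__ == "__main__":
    # Constructed sample values: one short URL, one long enough to exceed the limit.
    short = {"url.webserver": "http://example.test/a"}
    long_ = {"url.webserver": "http://example.test/" + "x" * 150}
    for sample in (short, long_):
        sms, length, fits = check_template(TEMPLATE, sample)
        print(length, "ok" if fits else "would be split into multiple SMS messages")
```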
