
Hijacking accounts "wholesale" by gaining access to a mobile operator's self-service account

Today, just a few hours ago, I ran into a fraud scheme that was new to me: an attempt to gain access to the personal (self-service) account of my mobile operator.

Upd: Nevertheless, the word "new" has been removed from the title; thanks for the criticism. Answers to the main points of criticism are placed at the end so that there is no need to read the comments.

A quick search online, as well as a survey of IT acquaintances, showed that none of them had yet seen this method in use. The lack of publicity, together with the fact that the full set of threats arising from such access is not obvious to ordinary users, makes it more dangerous.
Attention! This post was written to warn the community about a possible danger and a form of fraud. Repeating the actions described in the article against any accounts other than your own entails liability under the legislation of the Russian Federation.
The main purpose of this article is to quickly acquaint a wide range of specialists and ordinary people with a new way to hijack accounts on services where login or recovery is done via a phone number. It would also be useful to start a discussion of this method and its variations in the experienced community and spread the information more widely. Therefore I will be brief and do not claim a comprehensive analysis; rather, I want to describe a specific case and sketch possible variations of it in broad strokes.

Description of the method


  1. Through a hacked VK account (or any other social network or messenger), an "old friend" (the attacker) contacts the victim and describes a "phone unavailable" problem.
  2. He asks for "help logging in somewhere" by receiving an SMS code; for this he asks the victim to send him the code or a screenshot.
  3. The victim receives an SMS with a one-time confirmation code for access to MTS services.
  4. The victim complies with the request and thereby hands over access to their MTS personal account.

Example of real correspondence:



Naturally, I did not send the code to anyone; I stalled the attacker with requests like "send it again, the SMS isn't arriving" while I called my friend and asked him to change the password immediately and take action. Unfortunately, it was not possible to find out exactly how many victims there were through him, since the hacked person had not planned to log in to VK at all, but immediately changed the password and went back to work; but to my question "How many people got caught?" the answer was "plenty!".

Preliminary analysis of the threats and how "scary" they are perceived to be


A brief survey of 9 ordinary users showed the following.


The threats from someone gaining access to the personal account were named as follows:

  1. "They can debit money from the phone account",
  2. "They can connect paid services or mailings",
  3. "They can debit money from the auto-top-up card",
  4. "They can transfer money to another phone",
  5. "They can set up call forwarding and commit fraud",
  6. "They can set up SMS forwarding and hijack accounts on other services."

Points 1 and 2 are obvious to everyone; 3 and 4 were not obvious to the respondents but are obvious to more experienced users; points 5 and 6 are obvious only to the most experienced. Only two people knew that the MTS personal account contains an entire payment gateway, and nobody knew about possibility #7: sending money directly from the MTS account to any bank card. I discovered it while examining the MTS personal account in search of ways to exploit the access gained.

Test exploitation of the stolen access in the MTS personal account


For verification, I took a second number and, using this scheme, fairly quickly logged into the MTS personal account and set up call forwarding.

MTS notifies the victim's old number about this:


After that, the victim's phone goes quiet and everything goes to the new number.

NB: Setting up voice call forwarding does not trigger any notification from MTS at all, and it should.

Then, using only the new phone, I successfully:


When I tried to restore access to my main Internet banks (the red, green and yellow ones), I ran into the need to provide additional information, such as passwords, and for recovery, account and card numbers. This complicates the process a little, or rather slows it down, because if the victim ever sent these details even once, they are easy to find in the message history, since the messenger and its history have already been stolen.

So I also successfully logged into one of the banks and sent a Card2Card transfer. The amounts were small and the bank asked no questions, but earlier, with larger amounts, I was never asked for anything more complicated than my personal data.

Thus, I assess the risk of financial loss as extremely high, and a major financial loss as quite real; in my case the task was made easier by finding the details in the correspondence, but I don't think I am the only one in that situation.

I will conclude this "letter to the editor" with a wish for vigilance to you and your loved ones.

Upd 02/14/19: answers to questions and criticism in the comments


The most common complaint from commenters concerned the title:
Where is the new way? I justified it in the very first sentence, but not sufficiently; a more accurate word would be "uncommon" or "little known", but I removed the word altogether. The relative novelty lies not in a direct request for money, but in a request that is "non-financial in nature" and has no obvious direct connection to financial loss. This is objectively rare; usually they simply ask for a loan, but I would be glad to see real statistics. Thanks for understanding to the Habr users who answered the same way in the comments below.

And what does "wholesale" theft mean? Indeed, I did not explain; my fault, correcting. "Wholesale", in quotation marks, means that the same phone can be the "second factor" of two-factor authentication on many services at once, and obtaining such access can lead to losing control of several accounts at once, as well as to other losses. I could not come up with a better word, but the point is that one key opens not one obvious door but several, and it is unknown which ones.

Another popular motive for outrage:
Ordinary social engineering! Why is it on Habr? True, but "social engineering" is a very broad term that says nothing specific. However, it is possible to build a system so that simple fraud schemes against users do not work; fraud schemes are all different, and any IT or security specialist should be aware that forwarding may have been enabled illegitimately. Hence, on Habr.

Examples:
- are we adding the option to listen to a captcha or a code via an automated voice call?
- have we left a virtual number on the SMS gateway for confirmation messages?
We take into account that "zombies" can be introduced into the system. This is not always obvious. Perhaps after such a recovery of access it really is necessary to restrict the account's rights, or to ask clarifying questions when restoring access.

- do we send any confidential information by SMS or automated voice call?
There is a risk of disclosing it to attackers or, for example, of being held liable under Federal Law 152 (the personal data law) for "Ivan Ivanovich, you have a debt on your loan of such-and-such rubles."

- an employee complains that he is not receiving SMS from the corporate portal?
We do not brush him off, but investigate the situation; perhaps his SMS are going "elsewhere".
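The design points above (a code that is asked for "to log in somewhere" should not unlock a money transfer, an account that was just recovered by SMS should get restricted rights, and the "send it again, the SMS isn't arriving" pattern is worth noticing) can be turned into a small policy module. The following is an added example written for this page; it is not MTS code and not part of the original post. The class names, the limits (code TTL, attempt and re-send limits, the 24-hour post-recovery cooldown), the list of high-risk actions and the in-memory "SMS gateway" are all assumptions chosen for illustration.

```python
"""Hypothetical OTP issuance/verification policy (added example, not an operator's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_TTL = 120                 # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 3               # wrong guesses before the code is burnt (assumption)
RESEND_WINDOW = 600            # seconds; more than RESEND_LIMIT sends in it -> flag (assumption)
RESEND_LIMIT = 3
RECOVERY_COOLDOWN = 24 * 3600  # high-risk actions need a non-SMS factor this long after recovery
HIGH_RISK = {"transfer_to_card", "set_call_forwarding", "set_sms_forwarding"}


@dataclass
class Challenge:
    action: str
    digest: str      # HMAC over phone|action|code, so a code is bound to one action
    issued: float
    attempts: int = 0


@dataclass
class Account:
    phone: str
    challenges: Dict[str, Challenge] = field(default_factory=dict)
    sends: List[float] = field(default_factory=list)   # timestamps of codes sent
    recovered_at: Optional[float] = None               # last SMS-based access recovery
    flagged: bool = False                              # re-send burst seen; needs manual review


class FakeClock:
    """Controllable clock so the scenario runs offline and deterministically."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class OtpService:
    def __init__(self, server_key: bytes, clock=time.time):
        self.key = server_key
        self.clock = clock
        self.sms_log: List[tuple] = []   # (phone, text); stands in for the SMS gateway

    def _digest(self, phone: str, action: str, code: str) -> str:
        msg = f"{phone}|{action}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_code(self, acct: Account, action: str) -> str:
        now = self.clock()
        acct.sends = [t for t in acct.sends if now - t < RESEND_WINDOW]
        acct.sends.append(now)
        if len(acct.sends) > RESEND_LIMIT:
            acct.flagged = True   # the "send it again" stalling pattern from the post
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.challenges[action] = Challenge(action, self._digest(acct.phone, action, code), now)
        # Name the action in the message so a forwarded code shows what it would unlock.
        self.sms_log.append((acct.phone, f"Code {code} to {action.replace('_', ' ')}. Never share it."))
        return code

    def verify(self, acct: Account, action: str, code: str) -> bool:
        ch = acct.challenges.get(action)
        now = self.clock()
        if ch is None or now - ch.issued > CODE_TTL:
            return False                    # no challenge for this action, or expired
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del acct.challenges[action]     # burn the code instead of allowing guessing
            return False
        ok = hmac.compare_digest(ch.digest, self._digest(acct.phone, action, code))
        if ok:
            del acct.challenges[action]     # one-time: no replay
            if action == "recover_access":
                acct.recovered_at = now
        return ok

    def authorize(self, acct: Account, action: str, second_factor_ok: bool = False) -> bool:
        """Policy gate: a freshly recovered account gets restricted rights for a cooldown."""
        if acct.flagged:
            return False
        if action in HIGH_RISK and acct.recovered_at is not None \
                and self.clock() - acct.recovered_at < RECOVERY_COOLDOWN:
            return second_factor_ok         # e.g. a call back, app PIN, or an office visit
        return True


def demo() -> Dict[str, bool]:
    """Replay the attacker's path from the post against this policy; returns the decisions."""
    clock = FakeClock()
    svc = OtpService(b"server-secret-key-example", clock)   # constructed key, not real
    victim = Account(phone="+79990000000")                   # constructed number
    out: Dict[str, bool] = {}
    code = svc.request_code(victim, "recover_access")
    svc.request_code(victim, "transfer_to_card")
    out["code_bound_to_action"] = svc.verify(victim, "transfer_to_card", code) is False
    out["recover_ok"] = svc.verify(victim, "recover_access", code)
    out["replay_blocked"] = svc.verify(victim, "recover_access", code) is False
    out["transfer_after_recovery"] = svc.authorize(victim, "transfer_to_card")
    out["forwarding_after_recovery"] = svc.authorize(victim, "set_call_forwarding")
    out["balance_after_recovery"] = svc.authorize(victim, "view_balance")
    out["transfer_with_second_factor"] = svc.authorize(victim, "transfer_to_card", True)
    stale = svc.request_code(victim, "set_sms_forwarding")
    clock.advance(CODE_TTL + 1)
    out["expired_code_rejected"] = svc.verify(victim, "set_sms_forwarding", stale) is False
    clock.advance(RECOVERY_COOLDOWN + 1)
    out["transfer_after_cooldown"] = svc.authorize(victim, "transfer_to_card")
    other = Account(phone="+79990000001")                    # constructed number
    for _ in range(RESEND_LIMIT + 1):
        svc.request_code(other, "recover_access")
    out["resend_flagged"] = other.flagged and not svc.authorize(other, "view_balance")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices matter here. The HMAC includes the action name, so the code the "old friend" talks the victim into forwarding "to log in somewhere" cannot be replayed by the attacker to confirm a card transfer or forwarding change, and the SMS text names that action so the victim can see what they are giving away. And `authorize` treats SMS-based recovery as a weak event: for the cooldown period, the operations the post singles out (transfer to card, call and SMS forwarding) require something other than the same phone, which is exactly the "restrict rights or ask clarifying questions after recovery" point above.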

In addition, if at least a dozen people once again remind their friends and family of rules like "any transfers or codes only after a personal phone call, even if it is not about money at all", then I did not write this for nothing.

Special thanks to trublast for habr.com/ru/post/436774/#comment_19638396 and tcapb1 for habr.com/ru/post/436774/#comment_19637462 , who understood and developed my thoughts and brought up possible threats and options.

Finally, I will add an answer to comments like "By my estimate, people with that level of gullibility have had nothing left to steal for a long time."

Quite right, there is usually nothing to steal, and this is another important feature that information systems, security protocols and authorization policies must take into account. The point is that many people try to be good and kind and help each other; they lose their own money, but they also work in enterprises. If someone's computer is acting up and they urgently need to send a letter, they will be let in, even though they have a completely different level of access.

The average IT person is still fairly paranoid, has a high level of abstract thinking, is able to quickly build chains of reasoning and estimate probabilities, and has heard of various deception schemes. The average person is completely different: he needs to solve his work issues as easily and quickly as possible, to help himself and a friend, and then he will help you. Any loader, electrician, courier or manager, people not in constant contact with information security issues, may have access to very private data or expensive goods and have absolutely no idea what they could damage, what the level of risk is, or what the potential harm would cost. And even if they are found guilty of a loss of millions, there is, in general, nothing to take from them. Therefore, I think it is the IT people who need to keep in mind all the potential vulnerabilities of every "Ivan Ivanovich" and take them into account in the design and maintenance of enterprise information systems, and also to inform their own acquaintances.

Source: https://habr.com/ru/post/436774/