Tag Archives: phishing

Attackers intercept SMS/text messages to drain bank accounts

In early May this year the German newspaper Süddeutsche Zeitung detailed the first documented case where cybercriminals exploited known SS7 (Signalling System No. 7) (defined) (PDF) vulnerabilities for their own profit (the attack took place in January 2017).

How did this incident take place?

According to the German newspaper, the attackers first obtained the victims’ credentials for their bank accounts (by phishing (defined) emails), then used the SS7 flaws to hijack their phone numbers and receive the transaction confirmation code, sent within a text message (an SMS (defined) message), on a mobile phone in use by the attackers. This allowed the attackers to steal the users’ mobile transaction authentication numbers (mTANs) and thereby withdraw money from their victims’ accounts.

Currently, carrying out such attacks requires specialized hardware and special codes to interact with other telephony providers. Buying such equipment and the codes isn’t as hard as you might believe, and an SS7 hacking rig could cost an attacker a few hundred to a thousand dollars, well below the money they stand to make.

Why should this vulnerability be considered important?

The SS7 (Signalling System No. 7) protocol was developed in the 1980s and is a telephony signalling protocol, used to route calls between different telephony providers.

The protocol has no built-in security features, and its flaws became widely known after talks at the Chaos Communication Congress meetings held in 2010 and 2014. In these two talks, German security researcher Tobias Engel (joined by Karsten Nohl in 2014) showed how a determined actor could locate and track any person on the planet via SS7, and even manipulate their communications by taking over their phone number.

Moreover, in April 2016 the issues surrounding SS7 came back into the limelight when a CBS reporter, with the help of the above-mentioned German security researcher (Karsten Nohl), used the same flaws to track US House of Representatives member Ted Lieu’s whereabouts (with his consent). Indeed, both US Senator Ron Wyden and Representative Lieu have previously called for the FCC to at least look into strengthening the security of SS7. They also wrote an open letter (PDF) to Homeland Security Secretary John Kelly.

Just one month later (May 2016), security firm Positive Technologies showed how, using another technique, an attacker could hijack a person’s phone number and receive messages intended for someone else’s WhatsApp and Telegram accounts.

How can I protect myself from these vulnerabilities?

Before focusing on the vulnerabilities within SS7, let us first review how the attackers emptied victims’ bank accounts:

They first obtained their victims’ banking details via phishing emails. Tips to avoid being affected by such emails are provided here.

Following this incident, the affected German mobile network operator made it impossible for call forwarding to be set up by other organizations that have access to the mobile operator’s network. Other German mobile network operators have implemented this change as well. This should mitigate a similar attack occurring in the future for these mobile operators; all other mobile operators should deploy similar mitigations. Further recommendations to mobile operators, e.g. the use of a signalling firewall, are provided in this news article. As that article mentions, the successor of SS7, namely Diameter, will take time to migrate to and unfortunately suffers from some of the same vulnerabilities.

In 2016 the US National Institute of Standards and Technology (NIST) began recommending against the use of SMS messages for two-factor or two-step verification (differences between 2FA and 2SV). Instead they suggest the use of tokens (most likely hardware tokens) and cryptographic authenticators (and perhaps, at a later time, biometric authentication (defined)). They also encourage software vendors to check for the presence of a VoIP connection (Voice over IP, defined), since some VoIP services allow the hijacking of SMS messages.

At this time, the use of software authenticators such as the Google and Microsoft authenticators and RSA’s SecurID app is increasing, which favours the eventual phase-out of SMS messages. Biometrics (perhaps making use of Windows Hello) or USB tokens such as the YubiKey are further alternatives.

Advice for consumers/end-users:

The news article linked above also contains advice (in its final three paragraphs) which you may find useful.

Thank you.

Punycode makes phishing harder to detect

In mid-April, security researcher Xudong Zheng publicly disclosed (defined) and provided a demonstration of a security vulnerability within popular web browsers, e.g. Google Chrome, Mozilla Firefox and Opera, which may be used in phishing (defined) attacks.

Why should this vulnerability be considered important?

This vulnerability is not the first of its kind; e.g. a similar vulnerability exists in how the DNS protocol resolves device hostnames (defined) (which, when combined with Service Discovery (SD), provides the capability of network resource distribution beyond the reach of multicast, normally limited by the MAC bridge).
However, this vulnerability has the potential to allow an attacker to lead you into clicking a legitimate-looking link which may lead to an unexpected website (which an attacker can populate with content of their choice). This may happen since an attacker can send you a highly targeted email (i.e. spear phishing) which you may be expecting, so that you inadvertently click an undesired link or enter login details into a legitimate-looking website (following a link from such an email).

Mr. Zheng demonstrates how this vulnerability exploits the way web browsers display domain names written in non-Latin letters. For example, he registered the domain xn--80ak6aa92e.com, whose name is made up of Cyrillic letters that look identical to the Latin letters of apple.com; when visited, the website of xn--80ak6aa92e.com is shown, but your web browser’s address bar will still display apple.com. This occurs because the non-Latin letters of a domain name are encoded into Latin (ASCII) characters using Punycode (a recognized standard of the Internet Engineering Task Force), and the browser converts them back for display.
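To make the mechanism concrete, here is an added Python example (not Mr. Zheng’s code, nor any browser’s) that decodes the Punycode form of each label back to Unicode with the standard library’s RFC 3492 codec and applies a simplified version of the check browsers adopted in response: a label is flagged when it mixes scripts, or when every letter is Cyrillic and each has a Latin look-alike (a "whole-script confusable"). The confusable table is a small hand-built subset, and the hostnames in the usage are constructed test inputs.

```python
"""IDN homograph check: decode Punycode labels and flag look-alike hostnames.
Added example; the confusable table is a constructed subset for illustration."""
import unicodedata

# Hand-built subset of Cyrillic letters that are visually indistinguishable
# from Latin letters in common fonts (not Unicode's full confusables list).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}


def to_unicode_label(label: str) -> str:
    """Turn an A-label such as 'xn--80ak6aa92e' into its U-label using the
    RFC 3492 'punycode' codec. Labels without 'xn--' are returned as-is."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Approximate a letter's script from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Non-letters count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyse_label(label: str) -> dict:
    ulabel = to_unicode_label(label)
    scripts = {script_of(c) for c in ulabel} - {"COMMON"}
    # Whole-script confusable: every letter is Cyrillic and each one has a
    # Latin twin, so the label renders as a plausible Latin name.
    confusable = scripts == {"CYRILLIC"} and all(
        c in CYRILLIC_TO_LATIN for c in ulabel if c.isalpha()
    )
    lookalike = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in ulabel) if confusable else None
    return {
        "label": label,
        "unicode": ulabel,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "whole_script_confusable": confusable,
        "latin_lookalike": lookalike,
    }


def check_hostname(hostname: str) -> dict:
    """Analyse each label; the hostname is risky if any label mixes scripts
    or is a whole-script confusable. 'looks_like' is the Latin name a user
    would believe they are visiting."""
    labels = [analyse_label(part) for part in hostname.split(".")]
    risky = any(l["mixed_script"] or l["whole_script_confusable"] for l in labels)
    looks_like = ".".join(l["latin_lookalike"] or l["unicode"] for l in labels)
    return {"hostname": hostname, "labels": labels, "risky": risky, "looks_like": looks_like}


if __name__ == "__main__":
    # Constructed inputs: Zheng's demonstration domain, a legitimate German
    # IDN (münchen) and a plain ASCII name.
    for host in ("xn--80ak6aa92e.com", "xn--mnchen-3ya.de", "example.com"):
        r = check_hostname(host)
        print(f"{host:22} -> {r['looks_like']:14} risky={r['risky']}")
```

Note that a legitimate IDN such as münchen passes: it is Latin script with one accented letter, which is why browsers fall back to showing the raw xn-- form only for mixed-script or confusable labels rather than for every non-ASCII name.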

How can I protect myself from this vulnerability?

While the conventional advice of hovering over any link before clicking to view its actual destination is not redundant, it is now significantly less useful.

If you use a password manager which works with your web browser, it will not enter your username/password into a look-alike website, since it matches on the actual (Punycode) domain name rather than on the name displayed. For example, your Apple credentials would not be entered into xn--80ak6aa92e.com

Google has addressed this vulnerability with the release of Chrome version 58. Opera has also resolved this issue. Mozilla is currently considering the best means to resolve this vulnerability (Firefox 53 mistakenly shows apple.com). In the meantime, Mozilla Firefox users can use the steps mentioned at the end of this news article to mitigate this issue.

For any website important to you, please manually type its address into your web browser’s address bar to visit the legitimate website. Using encrypted connections where possible is encouraged, e.g. https://twitter.com or https://mail.google.com

Thank you.