Phone numbers were never meant to be your identity. Now it's time to stop treating them that way.
New investigation reveals a trivial way to steal your messages.
As if we needed more proof that SMS text messages are the weakest link when it comes to securing your online accounts.
Phone numbers were already known to be prone to SIM-swapping attacks that let fraudsters hijack one-time codes; now a new investigation has shown that it is devastatingly simple to intercept and reroute a target's text messages for as little as $16.
And this involves no SIM-swapping trickery and no bribing of employees at mobile stores into porting a phone number to a SIM under an attacker's control.
Rather, security researcher "Lucky225" worked with Vice's Joseph Cox to intercept Cox's incoming text messages using an SMS marketing and mass-messaging tool from Sakari.
Sakari lets businesses import their own phone numbers so that they can send and receive SMS messages through the platform. In effect, it reroutes text messages addressed to a phone number to a different endpoint, a capability aimed primarily at companies that use SMS for customer contact or marketing.
The problem is that a malicious party can abuse the same number-import step by signing up with a victim's phone number, thereby receiving messages originally meant for the target. With that access in place, it is easy for an attacker to break into any online account that relies on SMS codes, once again highlighting how open the telecommunications infrastructure is to trivial exploitation.
Following the investigation, major U.S. carriers, including Verizon, T-Mobile, and AT&T, have "made a significant change to how SMS messages are routed to prevent hackers being able to easily reroute a target's texts."
Given how readily cybercriminals abuse such weaknesses in the mobile ecosystem to subvert the security of SMS-based communications and multi-factor authentication, it goes without saying that phone numbers can no longer be deemed a trustworthy means of identifying users.
The takeaway is to unlink phone numbers from online accounts wherever possible (sadly, banks still rely heavily on SMS), avoid SMS or phone calls for authentication, and instead use a physical security key or an authenticator app for one-time codes.
What’s Trending in Security
🇨🇳 Facebook disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices. [The Hacker News]
⚠️ Google Project Zero found evidence of an unnamed hacker group that exploited no fewer than 11 zero-day vulnerabilities in two campaigns nine months apart (one in February 2020, the other in October 2020), using compromised websites to pierce the built-in defenses of the platforms and infect fully patched devices running Windows, iOS, and Android.
"The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited," researcher Maddie Stone said.
While Google described the threat actor only as an "expert," a bombshell report from MIT Technology Review has since revealed that the campaign was in fact an active counterterrorism operation conducted by a U.S. ally. [Google Project Zero / MIT Technology Review]
💳 Carding Mafia, a forum for stealing and trading credit cards, was hacked, exposing the emails, usernames, and passwords of almost 300,000 user accounts. The development comes on the heels of a series of hacks targeting four Russian-language cybercrime forums since the start of the year. [Have I Been Pwned]
📑 Hackers are targeting U.S. taxpayers with documents that purport to contain tax-related content but instead infect their systems with the NetWire and Remcos remote access trojans, letting attackers take control of the victims' machines and steal sensitive information. [Cybereason]
💲 Researchers discovered more than 200 new fleeceware applications on the Apple App Store and the Google Play Store that have been downloaded approximately one billion times and accrued over $400 million in revenue to date. The apps were found to charge users extortionate subscription fees after enticing them with free trials. [Avast]
💰 Graham Ivan Clark, 18, the Florida teen accused of masterminding the hacks of several high-profile Twitter accounts last summer as part of a widespread cryptocurrency scam, pleaded guilty to fraud charges in exchange for a three-year prison sentence. [The Hacker News]
💵 WeLeakInfo, which sold access to over 12 billion stolen credentials before the FBI seized its domain, leaked the account and payment information of over 24,000 of its own customers. Some affected customers also said the credit cards they had on file were used to purchase NFTs costing thousands of dollars, which were then transferred to a hacker's account. [Krebs on Security]
🇻🇦 A Chinese cyberespionage group called Mustang Panda (or Red Delta) has shifted its operations from targeting Vatican officials and Catholic organizations to telecom providers across Asia, Europe, and the U.S., in a campaign designed to steal data pertaining to 5G technology. [McAfee]
🛡️ Three years after the Spectre attack was first disclosed, researchers at Google released a demonstration website that uses a JavaScript implementation of the attack to leak data at 1 kilobyte per second (kB/s) when running on Chrome 88 on an Intel Skylake CPU. [Google Security Blog]
🖼️ Bad actors constantly find new ways to evade detection and exfiltrate information without attracting attention. Magecart groups have now resorted to saving stolen credit card details in the form of .JPG files on the compromised websites. Separately, a security researcher found that it is possible to hide up to 3MB of data, such as ZIP archives and MP3 files, inside an image uploaded to Twitter. [Sucuri]
🔥 A major fire at a datacenter run by cloud giant OVH earlier this month brought down thousands of websites. It also took down infrastructure used in government-backed hacking operations: at least 36% of 140 OVH servers used by government hackers and sophisticated criminal groups such as APT39, Bahamut, and OceanLotus were affected. [Vice]
🇩🇪 Finnish officials formally pointed fingers at a group of Chinese state-sponsored hackers dubbed APT31 for a cyberattack that breached the Finnish Parliament's internal IT systems last year. In a related development, email accounts of multiple German Parliament members were targeted in a spear-phishing attack. German security agencies pinned the attack on a Russian military intelligence hacking group dubbed Ghostwriter. [Finnish Security Intelligence Service / Der Spiegel]
🚨 TikTok fixed multiple security vulnerabilities in its Android app that could be chained together to achieve remote code execution. [Sayed Abdelhafiz]
💬 China's Great Firewall has ensnared the encrypted messaging app Signal, which joins Facebook's WhatsApp and Telegram on the list of banned apps. [TechCrunch]
🗃 The past two weeks in data breaches, leaks, and ransomware: Chile's Comisión para el Mercado Financiero, CNA Financial, Flagstar, Honeywell, Line, Shell, and personal data of 6.5 million Israeli citizens.
$4.2 Billion
That's the amount victims reported losing to cybercrime and internet fraud in complaints filed with the FBI's Internet Crime Complaint Center (IC3) in 2020, up 20% from the $3.5 billion reported in 2019. According to the 2020 Internet Crime Report, the FBI received 791,790 internet and cybercrime complaints in 2020, 69% more than the 467,361 it received in 2019.
And that's it. See you next week!
-Ravie