2018-07-21

Mobile Phone SIM Swapping Fraud

Description of the Threat

As mobile numbers and SMS are increasingly used for two-factor authentication and one-time passwords, hackers try to get a target’s number ported to another SIM and so gain access to all of the target’s personal online services. In the USA, these scams have doubled over the years: 2013 (1038), 2016 (2658). Currently, this spear-phishing-type attack is spreading in Africa.

The generic attack vector is as follows:

 1. Hacker acquires the target’s usernames (on sale on different dark websites) for profitable accounts (Instagram, Bitcoin, online banking, etc.)
 2. Hacker collects other essential information about the target from public sources (mobile number, birthday, address, family members and their birthday information, etc.) or by going through the target’s trash bin (bank statements, bills, copies of passport, visa, ID cards, driving licenses)
 3. With the above information, the hacker:
  • Tries to break into the target’s mobile online service account and then swaps the number
  • Tries to deceive the mobile operator’s service personnel into swapping the number to a different SIM
  • Gets the target’s phone in his hands for a few minutes and orders the SIM swap
 4. Hacker swaps the mobile number from the target’s SIM card to another SIM card in his possession
 5. Hacker can reset the target’s account passwords using the mobile number as a recovery method

Some current online service providers treat the mobile number as an irrevocable credential and use it to authorise significant transactions, e.g., money transfers, online payments, and username and password changes.
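A service provider can watch for steps 4 and 5 of the sequence above instead of trusting the number unconditionally. The following is an added example, not part of the original article: it flags SMS-authorised sensitive actions that follow a SIM change within a look-back window. The log format, the event names and the 72-hour window are assumptions of this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumed look-back window after a SIM change
SENSITIVE = {"password_reset", "money_transfer", "username_change"}

# Constructed sample log: timestamp, user, event, channel (hypothetical format)
SAMPLE_EVENTS = """\
2018-07-01T09:00:00 alice sim_change operator
2018-07-01T09:40:00 alice password_reset sms
2018-07-02T10:00:00 bob password_reset sms
2018-06-01T08:00:00 carol sim_change operator
2018-07-03T12:00:00 carol password_reset sms
2018-07-04T12:00:00 dave sim_change operator
2018-07-04T13:00:00 dave password_reset email
2018-07-04T13:05:00 dave money_transfer sms
"""


def parse(log_text):
    """Yield (timestamp, user, event, channel) tuples from the log text."""
    for line in log_text.strip().splitlines():
        ts, user, event, channel = line.split()
        yield datetime.fromisoformat(ts), user, event, channel


def find_suspicious(log_text, window=WINDOW):
    """Return (user, event, minutes_since_sim_change) for each sensitive
    action authorised over SMS shortly after the user's SIM was changed."""
    last_swap = {}
    alerts = []
    for ts, user, event, channel in sorted(parse(log_text)):
        if event == "sim_change":
            last_swap[user] = ts
        elif event in SENSITIVE and channel == "sms":
            swapped = last_swap.get(user)
            if swapped is not None and ts - swapped <= window:
                minutes = int((ts - swapped).total_seconds() // 60)
                alerts.append((user, event, minutes))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Actions flagged this way can be held until the user confirms through a channel that does not depend on the phone number.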

Protection

Protection against the above kind of spear phishing may be achieved with the following measures:
  • Have all your essential devices protected by anti-virus, VPN and firewall.
  • Do not download any apps or open unfamiliar pages with the device you are using for essential online services.
  • Ensure that your session is with the original account pages and not with a proxied or man-in-the-middle copy.
  • Keep the personal information that is used to answer security questions out of public access.
  • Use strong passwords (> 12 characters, a sentence that makes sense to you, replace letters with numbers, symbols and capitals). Do not use variations of the same password in different accounts.
  • Harden your mobile phone management account. Most mobile operators provide stronger access management than just username and password.
  • Use other numbers (another mobile number, VoIP number) as trusted phone numbers in essential accounts.
  • Use other strong authentication methods (if the service provider has options).

References:
1. https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
2. https://www.fin24.com/Finweek/Featured/the-rise-of-sim-swap-fraud-20170906
3. https://www.techjaja.com/sim-card-swap-fraud-explained/
4. https://www.quora.com/How-do-I-avoid-SIM-Swap-Frauds
5. https://motherboard.vice.com/en_us/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks

Tailored Cyber Attack on Military Mobile Devices

Incident

Early in July 2018, Israeli security agencies announced that Hamas had installed spyware on Israeli soldiers’ smartphones to collect. About 100 Israelis fell victim to the attack, which came in the form of fake World Cup and online dating apps that had been uploaded to the Google Play Store, Google’s official app store.

Effect

Once the apps were installed on the victims’ phones, the highly invasive malware was then able to carry out the following malicious activities:

  • Record the user’s phone calls.
  • Take a picture when the user receives a call.
  • Steal the user’s contacts.
  • Steal the user’s SMS messages.
  • Steal all images and videos stored on the mobile device and information on where they were taken.
  • Capture the user’s GPS location.
  • Take random recordings of the user’s surroundings.
  • Steal files and photos from the mobile device’s storage.
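Each capability in the list above depends on Android permissions the app has to request, which gives a reviewer something to check before an app is allowed on a device. The following is an added example, not part of the original article or of the cited analysis: it reads a decoded AndroidManifest.xml and reports which of the listed capabilities the requested permissions would enable. The capability-to-permission mapping, the threshold and both sample manifests are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability from the list above -> permissions that together enable it.
# This mapping is the example's own assumption.
CAPABILITIES = {
    "record phone calls": {P + "RECORD_AUDIO", P + "READ_PHONE_STATE"},
    "photo on incoming call": {P + "CAMERA", P + "READ_PHONE_STATE"},
    "read contacts": {P + "READ_CONTACTS"},
    "read SMS": {P + "READ_SMS"},
    "read stored media and files": {P + "READ_EXTERNAL_STORAGE"},
    "GPS location": {P + "ACCESS_FINE_LOCATION"},
    "ambient recording": {P + "RECORD_AUDIO"},
}
THRESHOLD = 4  # assumed: this many capabilities in one app warrants manual review


def make_manifest(package, perms):
    """Build a minimal constructed manifest for the demonstration."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')


# Constructed samples: a "scores" app asking for far more than it needs,
# and one asking only for network access.
FAKE_SCORES_APP = make_manifest("com.example.cupscores", [
    "INTERNET", "RECORD_AUDIO", "READ_PHONE_STATE", "CAMERA", "READ_CONTACTS",
    "READ_SMS", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE"])
PLAIN_SCORES_APP = make_manifest("com.example.plainscores",
                                 ["INTERNET", "ACCESS_NETWORK_STATE"])


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def audit(manifest_xml):
    """Return (enabled capabilities, needs_review) for one manifest."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(c for c, need in CAPABILITIES.items() if need <= perms)
    return hits, len(hits) >= THRESHOLD


if __name__ == "__main__":
    for name, manifest in [("fake", FAKE_SCORES_APP), ("plain", PLAIN_SCORES_APP)]:
        print(name, audit(manifest))
```

A permission match only shows what an app could do, so a flagged app still needs review against its stated purpose.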


Pattern

This tactic has been used before:

  • In early 2017, the ViperRAT spyware targeted Israeli soldiers serving around the Gaza Strip, leveraging social engineering techniques to steal photos and audio files from their smartphones.
  • In March 2016, ‘SmeshApp’, a calling and messaging app on the Google Play Store, was allegedly used by Pakistan to spy on Indian military personnel.
  • Further, in 2016, a Russian APT group was suspected of using Android spyware to track Ukrainian field artillery units.


What to do for prevention


  1. Armed Forces can provide troops with particular mobile devices that are managed, secured and supported by an exclusive service provider.
  2. Soldiers’ personal mobile devices can be fitted with a dedicated security application that protects the devices from threats at device, application and network levels.
  3. Soldiers can be trained to be aware of this kind of spyware and to avoid installing it.
  4. Armed Forces may ban the use of smart devices on duty entirely.


References:
1. https://gbhackers.com/military-mobile-devices-spyware/
2. https://blog.checkpoint.com/2018/07/05/an-invasive-spyware-attack-on-military-mobile-devices/