
Here's Why You Should Stop Using SMS Messaging

 

Cybersecurity is more critical than ever in today's digital world. However, one commonly employed but often missed area of weakness could be something you use every day. Since Nokia made the technology available to the public in 1993, Short Message Service, or SMS messaging, has been the major way people have texted. You might be surprised to hear that it's one of the riskiest methods of mobile communication given that it's typically included by default on most mobile devices. 

However, if you intend to stay safe and private, you should avoid using it. Here are five of the reasons why. 

Lacklustre end-to-end encryption

SMS is not encrypted from beginning to end. SMS messages, in reality, are frequently sent as plain text. This means that there are no safeguards in place and that anyone with the necessary knowledge can intercept an SMS. If your mobile provider employs encryption, it is most likely a poor and outdated method that is only used during transit. 

SMS relies on obsolete technology 

SMS technology is based on a set of signalling protocols known as Signalling System No. 7 (SS7), which was established in the 1970s. It is out of date and highly insecure, leaving it exposed to different forms of cyberattacks. As Ars Technica reported at the time, in 2017 a hacker gang used an SS7 security hole to circumvent two-factor authentication and drain people's bank accounts. Similar attacks have taken place several times over the years.

The government can read your SMS texts 

Why haven't the security flaws in SS7 been fixed? One probable explanation is that regulators are uninterested in doing so since governments all across the world eavesdrop on their citizens. Whether or not this is the true reason, it is undeniable that your government could read your SMS texts if it so desired. Law enforcement in the United States does not even require a warrant to examine correspondence older than 180 days. Congressional Representative Ted Lieu presented legislation to stop this in 2022, but it was unsuccessful.

Messages stored by your carrier 

SMS texts are saved by carriers for a set period of time (the length varies depending on the carrier). Metadata, which is information about the data itself, is kept much longer. Even if you aren't concerned about law enforcement reading your texts, you should be aware that your mobile provider can read them as well. While it is true that laws, regulations, and internal rules restrict mobile providers from spying on users, unauthorised access and breaches do occur.

SMS messages cannot be unsent

Unsending an SMS message is not possible. If the recipient receives it, it will remain on their phone indefinitely unless they delete it manually. It's one thing to send a terrible and embarrassing SMS, but what if the recipient's phone has been hacked or otherwise compromised? And what if you revealed personal information in an SMS that you should not have revealed? This is probably not a scenario you want to think about. 

Switch from SMS to a secure messaging app 

SMS should not be used by anyone who is concerned about their personal cybersecurity and wishes to safeguard their privacy. The difficulty is that it provides a level of ease that alternatives simply cannot equal, at least for the time being. However, in most cases, that is not a sufficient justification to employ it. 

Secure, end-to-end encrypted messaging apps outperform SMS in practically every other way. And, if you have no other choice, use SMS wisely. Do not share information that you would not want a third party to have access to, and remember to take additional security steps.

'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy



Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers got a sample of "Hermit" in April 2022, four months after a series of violently suppressed nationwide rallies against government policies.

According to Lookout, the Hermit spyware was most likely produced by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company.

RCS Lab, a well-known developer with previous interactions with governments such as Syria, operates in the same market as Pegasus creator NSO Group Technologies and Gamma Group, which invented FinFisher. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed.

The spyware is said to be spread by SMS messages that trick users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo. When launched, these apps load a website from the impersonated company while silently initiating the kill chain.

Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts. 

As per Lookout, the samples studied used a Kazakh-language website as a decoy, and the main command-and-control (C2) server used by this app was a proxy, with the true C2 being located on an IP from Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials," as per the researchers.

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.

Flubot Malware Targets Australians, Spreads Via SMS

 

Muddled SMS messages and phantom calls are hitting smartphones in a new wave of hoaxes throughout Australia, including one that claims to be a friend's voice message but delivers malware that can acquire the user's personal information. This latest SMS scam, called Flubot, has targeted thousands of Australians and aims to implant dangerous malware on their smartphones.

Although the messages can be received by iPhone users as well, Flubot is a sort of virus that targets Android users. It informs the receiver of a missed call or a fresh voicemail and gives the recipient a bogus link to listen to the voicemail. This link leads users to a website that imitates a legitimate brand, such as Telstra in Australia, whereas in Europe it was a packaging provider. This page asks users to install software on their phones to listen to the voice message.

If the user approves, the malware is then downloaded. If the application is granted the privileges it requests, the attacker gains access to payment card details and private information, can intercept SMS messages and access browser pages, and can collect additional information stored on the smartphone. The malware additionally allows the attacker to browse the user's contact list and potentially find new victims.

Manual solutions are available to eliminate the spyware, although Telstra has recommended that users factory-reset the device and restore it to a version from before the virus was implanted.

Flubot initially hit Europe earlier this year, before Australians started being inundated with it this month. The Australian Competition and Consumer Commission has informed The Guardian Australia that its Scamwatch service has gathered over 3700 reports of this exact fraud since the initial report on 04 August. Scamwatch got 413 daily reports on all frauds linked to SMS, including Flubot, from 4 to 17 August, compared to the 122 received from 01 July to 03 August.

Delia Rickard, deputy chair of the Australian Competition and Consumer Commission said, “It is flooding the country and it is a really dangerous one.” “We’ve just had one complaint about an instance where the person lost nearly $5000. It appears that the malware has created a fake Google Pay login screen, and the person logged in and then the money disappeared from their account afterward.” 

The end goal for fraudsters is cash or personal data, which may subsequently be auctioned on the dark web. Flubot is only one of several scams in circulation that have helped make the pandemic the best year yet for hackers and cyber thieves. Australians lost almost $850 million to cyber criminals last year, according to the ACCC.

Telstra’s deputy chief information security officer, Clive Reeves, said last week the company was “working with the security community to address this scam”. 

An Optus spokesman said that the business has started contacting impacted consumers. The telecom additionally recommended McAfee Wi-Fi Secure antivirus software to protect consumers connected to Wi-Fi networks.

A spokeswoman for TPG, which manages the Vodafone brand in Australia, said that last week the firm blocked over 14m scam SMS messages, including those from the Flubot scam. “As scammers constantly morph their tactics, we continually update our filters and mechanisms to catch new scams,” the spokesperson said.

For Just $16, Hackers May Steal User Data Via SMS Attack

 

Smartphone users are facing a new confidentiality and security risk: text messaging services are being misused to secretly divert users' text messages to hackers for only Rs 1,160 (nearly $16), allowing cybercriminals to take control of two-factor codes or SMS. The attack on SMS redirection firms is carried out in conjunction with workers from telecommunications companies.

New technological changes take place every day to fight hackers, counter every feasible threat, and protect user data and privacy. But a new attack has been witnessed recently that defeats the OTP protection used in online transactions. It allows hackers to redirect SMS messages sent to the victim's phone number to their own systems. To conduct the attack, hackers exploit business-oriented text messaging management services. These attacks are possible, at least in the United States, in part because of the failings of the telecommunications industry, which leaves hackers at ease.

"The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over target's phone numbers in order to harass them, drain their bank account, or otherwise tear through their digital lives," stated the report from Motherboard late on Monday, 15th of March. 

Joseph Cox, a reporter for Motherboard, was personally attacked and was not really aware of the attack on his cell phone number. The odd thing about the attack is that it is available to a hacker for a payment of just $16 (Rs. 1,160). In Cox's case, the company providing the service said that the attack had been resolved, but it has not been taken care of for several others. Besides, although some firms know about the attack, CTIA, the trade organization, is being blamed.

These services not only allow the attacker to intercept incoming texts but also allow them to reply. The SMS redirect attack is just one more hacking technique in frequent use: SIM swapping and SS7 attacks have already hit many users. What is interesting about such attacks, however, is that in a few instances the user learns about the exploit because the phone has no network.

To prevent this, it is better not to rely on SMS services. Users should use authenticator apps, or log in to their email account, to obtain OTPs, especially bank-related OTPs.

"It is better to use an app like Google Authenticator or Authy. Some password managers even have support for 2FA built-in, like 1Password or many of the other free managers we recommend," the report mentioned.