Showing posts with label SS7 Hack.

The Dark Web's SS7 Exploit Service Providers are Bogus


Back in 2016, cybersecurity experts warned about flaws in Signalling System No. 7 (SS7), and just a year later theoretical SS7 attacks turned into real ones.

In the following years, government-sponsored attackers exploited SS7 flaws to monitor people abroad. Beyond that, threat actors used them to hijack Telegram login credentials and email accounts.

Apart from SMS abuse, SS7 security flaws can be used for a variety of purposes, including:

  • Monitoring and forwarding phone calls
  • Sending or intercepting 2FA codes
  • Locating devices
  • SMS forgery

To obtain accurate data and reports, SOS Intelligence security analysts decided to survey every SS7 exploitation service offered on the darknet and assess whether each one actually worked or was simply fake.

They evaluated 84 distinct onion domains claiming to provide SS7 exploitation services, narrowed the findings down to make them more specific and visible, and highlighted four services that still appeared to be functioning.

Those four services were SS7 Exploiter, SS7 ONLINE Exploiter, SS7 Hack, and Dark Fox Market. After reviewing the network topology data for these websites, the analysts found that many of the domains were fairly obscure and had few inbound links.

That is generally not a good sign for a website's reliability and credibility, and taken together these factors indicate recently founded fake platforms.

The SS7 Hack website in particular appears to be a hoax, as it seems to be cloned from a clearnet page published in 2021. The analysts' attempt to use the site's advertised set of SS7 flaws to build API mirroring capabilities was also unsuccessful, and the service was later blocked.

Furthermore, the investigation found that in 2016 a Russian-speaking individual had posted demo videos on YouTube about the services offered by the Dark Fox Market site, which charges $180 per targeted phone number.

The most intriguing aspect of this case is that all of the demo videos had been copied from YouTube and had no relation to the Dark Fox Market portal. Finding a legitimate offering would require digging much deeper, as the majority of these websites are rife with fraud and scams.

Group-IB reported attempts to hack Telegram of Russian entrepreneurs


Group-IB, a company specializing in cybercrime investigation, reported that attackers attempted to hack Telegram messenger correspondence, with Russian entrepreneurs as the targets of the cyberattacks.

As the experts explained, at the end of 2019 several Russian entrepreneurs approached them for help after unknown persons gained unauthorized access to their correspondence in the Telegram messenger.

The incidents occurred on both iOS and Android, regardless of the carrier used. Group-IB believes the attackers were able to view and copy the activation codes from the SMS messages that Telegram sends when an account is activated on a new device.

Technically, the attack could have been carried out using a vulnerability in the SS7 protocol. However, attacks on SS7 are rare.

“It is much more difficult to implement such an attack; it requires certain qualifications in the field of data transmission networks and their protocols,” explained Kaspersky Lab’s antivirus expert Viktor Chebyshev.

“The attack began when a message was sent to the Telegram messenger from the Telegram service channel (this is the official messenger channel with a blue verification tick) with a confirmation code that the user did not request. After that, an SMS with an activation code was sent to the victim’s smartphone, and almost immediately a notification came to the Telegram service channel that the account was logged in from a new device,” reported Group-IB.

The accounts were reportedly accessed over the mobile Internet, and the attackers' IP address was most often located in the city of Samara.

It is assumed that the attackers used disposable SIM cards. They deliberately triggered the SMS containing the code, intercepted it, and logged in to Telegram. Access to hacking tools could be bought on the darknet starting from 100 thousand rubles ($1,565).

The company noted that in all cases SMS messages were the only authorization factor on the devices affected by the hacking attempts. Accordingly, such an attack can only succeed if the “Cloud Password” or “Two-step verification” option is not enabled in the Telegram settings on the smartphone.

According to anti-virus expert Viktor Chebyshev, Telegram is consistently included in the list of applications targeted by cybercriminals in various spy campaigns. Such an attack can give attackers access to the correspondence of specific people.

Hackers Now Utilizing SS7 Attacks to Steal Money from Bank Accounts


According to yet another piece of research, cyber criminals have now shifted their attention to tapping the phone network by abusing the SS7 protocol, stealing money directly from bank accounts by intercepting messages.

Since the protocol is used by Internet service providers and telecom companies to route telephone calls and text messages across the world, these SS7 attacks exploit an existing design flaw in it to carry out a range of dangerous attacks, including data theft, eavesdropping, text interception and location tracking.

The UK's Metro Bank has already fallen victim to this attack. According to a statement from the National Cyber Security Centre (NCSC), the 'defensive' arm of the UK's signals intelligence agency GCHQ, SS7 attacks are consistently used by cybercriminals to intercept messages in order to steal the codes used to authorize bank transactions.

NCSC said that “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA).”

Because of this two-factor authentication step, cybercriminals with SS7 network access can, after obtaining internet banking login credentials through phishing, trigger the verification code by text message, intercept it through an SS7 attack with little effort, and use it to complete their transaction.

“Something that members of the general public don’t necessarily have to worry about. An SS7 attack is unlikely to be effective if the bank uses a form of 2FA that doesn’t rely on text messages, such as an authenticator app.”

When some of the notable telecom service providers were approached for their views on this matter, Vodafone said: “We have specific security measures in place to protect our customers against SS7 vulnerabilities that have been deployed over the last few years, and we have no evidence to suggest that Vodafone customers have been affected.”

Vodafone also said it is working with the GSMA, banks and security specialists to mitigate the issue and further protect its customers.