How Mobile Phones Turn Into A Corporate Threat
Over the last year, the number of mobile phones overtook the world population. In countries like the United States, mobile subscribers outnumbered traditional landline users and half of Americans shifted to mobile-only to communicate. In modern smart cities, wireless-only buildings are becoming the new construction standard for homes, factories, and organizations in general. Landline phones are going away—sooner rather than later.
While telephone scams seem like old-school hacking techniques, phones—particularly mobiles—still play important roles for both users and organizations. Just like how business email accounts are targeted by spear-phishing, corporate phones are now targeted by cyber-criminals conducting socially-engineered attacks.
For example, users unknowingly publicize their corporate phone number (for example, in social media sites), and fall victim to fraudsters who collect targeted numbers from these readily-available sources. These same attackers carry out attacks using social engineering, thus bypassing normal protection mechanisms that network traffic and emails possess. In this research, we highlighted the current issues we observed with mobile telephony and the risks they pose for organizations world-wide.
While telephone denial-of-service attacks and robocalls (one-ring calls) are both known and simply considered an annoyance, we looked into more sophisticated attacks conducted over mobile phones, mainly in the form of manual and socially-engineered calls. To this end, our Forward-Looking Threat Research (FTR) team (in collaboration with New York University, Singapore Management University, and Georgia Institute of Technology) recently deployed a mobile telephony honeypot (mobipot) to investigate cellular threats and the cybercrime ecosystem. We wanted to learn not only how these wireless-only attacks are conducted, but also how the cyber-criminals are organized.
Mobipot was configured with honeycards (SIM cards controlled by the researchers] that recorded attacks delivered in the form of calls and messages.) The numbers of these honeycards were seeded to potential miscreants with multiple techniques, including running mobile malware that leaked the numbers stored in a test phone’s contact list.
Figure 1 summarizes the architecture of Mobipot, and Figure 2 shows the hardware setup.
Figure 1. Mobipot architecture
Figure 2. Mobipot hardware
Over a seven-month period, the researchers collected 1,021 messages from 215 senders and 634 voice calls from 413 callers. Over 80% of them were unsolicited, comprising of threats like scam, fraud, voice phishing and, targeted attacks.
Most of these calls and texts were carried out during business hours. This confirms that cybercriminals blend in with normal telephone traffic to appear legitimate. Fraudsters also used GSM proxies and VoIP technologies to mask and spoof their origin numbers. As a result, traditional detection techniques based on blacklists are less effective and new techniques taking into account contextual information are needed. This is where our work comes in.
Scams and Spam
Delivered in the form of automated calls and messages, scams and spam represented 65% of the unsolicited traffic. Mobipot was targeted with messages offering ring tones, mobile plans, online services and games, and other sorts of commercials and ads. Some interesting examples include:
- Private investigators offering shadowing and surveillance services
- Hacking services like accessing personal emails and spying on users.
- Trading of illicit goods like stolen credit cards, hijacked payments accounts, PayPal with verified balances, and invoices in different amounts and formats
- Political propaganda: “I wish you a New Year of health and peace. I called to tell you that the Chinese disasters continued. How we will be able to not spend money? […] Love to the Chinese Communist Party. In our program, we want to reform the land […]”
Fraud was usually manually initiated by fraudsters who used social engineering to lure their victims into performing money transfers. Multi-stage attacks were often employed, with attackers repeatedly contacting the same victim first via a phone call and later by text message. These would ask the would-be victim about the status of a payment. The fraudsters making these calls pretended to be banks, non-profit associations, or friends.
For example, some fraudsters pretended to be one of the honeycards’ mobile providers. They “informed” us that the contract was going to be suspended because the bill was not paid—payment information was sent within the day. In another example, the fraudsters impersonated a corporate postal service and requested a fee to release a parcel detained in customs.
Mobipot also looked into a case where fraudsters asked for the user’s private information such as the spelling of his name, the password associated with a specific account, or his personal IM number and account.
The diagram below shows the connections between our honeycards and some of the numbers that were used to conduct attacks. The squares represent our honeycards (with the method used to seed their numbers to attackers inside). Each circle represents a separate attack, with the number inside showing how many numbers were used. Note that in several cases, multiple campaigns were run by the same attacker (connections between small circles). Most of our honeycards were targeted by different attacks as well.
Figure 3. Connections between campaigns and honeycards
Solving this problem requires focusing both on the human aspect of this problem, as well as technical aspects.
Our research shows that there is some risk to making one’s phone number freely known to the public. Employees, particularly those in sensitive roles in a company, should be made aware of these risks. For some, not giving out contact information may be desirable. For others, perhaps a complete separation of their personal and work devices—including the numbers used—may be a good idea.
Whether one’s official number is shared or not, employees should be trained how to handle unsolicited phone calls. Good security training today already includes how to handle unsolicited emails—i.e., the identity of the sender should be confirmed, any instructions contained in the emails should be verified. These practices are already a part of defending against Business Email Compromise (BEC) schemes; the same logic can (and should) be applied to phone calls and text messages. If necessary, these decisions can be made part of an organization’s policies and enforced accordingly.
On the other hand, technical solutions also exist. Incoming calls can be filtered by security products, such as Trend Micro Mobile Security for Android. This provides an additional tool to help users manage the calls they receive on their devices.
Our research shows once again how cybercrime rapidly adapts to a changing world. Fraudsters recognize how mobile phones play an important part in the normal life of millions, and have found different ways to abuse mobile phones to conduct sophisticated and effective social engineering attacks.
In a scenario where organized crime and targeted attacks are becoming more frequent, the mobile devices of employees can now be considered a threat to their organizations. Mobile telephone honeypots allow our researchers to uncover new aspects of these threats.
We initially made our work public during the 11th ACM Asia Conference on Computer and Communications Security conference in Xi’an, China, with the details in our paper titled MobiPot: Understanding Mobile Telephony Threats with Honeycards. We recently presented a follow-up to this, concentrating on Asia-specific findings, at Black Hat Asia 2017 titled Mobile Telephony Threats in Asia.
Additional research and analysis by Lion Gu.