Mobile Telephony Threats in Asia

Transcription

1 Mobile Telephony Threats in Asia Black Hat Asia 2017, Singapore Dr. Marco Balduzzi Dr. Payas Gupta Lion Gu Sr. Threat Researcher Data Scientist Sr. Threat Researcher Trend Micro Pindrop Trend Micro Joint work with Prof. Debin Gao (SMU) and Prof. Mustaque Ahamad (GaTech)

2 th Marco s 9 BH Anniversary :-) 2

3 Click to play recording [removed] 3

4 Wangiri Fraud, Japan 4

5 Fake Officials Fraud, China 5

6 This is your Telco calling, UAE 6

7 Police Scam, Singapore 7

8 BringBackOurCash, Nigeria 8

9 Why is Happening? Lack of users awareness Users publicly disclose their mobile numbers Expose themselves and the organization they work for! 9

10 Current Defeat Strategies Telcos Crowd sourced FTC, fraud complaints 800notes open datasets Proprietary 10 10

11 Missing Caller's Details 11

12 No Actual Timestamps 12

13 Perception v/s Reality 13

14 Not all Fraudulent Calls are Reported Compared both FTC and 800notes against each other for a certain set of numbers 14

15 Delay in Reporting Fraudulent Calls 15

16 Any Solution?

17 17

18 Using SIP Trunks Call IP Tel. ext Switch Call Manager/ PBX IP Tel. ext SIP Trunk Telephone Exchange Rules Destination no. Destination IP Incoming call Incoming call Incoming call Incoming call Call Manager table Tel. Range to IP Tel. ext Honeypot 18

19 Using GSM/VoIP Gateways 19

20 Mobile Telephony Honeypot 20

21 Mobile Telephony Honeypot 21

22 Example of Call Recording

23 Example of SMS Recording 确认了哈 位置还留起的 之前在等qq消息 我刚才电话问 了 给我转款吧 建 行四川分行第五支行 户名 王玲 (I have confirmed. Reservation is still valid. I am waiting QQ message, and I contact you by phone call. Please transfer money to me. China Construction Bank Sichuan Provincial Branch Fifth Sub-branch, account number: , account name: Wang Ling) 23 23

24 24

25 How to make honeypot numbers appealing to fraudsters?

26 Seeding Social network Mobile malware Abuse list 26

27 Simulating Social-Network Leaks 27

28 Mobile Malware Leak Honeypot numbers in contact list ~400 samples of 60 families Track 140 C&C leakages Taint Droid Network traffic 28

29 Active Engagement with Fraudsters reported (abuse) numbers Engaged with SMS and one-ring call I am fine with our discussion. How do we want to proceed? 29

30 General Results 30

31 Effect of Seeding 31

32 Social Networks Very effective Picked up by Xinhua Quanmei [*] Daily news in the form of spam -> 221 messages [*] 32

33 Malicious Apps 79 ADs from Self-promoting app [*] (mal1) (mal2) are spoofed [*] 33

34 Fraudsters Strategies 34

35 Blended Malicious Traffic 35

36 Concealed Caller Numbers 51% fraudsters: Use of SMS gateways and VoIP services to hide identity Use of foreign sim-cards (mainly Thailand) Use of split-paid services to reduce cost on international calls 36

37 Social Engineering Human = weakest point in chain Multi-hop attack, similar to BEC Lateral movements 37 37

38 Multi-step Attack Repeated over time Combination of Calls and SMS Pretend to know the victim Confirm IM Ask for IM contact Confirm paypal Send payment instructions (paypal) 38

39 The Big Boss Example 39

40 Google Business Listing List your business online on Google Click here for recording [removed]. 40

41 Can you hear me? Subscribe you to services when you say YES Click here for recording. [removed] 41

42 Tax Collection Agency Find you and call you Intimidation Pay using tax vouchers 42

43 Technical Support Scam 43

44 Use of intimidation Postal service Fee requested for a package in customs hold Telephony provider Contract suspended because bill not paid 44

45 How campaigns operate? Use of multiple calling numbers to avoid easy detection Common sources Multiple campaigns ran by the same gang 45

46 Authentication Bypass [Tencent] Verification code Use it to change the password of the QQ number 64******5. Leaking the verification code has a risk. The QQ Security Center. Reuse of previously-terminated numbers Circumvent 2-factor auth! 46

47 Defensive Strategies 1) 2) 3) 4) 47 Adopt reputation-based solutions Protect your number Don t get social engineered Look after your 2 auth 47

48 Thanks! 48 48