We have all received calls from fake bank representatives offering complimentary credit card upgrades, free insurance, and assistance with KYC (Know Your Customer) formalities. To provide these services, they ask us for our credit card or debit card details.
However, in the last few years, the general public has wised up to this scam, and most of us no longer entertain these calls. In response, scammers have repackaged their scams and now deliver them through other channels. The new schemes are so convincing that we are the ones who reach out to the scammers.
Let’s explore these sophisticated approaches and the various resources that allow scammers to continue defrauding us.
What makes us vulnerable?
Most people rely unquestioningly on Google search for everything from bank locations to restaurant reviews. So it is only natural that scammers have started targeting Google services to get bogus web pages indexed, pages that list fake bank branches and customer care numbers. It is also simple to list a business on Google, because there is no detailed verification process. In 2018, police busted a scammer who was running a fake branch of Karnataka Bank in UP’s Ballia.
How are fake banking services provided?
The scammer buys a domain name that closely mimics that of the targeted bank. They replicate the bank’s trademarks, logos, and website design to give the site an air of authenticity.
They set up telephone numbers, which are advertised on the fake website. To convince skeptical users, the scammer goes the extra mile by mimicking the original caller tunes and hold tunes and by following standard operating procedures.
Sometimes, scammers even set up interim branches and kiosks, employing people at different levels, so that it appears to be a legitimate operation.
They then list themselves on Google services with seemingly genuine location details.
When a customer searches for a bank branch or customer care number, these sites appear as top Google search results.
When the customer calls the fake number or visits a fake branch, scammers slip questions about CVVs (Card Verification Value) or ask for OTPs (One Time Password) in the middle of the conversation.
They may even advise users to download and install remote desktop sharing apps, or to open links, that give them control of the customer’s mobile device.
Scammers especially favour UPI (Unified Payment Interface) and other similar apps. They will ask for a victim’s UPI ID and convince them to accept 1 rupee on the app. Instead of accepting money, unaware and inexperienced users will in fact be remitting a large amount from their own account.
Are there precautions we can take?
Stay informed about scammers and the different types of online scams.
Proactively monitor the surface web and alert authorities of any scams you have identified.
Inform targeted banks about such scams. It will also help them to initiate the takedown of such sites and apps and ensure others don’t fall prey to these scams.
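One way a bank's security team could monitor for the look-alike domains described above is sketched below. This is an added example, not part of the original article; the bank domain examplebank.in, the observed domain list, and the distance threshold are all constructed assumptions, and inputs are assumed to be registered domain names without subdomains.

```python
import re

LEGIT_DOMAIN = "examplebank.in"  # hypothetical bank domain (assumption)
# Digits commonly swapped in for letters in look-alike names.
FOLD = str.maketrans("0135", "oles")

def brand_label(domain):
    """First label of a registered domain: lower-cased, separators removed, digits folded."""
    label = domain.lower().strip(".").split(".")[0]
    return re.sub(r"[-_]", "", label).translate(FOLD)

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, legit=LEGIT_DOMAIN, max_distance=2):
    """Label a newly observed domain relative to the bank's real one."""
    if candidate.lower().strip(".") == legit:
        return "legitimate"
    brand, cand = brand_label(legit), brand_label(candidate)
    if cand == brand:
        return "lookalike: same name, different suffix or character swap"
    if brand in cand:
        return "lookalike: brand embedded in a longer name"
    if edit_distance(cand, brand) <= max_distance:
        return "lookalike: near-miss spelling"
    return "unrelated"

# Constructed sample of newly observed domains (not real data).
OBSERVED = ["examplebank.in", "examp1ebank.in", "example-bank.co",
            "examplebankcare.in", "exampelbank.in", "weatherreport.in"]

def review(domains=OBSERVED):
    """Return a verdict per domain, ready to hand to a takedown workflow."""
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for domain, verdict in review().items():
        print(f"{domain:22} {verdict}")
```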
Miscreants recently siphoned INR 4.57 million from Creative Engineers’ bank account. The attackers first hacked the proprietor’s Gmail account and sent an email to Airtel to confirm the SIM swap. With access to his email and phone number, they were able to obtain his internet banking credentials and carry out the attack. The attackers employed SIM hijacking, which is the process of deactivating a SIM and appropriating a phone number, to pass the internet banking authentication.
If you have a phone, you are a target.
Other than being a convenient mode of communication, mobile phones also serve as authentication for a variety of services.
Since password protection alone could not secure accounts, we introduced 2 Factor Authentication, linked to our email or phone number, to protect sensitive accounts. This includes emails, online banking accounts, and cryptocurrency exchanges.
The time has come to assess whether 2 Factor Authentication is still ironclad. Given the success of attacks such as SIM hijacking, it looks like hackers have found a way to get around that as well.
SIM Hijacking is the process through which a hacker takes over your phone number and deactivates your SIM card, rendering it non-functional.
Getting access to your SIM is usually just one part of a larger scam. In order to siphon your bank accounts or steal sensitive information, a hacker also needs access to your account details, without which they cannot successfully bypass 2 Factor Authentication.
SIM Hijacking is also used to steal Instagram usernames that are then sold for Bitcoin. This form of attack, though not as rampant, should be monitored, considering the potential impact.
Sophisticated strategies to compromise a phone number
SS7 and Diameter attacks function by attacking the underlying telecom network/protocol. This allows an attacker to take over any phone number by intercepting SMS-based tokens, account recovery codes, and calls.
IMSI catchers are RF devices that enable an attacker to take over a phone number by intercepting and injecting cell traffic. This method requires physical proximity to the target.
Fig 3: IMSI catcher used for SIM hijacking
SIM Hijacking targets a carrier, either through conventional attacks or by social engineering its support staff, to take control of a phone number. This is known as SIM porting/hijacking, and it is becoming increasingly popular with attackers.
Execution of SIM Hijacking
In India, hackers often contact victims, posing as executives from telecom companies, offering better network plans or discounts. They usually verify your full name, address, phone number, DOB, last four digits of social security number (SSN), Aadhaar number, or other security questions.
The attacker then tries to obtain your unique 20-digit SIM number and SIM swap authentication. For example, if you are a Vodafone user, the attacker will use a new Vodafone SIM to process the SIM exchange. Vodafone will send a confirmation SMS to your phone number, and the attacker will instruct you to press a digit to authenticate the SIM swap. Vodafone will then officially initiate the SIM swap.
Once the swap is successful, your SIM will stop working and won’t have cell reception. On the other hand, the attacker’s new SIM will be fully functional.
The attacker, in most cases, will already have your banking ID and password. All they need is the OTP to perform fraudulent financial transactions. Hijacking your number allows the attackers to pass the 2-step verification process. This gives the hacker access to your accounts across Google, Twitter, Facebook, O365, online banking, and cryptocurrency trading platforms.
Fig 4. Execution of SIM Hijacking
What if the hacker has an individual’s email ID but not their phone number?
With your email ID, the hacker will initiate a password reset process for your accounts.
The hacker can reset your password using a link or a secret code received via email, SMS, or phone call.
To reset a password with an SMS or a phone call, the prompt displays part of the phone number. The number of digits visible may vary depending on the platform, because there is no standardized way to mask personally identifiable information (PII) such as phone numbers. For example, PayPal reveals the first digit and the last four digits, while some other platforms show the first digit and the last 2 digits.
Similarly, the hacker will use your email on different platforms to reveal more digits of your phone number.
A typical Indian mobile number format is: “+91-XXXX-NNNNNN”. The first four digits indicate an operator’s code, while the remaining six digits are unique to the subscriber. The hacker narrows the options by detecting the operator code.
There are many ways an attacker can verify if the shortlisted phone numbers are linked to the email address:
– Using search engines to check if you have posted your phone number on a forum, website, etc.
– Employing online services such as Pipl or Spokeo that have huge databases with personal information.
– Using telephone system online services that allow you to reverse search the owner of a phone by its number.
By abusing password reset options, and by brute-forcing using publicly available information, a hacker can obtain your complete phone number.
When the hacker has a phone number, this process is reversed to obtain the corresponding email ID. Services such as Amazon and Twitter allow password reset using a phone number. For this, a verification link is sent to the associated email ID, and the prompt displays a few characters of that email ID. Amazon provides the first and last letter of the username and the full domain. Also, the number of masked characters reveals the length of the username.
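For service owners, the fix for the inconsistent masking described above is a single masking policy that shows the same few characters everywhere and never reveals length. The sketch below is an added example, not from the original article: it places a length-preserving mask of the kind the article describes next to a fixed-width one, and measures how much a set of differing prompts exposes in combination. The sample number, email addresses, and mask widths are constructed assumptions.

```python
import re

SAMPLE_NUMBER = "+91-9999-000042"  # constructed, not a real subscriber

def _digits(number):
    return re.sub(r"\D", "", number)

def mask_positions(number, head, tail):
    """Length-preserving mask: first `head` and last `tail` digits stay visible."""
    d = _digits(number)
    if head + tail >= len(d):
        raise ValueError("mask would reveal the whole number")
    return d[:head] + "*" * (len(d) - head - tail) + d[len(d) - tail:]

def digits_exposed(masks):
    """Audit helper: positions revealed by at least one of several masks of one number."""
    if len({len(m) for m in masks}) != 1:
        raise ValueError("masks must cover the same number")
    return sum(any(m[i] != "*" for m in masks) for i in range(len(masks[0])))

def mask_phone_fixed(number, tail=2, width=8):
    """Hardened policy: fixed-width mask, only the last `tail` digits shown."""
    d = _digits(number)
    if len(d) <= tail:
        raise ValueError("number too short to mask")
    return "*" * width + d[-tail:]

def mask_email_fixed(address, width=5):
    """Hardened policy: first character, fixed-width mask, domain; length is hidden."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return local[0] + "*" * width + "@" + domain

if __name__ == "__main__":
    differing = [mask_positions(SAMPLE_NUMBER, 1, 4),   # first digit + last four
                 mask_positions(SAMPLE_NUMBER, 1, 2),   # first digit + last two
                 mask_positions(SAMPLE_NUMBER, 3, 0)]   # a third, constructed policy
    print(differing, "->", digits_exposed(differing), "digits exposed in total")
    print(mask_phone_fixed(SAMPLE_NUMBER))
    print(mask_email_fixed("a.user@example.com"), mask_email_fixed("ab@example.com"))
```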
While it is incumbent on telecom carriers to enforce stringent measures to prevent attacks that target phone numbers, it is also important for us, as mobile phone users, to be able to identify the signs of a SIM Hijacking attack.
You are a victim of SIM Hijacking if you:
Lose cell service for an extended period of time.
Get locked out of your email and social media accounts because the passwords have been reset.
Receive suspicious calls, during which the executive asks for your personal details or SIM number.
Another layer of security, while helpful in the short term, won’t be foolproof. As witnessed from the breach of previous security frameworks, hackers will find a way to circumvent the new layer of security as well. So, how do we shield ourselves against SIM Hijacking?
Use PIN-based authentication. Most carriers offer the option to protect your accounts using a passcode or PIN.
Use an authentication app such as Google Authenticator instead of receiving the two-factor authentication code via SMS.
Link sensitive accounts to a separate phone number and keep it confidential.
Label email addresses and phone numbers, so that the hint prompt displays labels such as “Home phone” instead of your phone number.
As is evident from the recent attack on Creative Engineers, hackers are increasingly resorting to SIM hijacking. And because our phone numbers are linked to the services we use every day, each of them is a valuable target.
While telecom operators need to bolster the security of their networks, as users, our best defense is awareness. We can protect ourselves by taking simple precautions and by understanding how scammers orchestrate such attacks.