Mobile Telephony Threats in Asia

Trend Micro's Dr. Marco Balduzzi presents mobile telephony threats in Asia at Black Hat Asia 2017.

  1. Mobile Telephony Threats in Asia. Black Hat Asia 2017, Singapore. Dr. Marco Balduzzi, Sr. Threat Researcher, Trend Micro; Dr. Payas Gupta, Data Scientist, Pindrop; Lion Gu, Sr. Threat Researcher, Trend Micro. Joint work with Prof. Debin Gao (SMU) and Prof. Mustaque Ahamad (GaTech).
  2. Marco's 9th BH Anniversary :-)
  3. Click to play recording [removed]
  4. Wangiri Fraud, Japan
  5. Fake Officials Fraud, China
  6. This is your Telco calling, UAE
  7. Police Scam, Singapore
  8. BringBackOurCash, Nigeria
  9. Why is this Happening?
     • Lack of users' awareness
     • Users publicly disclose their mobile numbers
     • Expose themselves and the organization they work for!
  10. Current Defeat Strategies
     • Telcos
     • Crowd sourced
       – FTC, fraud complaints
       – 800notes open datasets
     • Proprietary
  11. Missing Caller's Details
  12. No Actual Timestamps
  13. Perception vs. Reality
  14. Not all Fraudulent Calls are Reported
     • Compared both FTC and 800notes against each other for a certain set of numbers
  15. Delay in Reporting Fraudulent Calls
  16. Any Solution?
  17.
  18. Using SIP Trunks. Call flow: Telephone Exchange -> SIP Trunk -> Switch / Call Manager (PBX) -> Honeypot. Honeypot hosts: 192.168.1.10 (Tel. range 88800 to 88899), 192.168.1.11 (Tel. ext 83345), 192.168.1.12 (Tel. ext 83351), 192.168.1.13 (Tel. ext 88346). Call Manager table (rule: destination no. -> destination IP):
     • Incoming call 88800 - 88899 -> 192.168.1.10
     • Incoming call 83345 -> 192.168.1.11
     • Incoming call 83351 -> 192.168.1.12
     • Incoming call 88346 -> 192.168.1.13
  19. Using GSM/VoIP Gateways
  20. Mobile Telephony Honeypot
  21. Mobile Telephony Honeypot
  22. Example of Call Recording
  23. Example of SMS Recording
     • 确认了哈,位置还留起的 之前在等qq消息,我刚才电话问 了,给我转款吧。建 行四川分行第五支行5240 9438 1020 0709,户名:王玲。 (I have confirmed. The reservation is still valid. I was waiting for a QQ message, and I contacted you by phone call. Please transfer the money to me. China Construction Bank Sichuan Provincial Branch Fifth Sub-branch, account number: 5240 9438 1020 0709, account name: Wang Ling)
  24.
  25. How to make honeypot numbers "appealing" to fraudsters?
  26. Seeding: Social network, Mobile malware, Abuse list
  27. Simulating Social-Network Leaks
  28. Mobile Malware Leak
     • Honeypot numbers in contact list
     • ~400 samples of 60 families
     • Track 140 C&C leakages
       – TaintDroid
       – Network traffic
  29. Active Engagement with Fraudsters
     • 2000+ reported (abuse) numbers
     • Engaged with SMS and one-ring call
       – "I am fine with our discussion. How do we want to proceed?"
  30. General Results
  31. Effect of Seeding
  32. Social Networks
     • Very effective
     • Picked up by Xinhua Quanmei [*]
     • Daily news in the form of spam -> 221 messages
     [*] http://www.xhqm.cn/
  33. Malicious Apps
     • 79 ads from 106588302
     • Self-promoting app [*]
       – 0690123590110 (mal1) and 1065502004955590110 (mal2) are spoofed
     [*] http://wap.guanxi.me
  34. Fraudsters' Strategies
  35. Blended Malicious Traffic
  36. Concealed Caller Numbers
     • 51% of fraudsters: use of SMS gateways and VoIP services to hide identity
     • Use of foreign SIM cards (mainly Thailand)
     • Use of split-paid services to reduce the cost of international calls
  37. Social Engineering
     • Human = weakest point in the chain
     • Multi-hop attack, similar to BEC
     • Lateral movements
  38. Multi-step Attack: Pretend to know the victim -> Ask for IM contact -> Confirm IM -> Send payment instructions (PayPal) -> Confirm PayPal
     • Repeated over time
     • Combination of calls and SMS
  39. The "Big Boss" Example
  40. Google Business Listing
     • List your business online on Google
     • Click here for recording [removed]
  41. Can you hear me?
     • Subscribe you to services when you say "YES"
     • Click here for recording [removed]
  42. Tax Collection Agency: Find you and call you -> Intimidation -> Pay using tax vouchers
  43. Technical Support Scam
  44. Use of intimidation
     • Postal service – fee requested for a package in customs hold
     • Telephony provider – contract suspended because the bill was not paid
  45. How do campaigns operate?
     • Use of multiple calling numbers to avoid easy detection
     • Common sources – multiple campaigns run by the same gang
  46. Authentication Bypass
     • Reuse of previously-terminated numbers
     • Circumvent 2-factor auth!
       – "[Tencent] Verification code 658339. Use it to change the password of the QQ number 64******5. Leaking the verification code has a risk. The QQ Security Center."
  47. Defensive Strategies
     1) Adopt reputation-based solutions
     2) Protect your number
     3) Don't get social engineered
     4) Look after your 2-factor auth
  48. Questions? @embyte Thanks!
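
The call-manager table on slide 18 routes incoming calls by dialed number to the honeypot behind the SIP trunk. As an added example (not code from the talk, Trend Micro or Pindrop), the following Python models that table and parses a constructed SIP INVITE to pick the honeypot destination, while also capturing the caller and dialed number that the crowd-sourced datasets on slides 11 and 12 lack. The rule table, IP addresses, header layout and the sample INVITE are constructed from the slide.

```python
import re
from typing import Optional

# Constructed routing table modelled on the call-manager rules on slide 18 (not
# the project's own config): (low, high, honeypot_ip); a single extension is a
# range with low == high. The first matching rule wins.
RULES = [
    (83345, 83345, "192.168.1.11"),  # Tel. ext 83345
    (83351, 83351, "192.168.1.12"),  # Tel. ext 83351
    (88346, 88346, "192.168.1.13"),  # Tel. ext 88346
    (88800, 88899, "192.168.1.10"),  # Tel. range 88800 to 88899
]

# Request line of an INVITE: "INVITE sip:<number>@<host>[;params] SIP/2.0"
REQUEST_LINE = re.compile(r"^INVITE\s+sips?:(\d+)@\S+\s+SIP/2\.0$")
# User part of the From header, e.g. From: "A" <sip:+6591234567@h>;tag=1
FROM_USER = re.compile(r"^From:.*?sips?:([^@>]+)@", re.IGNORECASE)

def honeypot_for(number: int) -> Optional[str]:
    """Map a dialed number to a honeypot IP, or None if no rule covers it."""
    for low, high, ip in RULES:
        if low <= number <= high:
            return ip
    return None

def route_invite(sip_message: str) -> Optional[dict]:
    """Return {caller, callee, honeypot} for honeypot-bound INVITEs, else None."""
    lines = [ln.strip() for ln in sip_message.strip().splitlines()]
    m = REQUEST_LINE.match(lines[0]) if lines else None
    if not m:
        return None                       # not an INVITE, or a non-numeric URI
    callee = m.group(1)
    ip = honeypot_for(int(callee))
    if ip is None:
        return None                       # ordinary extension: leave to the PBX
    caller = "unknown"                    # still logged when From is anonymous
    for line in lines[1:]:
        fm = FROM_USER.match(line)
        if fm:
            caller = fm.group(1)
            break
    return {"caller": caller, "callee": callee, "honeypot": ip}

# Constructed INVITE as the telephone exchange would hand it over the SIP trunk.
SAMPLE_INVITE = """INVITE sip:88812@192.168.1.1 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776
From: <sip:+6591234567@203.0.113.5>;tag=1928
To: <sip:88812@192.168.1.1>
CSeq: 1 INVITE"""
```

Calls to numbers outside every rule return None so the PBX handles them normally; a honeypot-bound call yields the caller, callee and target host that the recorder can timestamp.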
