A method of hijacking accounts “wholesale” through access to a mobile operator's services
Today, just a few hours ago, I discovered a fraud method that was new to me: an attempt to gain access to the personal account at my mobile operator.
Upd: The word “new” has nevertheless been removed from the title; thanks for the criticism. Answers to the main points of criticism are placed at the end, so there is no need to read through the comments.
A quick web search, as well as a survey of IT specialists I know, showed that no one had yet seen this method in use. The lack of publicity, together with the fact that ordinary users do not find all the threats created by the obtained access obvious, makes it more dangerous.
Attention! This post was written to warn the community about a possible danger and a new form of fraud. Repeating the actions described in the article with any accounts other than your own entails liability under the legislation of the Russian Federation. The main purpose of this article is to quickly acquaint a wide range of specialists and ordinary people with a new way of hijacking accounts on services where login or recovery can be done via a telephone. It would also be useful to start a discussion of this method and its variations among the experienced community and to spread the information more widely. Therefore I will be brief and do not claim a comprehensive analysis; rather, I want to describe a specific case and sketch possible variations of this example in broad strokes.
Description of the method
- Through a hacked VK account (or any other social network or messenger), the “old friend” (the attacker) contacts the victim and describes a “phone unavailable problem”.
- He asks for “help logging in somewhere” that requires an SMS code; for this he asks the victim to send him the code or a screenshot.
- The victim receives an SMS with a one-time confirmation code for access to MTS services.
- The victim complies and thereby gives away access to their MTS personal account.
An example of a real exchange:

Naturally, I did not send the code to anyone; I stalled the attacker with requests like “send it again, the SMS isn't arriving” while calling my friend and asking him to change his password immediately and take action. Unfortunately, it was not possible to find out the exact share of victims through him, since the hacked man had not planned to go on VK at all; he urgently changed his password and went back to his business, but to my question “How many people fell for it?” the answer was “lots!”.
Preliminary analysis of the threats and their perceived “horror”
A brief survey of 9 ordinary users showed:
- 4 of them see no serious threat in this sequence of actions,
- 5 find it alarming and would try to verify the identity of the “old friend”.
The threats of someone gaining access to their account were named as follows:
- “Debit money from the phone account”,
- “Connect paid services or mailings”,
- “Debit money from the auto top-up card”,
- “Can transfer money to another phone”,
- “Can set up call forwarding and defraud”,
- “Can set up SMS forwarding and steal accounts on other services”.
Points 1 and 2 are obvious to everyone; 3 and 4 are not obvious to the respondents but are obvious to more experienced users; points 5 and 6 are obvious only to the most experienced. Only two people knew that the MTS personal account contains a whole payment gateway, and nobody knew about possibility #7: sending money directly from the MTS account to any card. I discovered it while examining the MTS personal account for ways the obtained access could be exploited.
Test use of the stolen access in the MTS personal account
To verify this, I took a second number and, using this scheme, fairly quickly logged into the MTS personal account and set up forwarding.
MTS notifies the victim's old number about:
- a password change,
- logins to MTS services,
- the SMS forwarding and SMS Pro services.
After that, the victim's phone goes quiet and everything arrives at the new number.
NB: Setting up voice-call forwarding produces no notification from MTS at all, which is a pity.
Then, using only the new phone, I successfully:
- topped up another phone's account,
- transferred money from the MTS account → bank card (commission 4.3%, but at least 60 rubles),
- restored access to a couple of online accounts,
- received the voice call used instead of an SMS,
- ordered a callback from a shop's website,
- logged into an online bank and sent money to an unrelated card, see below.
When I tried to restore access to my main online banks (the red, green and yellow ones), I was faced with having to provide additional information: passwords, and for recovery, account and card numbers. This complicates the process a bit, or rather slows it down, because if the victim has sent those details even once, they are easy to find in the message history, and the messenger together with its history has already been stolen.
So I also successfully logged into one of the banks and sent a Card2Card transfer. The amounts were small and the bank asked no questions, but even earlier, for large amounts, I was never asked for anything more complicated than personal data.
Thus, I assess the risk of financial losses as extremely high, and the risk of a major financial loss as tangible, although in my case the task was made easier by how easily the details could be found in the correspondence; I doubt I am the only one.
I will conclude my “letter to the editor” with a wish for vigilance for you and your loved ones.
Upd 02/14/19 - Answers to questions and criticism in the comments
Most often, commentators' objections were to the title:
Where is the new method here? - I justified it in the very first sentence, but not enough; a truer word would be “not widespread” or “little known”; however, I removed the word altogether. The novelty, relative as it is, lies not in a direct request for money but in a request that is “not financial in nature” and has no direct, obvious connection with financial losses. This is objectively rare: usually they just bluntly ask for a loan, but I would be glad to see real statistics. Thanks for understanding to the Habr users who answered the same way in the comments below.
And what is “wholesale” about such a theft? - Indeed, I did not explain; my fault, I am correcting it. “Wholesale”, in quotation marks, means that the same phone can be the “second factor” of two-factor authentication on many services at once, so obtaining such access can lead to loss of control over several accounts at once, as well as to other losses. I could not think of a better word, but the point is that one key opens not one obvious door but several, and which ones is not known.
Another popular cause of outrage:
Ordinary social engineering! Why is it on Habr? - So it is, but “social engineering” is a very broad term that says nothing specific. However, a system can be built so that simple schemes for deceiving users do not work, and fraud schemes are all different; any IT specialist or security person should be aware that illegitimately enabled forwarding can exist. Hence, on Habr.
Examples:
- Are we adding the option to listen to a captcha or code via an automated voice call?
- Did we leave a numeric sender number on the gateway for confirmation SMS?
We should assume that “zombies” can get into the system. This is not always obvious. Perhaps after such a restoration of access the rights really need to be restricted, or clarifying questions asked during recovery.
- Do we send any confidential information via SMS or autodialer?
There is a risk of disclosing it to intruders or, for example, of answering under Federal Law 152 for “Ivan Ivanovich, you have a debt on a loan of so many rubles”.
- An employee complains that he does not receive SMS from the corporate portal?
We do not brush him off; we investigate the situation: perhaps his SMS messages are going “elsewhere”.
In addition, if at least a dozen people remind those around them once more of a rule like “any transfers or codes only after a personal phone call, even if it is not about money at all”, then I did not write this for nothing.
Special thanks to trublast for habr.com/en/post/436774/#comment_19638396 and to tcapb1 for habr.com/ru/post/436774/#comment_19637462, in which they understood and developed my thoughts and raised possible threats and options.
At the end I will add an answer to comments like “According to my estimates, people with that level of gullibility have had nothing to steal for a long time.”
Quite right: as a rule there is nothing to steal, and this is another important feature that information systems, security protocols and authorization policies must take into account. Many people try to be good and kind and to help each other; they lose their own money, but they also work in enterprises. If someone's computer is acting up and they urgently need to send a letter, they will be let on, despite having access at a completely different level.
The average IT person, usually rather paranoid, has a high level of abstract thinking, can quickly build chains of reasoning and estimate probabilities, and hears about various deception schemes. The average person is completely different: he needs to solve his work problems as easily and quickly as possible, to help himself and a friend, and then he will help you. Any loader, electrician, courier or manager, people not in constant contact with information security issues, may have access to very private data and expensive products and have absolutely no understanding of what they are capable of disrupting, the level of risk, or the cost of the potential damage. And even if they are found guilty of losing millions, there is generally nothing to take from them. Therefore, I think, IT professionals,
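One way to turn the two suggestions above into policy code: a user who came in through SMS-only recovery gets limited rights (the “zombie”) until step-up verification of the kind the banks demanded, and every change that moves the second factor, including call forwarding, alerts the old channel. This is an added illustration in Python, not MTS or bank code; the action names, the 24-hour cooling-off period and the step-up flag are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions a hijacked "second factor" alone must not be able to trigger (from the post: money
# from the phone account to any card, topping up another phone, SMS or call forwarding).
SENSITIVE_ACTIONS = {
    "transfer_to_card", "top_up_other_phone", "enable_sms_forwarding",
    "enable_call_forwarding", "change_password", "change_contact_number",
}
# Changes that must always be reported to the previously registered number or e-mail.
# Call forwarding is listed on purpose: in the post it produced no notification at all.
NOTIFY_OLD_CHANNEL = {"login", "change_password", "enable_sms_forwarding",
                      "enable_call_forwarding", "change_contact_number"}

@dataclass
class Session:
    user: str
    auth_method: str            # "password+otp" (normal login) or "otp_recovery" (SMS code only)
    opened_at: datetime
    step_up_done: bool = False  # e.g. card/account number supplied, as the banks in the post demanded

def is_restricted(session: Session) -> bool:
    """SMS-only recovery yields the post's 'zombie' user: logged in, but with limited rights."""
    return session.auth_method == "otp_recovery" and not session.step_up_done

def authorize(session: Session, action: str, now: datetime,
              cooling_off: timedelta = timedelta(hours=24)) -> tuple[bool, str]:
    """Return (allowed, reason). In a restricted session, sensitive actions wait for step-up
    verification or for a cooling-off period in which the real owner can react to the alerts."""
    if action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    if not is_restricted(session):
        return True, "fully authenticated session"
    if now - session.opened_at >= cooling_off:
        return True, "cooling-off period elapsed"
    return False, "restricted session: step-up verification required"

def must_notify_old_channel(action: str) -> bool:
    return action in NOTIFY_OLD_CHANNEL

def replay_post_scenario() -> list[tuple[str, bool]]:
    """The post's attack against this policy: SMS-code recovery, then forwarding and a transfer."""
    t0 = datetime(2019, 2, 14, 12, 0)                      # constructed timestamp
    s = Session(user="victim", auth_method="otp_recovery", opened_at=t0)
    log = [(a, authorize(s, a, t0 + timedelta(minutes=5))[0])
           for a in ("view_balance", "enable_sms_forwarding", "transfer_to_card")]
    s.step_up_done = True                   # the real owner later proves more than SMS access
    log.append(("transfer_to_card", authorize(s, "transfer_to_card", t0 + timedelta(minutes=10))[0]))
    return log
```

With this policy the stolen SMS code alone lets the attacker look around but not set up forwarding or move money, while the notifications to the old number still go out for every factor-moving change.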