Researchers discovered threat actors misusing text messaging services to snoop on victims’ message inboxes. According to a report from security firm Motherboard, certain text-messaging management services have been misused to secretly redirect text messages from victims’ devices to cybercriminals, including 2FA codes and login links that are sent through SMS.
Companies are the Culprits!
The investigation revealed that threat actors are misusing text-messaging service providers to illicitly redirect users’ SMSes to hackers for just $16, exposing them to privacy and security risks. With this, hackers not only access victims’ incoming text messages, but they can reply as well.
Sometimes, the text-messaging service providers fail to notify the users about SMS redirection.
“The invisible cyberattacks on companies providing SMS redirection services are reportedly being carried out in connivance with workers at telecom companies,” the report said.
In general, SMS redirection is a process of diverting your incoming messages to any local Dialog number, email address, or other contact number. Users mostly use this service when their mobile’s battery is dying, or their network is out of coverage.
SIM Swapping vs. SIM Redirection
Threat actors use several hacking methods, like SIM swapping attacks, to exploit users’ SMS services. In a SIM swapping attack, the hacker calls the service provider and tricks them into changing a victim’s phone number to an attacker-controlled SIM card. It is one of the simplest ways for cybercriminals to bypass users’ 2FA protection. This allows the attacker to reset passwords and gain access to the victim’s sensitive data.
However, it’s easy to discover a SIM swap attack, as the user’s device will be disconnected from the network. While in SMS redirection, the user can’t notice the damage until hackers compromise the device and personal-financial data.
“The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over target’s phone numbers to harass them, drain their bank account, or otherwise tear through their digital lives. It is better to use an app like Google Authenticator or Authy. Some password managers even have support for 2FA built-in, like 1Password or many of the other free managers we recommend,” the report added.
