
Cherry-picking, a new trend among hackers

This is the second time this year that a measure meant to improve security has handed cybercriminals a way in. The first case involved WhatsApp and Telegram, where encryption designed to strengthen security potentially enabled hackers to slip malware-ridden photographs through. With no mechanism for intercepting messages in transit, and with content sent over the service being far more difficult to scan for viruses or other malicious attacks, the hackers could access the account, check photographs and even hijack the account.

The next one is rather more dangerous, as it involves your money as well as your personal details. The security measure in question has been deployed by almost all companies across the world, including many high-profile websites such as Google, Facebook and Amazon, among others. We are talking about two-step verification. According to a Daily Mail report, hackers have used a common vulnerability in telecom networks to steal access codes to online bank accounts.

Users will be oblivious to the fact that their accounts have been compromised until they see a random transaction made on the account or find that a malicious message has been sent on social media. The reports state that criminals were able to exploit Signaling System 7 (SS7). SS7 helps networks route calls and texts by switching signal towers. Here, hackers are redirecting data and intercepting the two-step authentication using the SS7 service.

One of the first attacks was reported in Germany. According to German newspaper Süddeutsche Zeitung, telecoms company O2 Telefonica has confirmed the attacks, although the number of affected customers remains unknown. Daily Mail states that the attacks were brought to the attention of legislators in the U.S. way back in 2014, who have initiated a crackdown on the fault.

Congressman Ted W Lieu said in a statement: “Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security.”

Even though legislators have known about this problem since 2014, there hasn't been much noise around it. In fact, the world's largest internet companies still continue to restrict themselves to this method, leaving users at the mercy of hackers.

The silver lining is that hackers must pass the first stage of verification, which includes your username and password, to initiate the attack. But again, the number of hacks reported every day puts you right back at the center of the table. Thankfully, you can find out whether your account has been compromised in one of those thousands of mass data breaches: visit the site 'Have I Been Pwned?'. A key factor is having different passwords for different sites. A second method is updating your password every now and then. You can also deploy a reputable password manager that can help you generate complex passwords and save them in an encrypted format.