Exploiting Phone Numbers and Cross-Application Features in Targeted Mobile Attacks

Smartphones have fueled a shift in the way we communicate with each other via instant messaging. With the convergence of the Internet and telephony, new Over-The-Top (OTT) messaging applications (e.g., WhatsApp, Viber, WeChat) have emerged as an important means of communication for millions of users. These applications use phone numbers as their only means of authentication and are becoming an attractive medium for attackers to deliver spam and carry out more targeted attacks. The universal reach of telephony, along with its historically trusted nature, makes phone numbers attractive identifiers for reaching potential attack targets. In this paper, we explore the feasibility, automation, and scalability of a variety of targeted attacks that can be carried out by abusing phone numbers. These attacks can be carried out over different channels, viz. OTT messaging applications, voice, e-mail, or SMS. We demonstrate a novel system that takes a phone number as input, leverages information from applications like Truecaller and Facebook about the victim and their social network, checks for the presence of the phone number's owner (the victim) on the attack channel (OTT messaging applications, voice, e-mail, or SMS), and finally targets the victim on the chosen attack channel. As a proof of concept, we enumerated a random pool of 1.16 million phone numbers and demonstrated that targeted attacks could be crafted against the owners of 255,873 phone numbers by exploiting cross-application features. Given the significantly increased user engagement via new mediums of communication such as OTT messaging applications, and the ease with which phone numbers allow the collection of pertinent information, there is a clear need for better protection of applications that rely on phone numbers.
