Smishmash - Text Based 2fa Spoofing Using OSINT, Phishing Techniques and a Burner Phone

Captions
Yeah, we're here today to present our research around 2FA bypass, and we call it Smishmash because it's really a mix of techniques. It's called text-based 2FA spoofing using OSINT, phishing techniques and a burner phone, and our burner phones, we brought them. Yeah, we've got an old Sony Ericsson and a Nokia N900, the old hacker phone, as you all know. But unfortunately you're so far ahead in phone service here that you have disabled 2G and 3G, so they don't work here, so we'll have to do the demos during other meets. But you have to take our word for it: they work really well in Sweden, in Europe. In Europe they work really well. We didn't have time to buy any more modern burner phones, but the idea is the same, and the demos will work the same on modern hardware.

So, about us. I'm Thomas Olofsson. I've been working with security for a long, long time. I'm also the founder of SEC-T.org, a Swedish security conference running yearly. I used to play CTFs back in the good old days, and actually managed to win the DEF CON CTF way back in the day, so it barely counts anymore, before it became this big and complicated and hard to win. I'm into secure coding and secure development, and except for doing hacking and IT stuff I like climbing, diving and motorcycles, really safe sports actually. Michael? Yeah, hi everyone, I'm Mike, a hacker and also a co-founder of IO, also a lock picker and a collector of intel.

So basically, this talk: if you don't want to attend the whole talk, I'm going to start with our conclusions. And the conclusions are basically that text messages, SMS, for two-factor authentication is broken. This is no news for a lot of us. I worked in the telco industry, and this is no news; it's been broken since the inception of GSM. It was never intended to be used for anything like this, and we have been spoofing text messages for as long as we've been hacking, and Michael has some good stories about that actually. Yeah, I have some great examples: a colleague that was abroad received a text message from the local police that he had fraudulent charges on his card, so he called them up. But of course the local police doesn't send text messages when you get fraudulent charges. So these techniques have been working for years; it's just now that we're seeing the mainstream adoption and weaponization of this, but the actual hacking techniques have always been there.

So, a bit of setting the scene. The last couple of years, it started in like 2016-17, we saw some data about that, but then it's just been escalating, where you've seen in the media, in the computer media, with very little detail about how they do it, like whoa, account takeover via phishing, smishing, and they're bypassing the 2FA. So we were interested in like, oh, when they empty the account they sell all the data or the Bitcoins or the NFTs, because this has been predominantly active in the crypto space, as you can imagine. So we wanted to research how they are doing this, what's the modus operandi, how did they do it, what do you actually need to facilitate these attacks, and can we reproduce it in a good way. And at the end of the talk we're going to get to how you actually protect against this and what you can do to change it.

The first hack that got mainstream media attention was the Outlook bypass a couple of years ago, but when we researched it, that one was actually a misconfiguration or open port where you could go in on the Exchange servers and change the two-factor authentication settings. So that one doesn't really count for this. I mean, it is a 2FA bypass, but you're actually hacking the Outlook server to more or less switch off the 2FA, which I think is cheating, because then it's not actually a 2FA bypass, it's more a misconfiguration or a vulnerability. But if you look at the more modern hacks, we have crypto.com; all the modern crypto exchanges, for instance, have been attacked during the last couple of years and lost millions and millions and millions on this.

So we looked at some of these attacks, and these smishing trends. I know there are discussions on Twitter like, why do we need another word, smishing, for this, and I sort of agree, but it is its own thing, so I sort of object there. I think smishing is very different from phishing, because most of the phishing protection mechanisms that we have only work for email and your built-in browser. It doesn't actually work from apps: if you're in Telegram or Signal, all of these links actually get to you totally unchecked. What we see statistically, according to some research which is not our own, is a huge increase in the number of smishing links sent in the last year. How many of you have got an unsolicited text message in the last couple of weeks? Yeah, I get at least 10 a week now, and the reason for that is that your phone numbers are increasingly being leaked in the leak dumps, and the attackers are starting to exploit that. It's actually very hard to verify the integrity of the sender of these messages, and this leads to up to 35 percent of the people targeted not even understanding that they are being targeted by a smishing attack. So for some reason the text message still has a higher implicit trust than emails, especially with the older user base. It's like, no, I got the text message from the police, or from Microsoft, I need to call the police because the police texted this to me. Whereas we all know you can spoof emails, and there you get hundreds of spam emails. We're now getting to that point, but the market is not saturated yet, so we still have a higher trust, and that's why these attacks have a much higher success rate and that's why we're seeing such an increase in them. Also contributing to this, as we will show in the demos, is the mobile browser functionality, which actually plays into the hands of the attacker.

And that brings us to the eternal source of leaked user data that just keeps rolling and rolling and rolling. We had the Twitter leak last week, which we haven't indexed yet; we have the sample files, we have the phone numbers from there. So the number of leaked phone numbers is just exploding. Also, on my way here I had to check in on American Airlines to get my boarding pass, and I had to put in my phone number, not only my email; I also need my phone number now to actually get a boarding pass. So there are more and more leaked phone numbers coming out, which is really Michael's forte. Yeah, so what we have done: everyone knows all the regular hacker forums and breach forums where they leak these credentials and phone numbers. It's both on clearnet websites and on the dark net. We can combine them together into an Elasticsearch where it's easily searched. We also have been collecting from ransomware sites, which have increased recently as well. How do these forums work for you? Yeah, here we have an example of a site where they post leaked credentials. Usually they all work the same: you need points to download the leaks, and you get points by either posting your own leaks or paying. And most of the leaks that are available on Have I Been Pwned etc. are publicly available on these sites, basically for free; they're always located there. And then we have the leak files, and this is just a screenshot from today, because we like to be up to date, so these are the companies you can download today. Yeah, this is a ransomware site where it shows what companies have chosen not to pay, good work of them. And then, when we were doing this research we actually got so much spam, like, do you want to buy the attendee list of Black Hat 2022? So we actually had to do that; we actually bought that list and indexed that one as well as part of the research. How much did it cost? We got it below a hundred dollars; if you're texting back and forth with these guys, we got below 100 to buy the attendee list of Black Hat 2022. So we indexed that in our data set for this research as well.

So yeah, here you can see some of the leaked credentials that we have imported into Elasticsearch. It's around 500 million right now, and we're going to release this data later. It's actually live now, the 500 million that we have indexed. And we have found credentials with more than a billion leaked phone numbers; we haven't had time to index all of them, because it takes a long while and the data is very unstructured in some ways. So basically, all your numbers are belong to us. So, do you want to see a demo of this, that we can actually get some phone numbers and tie them to emails? He has a better Unix beard than me, that's why. So let's start by searching for our lovely CEO that's here in the crowd. He's always a good target to search; he's in all breaches. We don't import the breach if Brian is not part of the breach, it's not worth importing. Yeah, so we see here that Brian exists in three dump files: P2 Beta Labs, the LinkedIn scrape, and risley.com. And we can also search by phone number, and this is actually Brian's real phone number, so you can call him if you want to. Yeah, please do. And then we can also do the reverse search: we can search for Brian's phone number and see which other leaks he has registered in under other email addresses. So this is real data, and it's actually really scary. And we're actually making available a test site where you can actually see if your data has been leaked, if your phone numbers have been leaked. I know Have I Been Pwned is starting to import as well, but we've done quite a lot of importing. We're going to publish the links later; they come at the end of the slides. Back to the presentation, I guess.

So basically, what we thought of as a leaked credential used to be username, password or hash. What we're doing now is saying that, well, actually, if you have username, cracked password and your telephone number, you have a good chance to actually use that information to bypass 2FA, because a lot of the 2FA solutions only allow text messages. Some of the banks in the US, I've heard, only allow text-based 2FA; you can't have TOTP or any more secure devices. So in a lot of places you don't have any choice. So basically what this means: we have indexed a total, you have the numbers down here, of 4.8 billion unique email-password combinations, and we have 524 million indexed phone numbers, and we're very close to a billion, which means that we can tie one in every five email addresses to a valid phone number. So that's how broad the attack spectrum is for the adversaries if you do this.

So we looked at some of these attacks, and we're going to be fairly quick on this. The official response is, yeah, we've seen a small number of users reporting suspicious activity, but we will be pausing withdrawals. That means it's not a small number, because it's a lot for people, because they're losing a lot of money. In this attack crypto.com lost 34.6 million from several hundred accounts, and our research indicates, yes, they were targeted because they had a lot of leaked credentials. So the users are targeted because they have leaked credentials and leaked phone numbers. Leaked phone numbers are important, because that's why you can bypass the 2FA. Similar with OpenSea: OpenSea reported multiple attacks, because NFTs were super popular last year and you can buy a pixelated monkey for like millions. So for some reason kids had millions worth of pixelated monkeys that people wanted to steal, so phishing and smishing attacks in this area are rife. So basically what they did is they found people's phone numbers, did this smishing attack and said, hey, we upgraded our contract, so to keep your pixelated monkey safe you need to upgrade the contract and transfer them to the new contract. They actually copied word by word the mail from OpenSea, but they pointed the contract to execute the transfer of all their NFTs into the adversary's wallets. Oh, and while we were doing this research, this happened last week: they were also breached and had all their contacts and emails leaked. Yeah, it was a third party, so it was not a breach of themselves, but in general we are seeing a lot of breaches.

Looking at this attack, for instance, Coinbase said, in order to access your account these third parties needed prior knowledge of the email address, password and your phone number, and that's basically what we're saying here. Yeah, we can get there for one out of five people. However, in that incident they also exploited some vulnerabilities during the account recovery process, and this is the most common way of fooling 2FA: to actually initiate a password reset and then fool the device, and we'll demo that very soon. So, account recovery. We looked at five or six different attacks; two or three of them were account recovery. Number two was SMS injection, where you initiate the login. Some sites, I mean, you can log in to basic functionality with just username and password, but if you want to do a transfer then you need 2FA. So what the attackers are doing then is they're initiating a transfer, then sending an SMS to the victim saying, hey, there is something wrong with your account, input your credentials, and doing a man-in-the-middle attack. We can demo this. This is also very common now, this attack combining smishing with adversary-in-the-middle proxies, so you're actually getting the real credentials as the people input them. And number four, which we're not going to talk too much about here, but another common way is SIM jacking or SIM cloning or SIM porting. Basically, Michael? Yeah, well, it's very common here in the States at least that you social engineer telephone companies to switch the account to another SIM card, or you can go in with a false ID and say, hey, I want to buy a new subscription for Verizon, can you port over my number from this other phone. I wouldn't recommend doing that, but it's been known to happen.

But in general the account recovery process is very relaxed, and this is actually my account. If I go in and try to do account recovery on myself on Google, and remember, Google has the most tested, well-known process for account recovery of everyone in the world, because they have the most users, but even they, I think, are a bit relaxed. It gives away the ending of my phone number and parts of my other email addresses. This is giving away a lot of data if I also have the dump files.

But yeah, let's talk in general about text messages. Text messages were invented in 1984 as part of the GSM specification, and the first text was sent in 1992 and said "Merry Christmas". Originally it was like, they had padding left in the data packets because of alignment, so they had a couple of characters left, so some engineer there was like, what can we do with this? Ah, we can put in 7-bit ASCII, and we can encode it on the line and run it over the network, and then text messaging was basically born. It was never intended to be a security protocol at all. Literally, there is no verification of anything except it being 7-bit ASCII. There is no sender verification, there are no checksums, there's nothing. It's just 7-bit ASCII encoded on the line, and then pulled up by the baseband chip and displayed. So getting a text message from Santa Claus is as valid, according to the specifications, as one from a phone number, and that's why we see now that we are getting all these text messages from, like, Verizon, where you're getting these text messages that are not intended, but that's how the protocol is used. So there's a couple of ways to send text messages: manually via your phone, but then through a modem and old phones, which we were going to demonstrate here, and it's good, because we're not going to have time for that demo anyway. But you have to trust us: you can just plug in a USB cable, write some AT commands, transpose it to 7-bit ASCII and send it off. Or you can use an API service, and that's what we're going to demo now, the spoofing stuff.

Okay, let's see, start another one. It's green, recording, come on. Thank you. Okay, this worked a second ago, let me see; otherwise we have videos, because that's boring. A new movie, restart the QuickTime. Okay, this is always the thing with live demos, huh. Fine. Oh look at us, sweet close-up. Not working. Okay, now, there we go. Fantastic, let's go.

So what we're seeing here is the point of the attack from the adversary, where we're seeing the phone to the left, which is my actual normal phone, and then we have some scripts that are going to use API providers. We actually got blocked, not for spoofing the SMS, because that's totally okay; we got blocked because some of the payloads that we were sending were deemed bad by some providers, so we have switched to another. There are literally hundreds of providers out there. Let's see, is the cable bad now? Yeah, it's not showing up on screen. So I got the text message here from Binance, let's see if it shows up again. Try it again, and change close-up. Okay, bad cable. So you just have to watch the video then. I'll just use this one, try, and we're going to try one cable for you to see this; otherwise we're going to have to go to the videos of the demos. Recording, come on, yes, new cable. Binance, new text message.

So I click on the Binance text, and I Face ID, I use my passcode. What we're seeing here, if you select the window here, this is actually inside my normal, I do have a Binance account, and this is the real Binance account, where they're sending my verification code: "You're requesting a transfer. If this was not you, please be aware of spam calls and SMS phishing." So obviously we're doing the same; we're copying their text and basically saying, your account is blocked due to suspicious activity, to unlock your phone and/or your account please go here. And obviously the domain name would not be demo.smishmash.net, and we're not going to do Binance, we have set up our own crypto exchange .com. Don't sue us, so we don't get sued live, because it would be bad to do this on the real one. So, crypto exchange, this is my email, and look here: there is a code, and this is actually from the real SMS that comes from Binance, because we're also initiating a login or a transfer. And boom, just fill it in and hit next, and we're redirected to, in this case, crypto.com, because this goes for all of them. And on the adversary side we actually get the username and the token, as well as the session tokens, to actually log in and complete the transfer. As you see, it's actually very hard to spot on the phone that you're being man-in-the-middle attacked and phished. And the thing is that the text messages actually show up, and here we have another script, so we're actually texting the credentials to ourselves as well, via texting from "file", which is our company, because you can send text from anything.

And you can also do this through Google; we have some sample for Google, I think. Yeah, a fake message from Google, because they actually say "message from Google", and it shows up in my normal auth messages. Coinbase is using the same short code: suspicious activity on your account, please verify your credentials. Yeah, I'm going to do it; always click, always click these links, very good. And if the internet is quicker here you're going to see what's happening now. The internet is not super fast, but we are getting the requests eventually, as you can see from the adversary point of view. It's loading, maybe it's on the way. It should be. Hmm, come on, let me click on it again. Binance, yeah, "cannot write the last response from man-in-the-middle client". Okay, so we might have to show you the recorded one, sorry. Click again, click again. They worked really well before this morning, so we're blaming network speeds actually, I would say. accountsgofishing.com. But yeah, let's do the video, do the video of that one. Screen recording in here, oh okay, now, yes, because I'm doing that it is low speeds.

So basically what would happen if we had the faster speed here: the actual pre-fill would actually overlay the bar, if you show the phone again. So what's happening here is that my pre-filled credentials to log in to Google, no, it didn't work, will actually overlay the bar. So I'm going to use Black Hat, let's go find anything now, and my Google verification code, very small here, actually gets pre-filled. Let's stop. So what's happening here is that my credentials from Google, and these are the real credentials, actually get pre-filled in the "enter code" field even though I'm going to a man-in-the-middle site and not the intended site, because they come from the same source, which was spoofed. So I now log in, and now we're going to get an error, because I'm redirected to the .sc domain which I don't have a certificate for, for this demo. But as you see here, we have the token already on the adversary side, so I'm logged into my Google account with the real 2FA codes through the man-in-the-middle proxy. So yeah, sorry about the demos, there was a bit of cables and slow internet, but that's the idea, and that's how people are doing it: you inject yourself into the SMS stream.

And then we found, if you're doing this professionally, if you're a big-time adversary, you don't have crappy code; you go into your famous Chinese site and you buy the hardware. For like 160 bucks you can buy custom hardware that does all this SMS spoofing for you, and you can even buy bigger rigs, for going large scale with these attacks, where you can slot in like 64 SIM cards in parallel and just brute force these away. And funnily enough, they're actually marketed with: you can also, from AT commands, change the IMEI number, which is the hardware number you're sending from, so you totally can't be tracked, and you can also set the SMSC sender to whatever you like on these devices. This you can just order off eBay or Chinese eBay. And funnily enough, on some of them, look at that screenshot of the marketing materials, they're actually marketing them with "here's your Google authentication code". So this is sort of a well-known secret that this is possible; it's not like no one's heard of this, they're actually marketing them this way. So the idea that we just showed is that we have a phished user, an adversary in the middle, and TLS set up, but we can still do this.

So, okay, we're over time, but I'm just going to say some closing remarks on protection against this. We have seen a couple of the really targeted sites protecting against this, and there are several ways. reCAPTCHA seems to be the most common, because there you can set a cookie for which site the reCAPTCHA can come from, so at least you as a user will see, if you're on the man-in-the-middle site, that there's an error in reCAPTCHA. Some sites are protecting with CloudFront cookies; you can do that in a similar way. And you could most likely protect with CORS. We're doing some experimentation with this, with setting up the CORS headers correctly between the API service and the site. Everyone uses CORS star, like everywhere, everyone's like, yeah, of course, that's fine, but you could protect against these types of man-in-the-middle attacks by doing correct CORS setups. So there are ways to protect against these attacks.

So we're fully releasing all the research data that we've done on this, under an S3 bucket, so you'd better take a picture of this slide, because that was the best we could think of. We wanted to release it as late as possible to get as much data as possible into this dump file. The dump file is about 50 to 60 gigs, so that's why we put it on an S3 bucket, because it's a lot of numbers, and the emails are hashed in that one, SHA-1 hashed, so you can search yourself. So the key takeaways from this: one in five email accounts can be tied to a phone number; SMS has no built-in security and can be spoofed; it's hard to spot fake sites on the mobile, because the mobile actually hides the bar of where you're going; and the mobile will automatically fill the 2FA tokens, the correct ones, to help you. Okay, thank you guys, we have to get ready for the next briefing, but thank you guys for attending.
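As an added illustration of the encoding the speakers describe (this is example code written for this page, not material from the talk or its authors), here is the GSM 03.38 7-bit packing used for the SMS user-data field, which shows that the payload is just septets squeezed into octets with no sender authentication or integrity field alongside the text. Only the basic character table is handled; the escape/extension table is left out (an assumption for brevity).

```python
# Example code added for this page (not from the talk): GSM 03.38 7-bit
# "default alphabet" packing of the SMS user-data field. The text is
# mapped to 7-bit septets and packed LSB-first into octets; nothing in the
# field authenticates the sender or protects the content's integrity.
# Assumption: only the basic 128-entry table is supported (no ESC extension).

GSM_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM_BASIC) == 128

MAX_USER_DATA_OCTETS = 140  # TP-UD capacity of a single, unconcatenated SMS


def max_chars_per_sms() -> int:
    """Number of 7-bit characters that fit in one 140-octet user-data field."""
    return MAX_USER_DATA_OCTETS * 8 // 7  # 160


def pack_septets(text: str) -> bytes:
    """Map each character to its 7-bit code and pack the septets LSB-first."""
    septets = [GSM_BASIC.index(c) for c in text]  # ValueError if unsupported
    bits, nbits, out = 0, 0, bytearray()
    for s in septets:
        bits |= s << nbits  # append the next septet above the bits pending
        nbits += 7
        while nbits >= 8:  # emit every complete octet
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:  # leftover bits are zero-padded into a final octet
        out.append(bits & 0xFF)
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> str:
    """Recover `count` characters; the count is needed because zero padding
    is indistinguishable from a trailing '@' (code 0x00)."""
    bits = int.from_bytes(data, "little")  # matches LSB-first packing
    return "".join(GSM_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(count))


def encode_user_data(text: str) -> bytes:
    """TP-UDL (septet count) followed by the packed text: length plus data,
    and nothing else."""
    if len(text) > max_chars_per_sms():
        raise ValueError("text exceeds a single SMS user-data field")
    return bytes([len(text)]) + pack_septets(text)


def decode_user_data(field: bytes) -> str:
    """Inverse of encode_user_data: read TP-UDL, then unpack that many septets."""
    return unpack_septets(field[1:], field[0])


if __name__ == "__main__":
    # Constructed sample: the classic "hellohello" test string from the spec.
    packed = pack_septets("hellohello")
    print(packed.hex())                      # e8329bfd4697d9ec37
    print(unpack_septets(packed, 10))        # hellohello
    print(max_chars_per_sms())               # 160
```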
Info
Channel: Black Hat
Views: 15,821
Id: XAGTnJZwLtQ
Length: 32min 21sec (1941 seconds)
Published: Thu Nov 17 2022