fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Police Crack SMS Phishing Operation

Police Crack SMS Phishing Operation

Federal and New South Wales police in Australia say they’ve broken up a sophisticated SMS phishing scheme designed to collect personal details and bank login credentials. The investigation took more than a year.

It’s a rare success in the fight against unsolicited text messages, which at the most benign end come from aggressive marketers and the more pernicious end from cybercriminals.

Two men are accused of “smishing,” which is a portmanteau of SMS and phishing. Police allege the two sent tens of thousands of SMSes in one go, impersonating Australian financial institutions. The links led to phishing sites at which victims would be asked their login credentials and other personal information.

Also Read: New Data Protection Laws Australia: How Implementation Works

Chris Goldsmid, the Australian Federal Police’s commander of cybercrime operations, tells Information Security Media Group that police seized nine SIM “boxes,” which are devices that hold dozens of SIM cards and can transmit thousands of messages. The operation had a “significant capability to send SMS phishing text messages at scale,” he says.

One telecommunications company, which was not identified, saw 49,000 messages delivered via its network in one week. In another case, the men allegedly sent 10,000 smishing messages over a two-week period. Forty-five customers of one bank, which was not named, were tricked, and one person had 30,000 Australian dollars ($21,100) stolen.

Charges Levied

Two search warrants executed in the Sydney area resulted in the seizure of hundreds of SIM cards, fake ID documents, 50,000 Australian dollars, a money counter, mobile phones, hard drives, computers, methamphetamine and drug paraphernalia.

Police arrested A. Smith, 50, of Macquarie Park, who appeared during a brief hearing in Sydney Central Local Court on Wednesday. The other suspect, a 36-year-old from Burwood, is expected to be charged soon, an Australian Federal Police spokeswoman said Thursday.

Smith has been charged with eight counts of false information, abusing a telecommunications network, dealing with identity and financial information and dealing with proceeds from crime and one drug-related count.

The investigation involved major Australian banks – including ANZ, Commonwealth Bank and WestPac – and operator TPG Telecom, according to the AFP.

Goldsmid says he is limited in what he can say about the operation because the court cases are pending, and police did not want to reveal information that would serve as clues to other fraudsters.

“Criminals are always looking to exploit vulnerabilities in technology, vulnerabilities in processes, whether that is registration of SIM cards or bank accounts, and using them for crime,” Goldsmid says.

Expert: How Fraudsters Evade

Australian law requires mobile phone customers to provide a name, birth date and home address to activate even a prepaid SIM card. If someone is going to activate more than five devices at once, there’s more identification required, according to the Australian Communications and Media Authority.

But there are workarounds that fraudsters can employ, says Alex Tilley, a former AFP senior tech analyst in cybercrime operations who now is a researcher with Secureworks in Australia. For example, they can use stolen identity details or make up the details out of thin air. But it’s a fast-moving game.

“The telcos will eventually figure it out,” Tilley says. “But you need [the SIM cards] to work for one morning or maybe a week before you move on. The whole idea of this crime is you can churn it over so quickly that you are getting ahead of that detection cycle.”

Once fraudsters have acquired SIM cards, those cards are put into SIM boxes. Those devices, which have legitimate uses, are also used for interconnect bypass schemes, which can deprive telecommunication companies of revenue. The SIM boxes are then networked with an operator, either through trunk lines, wireless or in other ways, Tilley says.

Also Read: Unbelievable Facts About NRIC Check Digit Algorithm

One technique fraudsters use to increase the appearance of legitimacy in their messages is to spoof the senderID. So rather than seeing a phone number, the message would say it came from Apple or Australian government services, such as myGov, the government services portal.

Spoofing the senderID makes it even more difficult for people to detect an attack because sometimes the messages end up in the same thread on a person’s phone as those that came from the legitimate provider.

Telstra, the largest mobile operator in Australia, said last week it had developed a way to reject messages with a spoofed sender.

Targeting Phone Numbers

Another key question is how the target phone numbers were obtained. Data breaches and marketing databases could help fuel the operations. “It’s very easy to get a list of thousands of thousands of Australian phone numbers that are active,” Tilley says.

Often, large-scale smishing operations are not very targeted. It’s common, for example, for someone to get an SMS impersonating a bank that they do not use, which is easy to dismiss. Tilley says it’s a pure numbers game, and if fraudsters get enough of a response for their effort, more targeting isn’t necessary.

SMS also offers an edge over phishing emails, which are more likely to be viewed with suspicion, Tilley says.

“SMS has always been the bane of existence for security people,” Tilley says. “There’s no guarantee of authenticity.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us