Swapped SIM used in phishing attempt

17 June 2020 01:29 am


  • Several hours after the messages started appearing, more details became clear. The number used for the attack was one that was registered with, possibly amongst other groups, the very popular WhatsApp group curated by Groundviews
  • The phishing attempt that targeted journalists and others working in related fields should have raised a heap of red flags
  • Even that group sprang a leak, when someone linked in forwarded a message to someone outside of it and the message was traced back to the group
  • For those who politely refused the request for the WhatsApp code there was a bit of farce that followed, complete with crying emojis

Sunday morning, this message appeared on the WhatsApp feed of dozens of phones, most in Sri Lanka, some outside.   
Those who are careful about online hygiene through choice or necessity tend not to reply to these types of messages, especially from unknown numbers. The situation changes if the message comes from a known number or one that is in the contacts.   


Many who got this message did not react. But as far as I know, a few did and sent their WhatsApp log-in code to the number. Shortly after receiving the message, the same phones got a message from WhatsApp with a six-digit code. The code is sent when the number is logged on to WhatsApp from a new device.   
By sending this security code to an outsider, the WhatsApp app on the target phone is rendered accessible to a third party. This is the best-case scenario. In the worst-case scenario, data from other apps, contacts, messages and online backups also risk compromise.   


The bigger question marks lie over the number that was used for this kind of cyber-attack, called phishing. The number from which the message with two hearts originated came off a SIM card that was swapped. The registered owner of the SIM was in possession of the SIM and the phone when this attack was underway. Swapping a SIM is not a simple task. What it really involves is convincing the carrier to transfer the number to a SIM that the attackers own. Even high-profile targets like the head of Twitter faced such an attack in August 2019. Here is where this story takes a sinister turn.   
Several hours after the messages started appearing, more details became clear. The number used for the attack was one that was registered with, possibly amongst other groups, the very popular WhatsApp group curated by Groundviews.   


“The compromised, cloned mobile number was on the original Groundviews WhatsApp group used to send updates. It is highly probable that the 1st recipients were harvested from the other subscribers in that group. The compromised number may have also been on other (journalist) WhatsApp groups as well,” a subsequent Groundviews statement said.   
Groundviews also hinted at some details of the compromised number – “the registered owner of the number along with the institution the owner works in is seriously investigating this breach. It is up to this registered owner to lodge a complaint, for what it is worth, with the local authorities around this case.”   


And on the level of tech sophistication that is required to carry out such a cloning – “in sum, this is an attack that used a combination of technical prowess and confidence hacking (many in the group may have the compromised/cloned number associated with an address book entry in their phone). Again, this demonstrates strategic intent and technical resourcefulness.”   


The phishing attempt that targeted journalists and others working in related fields should have raised a heap of red flags. There is already evidence that phone tracking is taking place in Sri Lanka with limited reach as part of epidemiological tracing efforts of COVID-19 infections. What is not known is the potential reach and width of these capabilities and to what other purposes they can potentially be employed in the future.   
A few hours after the phishing attempt was made public by Groundviews, many colleagues back in Sri Lanka were talking of a mass migration to more secure apps. More worrying, but not noticed by many, are the dismal levels of digital hygiene in Sri Lanka in general and among the media fraternity in particular.   


Groundviews later closed down the WhatsApp group, but not before warning “what’s happened now - and likely to happen again - is a security risk that will grow at pace with the general surveillance landscape in Sri Lanka.”   
Use of small groups connected through mobiles is nothing new in Sri Lankan media circles. The earliest I was part of was one that was used by a trusted group of journalists to exchange information at the height of the war. All members of the group were known to each other.   
Even that group sprang a leak, when someone linked in forwarded a message to someone outside of it and the message was traced back to the group.   


WhatsApp groups have been far more prolific and widespread, used by everyone from the neighbourhood three-wheeler park to moms at the school. They became essential mainstays for journalists during the October 2018 Constitutional Crisis and then the Easter Attacks.   
For those who politely refused the request for the WhatsApp code there was a bit of farce that followed, complete with crying emojis.   

The writer is a Post-grad Researcher at CQUniversity, Melbourne focusing on online journalism and trauma 
Twitter - @amanthap 
