DOI: 10.1145/2994459.2994471
Research article, ACM CCS conference proceedings

Exploiting Phone Numbers and Cross-Application Features in Targeted Mobile Attacks

Published: 24 October 2016

Abstract

Smartphones have fueled a shift in the way we communicate with each other via Instant Messaging. With the convergence of Internet and telephony, new Over-The-Top (OTT) messaging applications (e.g., WhatsApp, Viber, WeChat) have emerged as an important means of communication for millions of users. These applications use phone numbers as the only means of authentication and are becoming an attractive medium for attackers to deliver spam and carry out more targeted attacks. The universal reach of telephony, along with its historically trusted nature, makes phone numbers attractive identifiers for reaching potential attack targets. In this paper, we explore the feasibility, automation, and scalability of a variety of targeted attacks that can be carried out by abusing phone numbers. These attacks can be carried out on different channels, viz. OTT messaging applications, voice, e-mail, or SMS. We demonstrate a novel system that takes a phone number as input, leverages information from applications like Truecaller and Facebook about the victim and his or her social network, checks for the presence of the phone number's owner (the victim) on the attack channel (OTT messaging applications, voice, e-mail, or SMS), and finally targets the victim on the chosen channel. As a proof of concept, we enumerated a random pool of 1.16 million phone numbers and demonstrated that targeted attacks could be crafted against the owners of 255,873 of them by exploiting cross-application features. Given the significantly increased user engagement via new communication media such as OTT messaging applications, and the ease with which phone numbers allow collection of pertinent information, there is a clear need for better protection of applications that rely on phone numbers.



Published In

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices
October 2016
130 pages
ISBN: 9781450345644
DOI: 10.1145/2994459

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. caller id applications
2. cross-application features
3. facebook
4. over-the-top messaging applications
5. phishing
6. phone numbers
7. security
8. targeted attacks
9. truecaller
10. vanity numbers
11. vishing

Conference

CCS'16

Acceptance Rates

SPSM '16 Paper Acceptance Rate: 13 of 31 submissions, 42%
Overall Acceptance Rate: 46 of 139 submissions, 33%

Cited By

• (2024) Cognition in Social Engineering Empirical Research: A Systematic Literature Review. ACM Transactions on Computer-Human Interaction 31(2):1-55. DOI 10.1145/3635149. Online publication date: 29 Jan 2024.
• (2022) Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations. ACM Transactions on Privacy and Security. DOI 10.1145/3546191. Online publication date: 30 Jun 2022.
• (2021) Entering Watch Dogs*: Evaluating Privacy Risks Against Large-Scale Facial Search and Data Collection. IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pages 1-6. DOI 10.1109/INFOCOMWKSHPS51825.2021.9484550. Online publication date: 10 May 2021.
• (2020) Who's calling? Characterizing robocalls through audio and metadata analysis. Proceedings of the 29th USENIX Conference on Security Symposium, pages 397-414. DOI 10.5555/3489212.3489235. Online publication date: 12 Aug 2020.
• (2020) Design and Evaluation of Enumeration Attacks on Package Tracking Systems. Information Security and Privacy, pages 543-559. DOI 10.1007/978-3-030-55304-3_28. Online publication date: 6 Aug 2020.
• (2018) Breaking Users' Mobile Phone Number Based on Geographical Location: A Case Study with YY. Information 9(8):200. DOI 10.3390/info9080200. Online publication date: 6 Aug 2018.
• (2018) Under the Shadow of Sunshine. Proceedings of the 10th ACM Conference on Web Science, pages 67-76. DOI 10.1145/3201064.3201065. Online publication date: 15 May 2018.
• (2017) Towards Understanding Crisis Events On Online Social Networks Through Pictures. Proceedings of the 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2017, pages 439-446. DOI 10.1145/3110025.3110062. Online publication date: 31 Jul 2017.
• (2017) Aspects of Voice Communications Fraud. Global Security, Safety and Sustainability - The Security Challenges of the Connected World, pages 69-81. DOI 10.1007/978-3-319-51064-4_6. Online publication date: 4 Jan 2017.
• (2016) A study of the personalization of spam content using Facebook public information. Logic Journal of IGPL 25(1):30-41. DOI 10.1093/jigpal/jzw040. Online publication date: 5 Aug 2016.
