Threat Watch

Hackers Hijack Telegram Accounts by Stealing 2FA Codes Sent Through SMS

Attackers with access to the Signaling System 7 (SS7) network used it to target senior employees in the cryptocurrency industry, intercepting the two-factor authentication (2FA) codes sent to the victims by SMS. According to Tsachi Ganot, whose company, Pandora Security, investigated the incident, all of the evidence points to an SS7 attack. The attacker impersonated a mobile network operator's switching equipment and sent an Update Location request for the targeted phone number. That request tells the victim's home network that the subscriber is now roaming on the attacker's network, so calls and SMS messages for that number are routed to the attacker's spoofed message service center instead of to the victim's handset. Because the attacker controlled that message center, they received every message sent to the phone, including the 2FA codes. Combined with credentials compromised earlier, the intercepted codes let the attackers log in to the victims' accounts. Telegram was the main application targeted: once inside, the attackers used the hijacked accounts to privately message the victims' contacts and try to talk them into cryptocurrency exchanges. It is not believed that anyone fell for the scam.

ANALYST NOTES

SS7 attacks are becoming more common as more threat actors learn how these sophisticated attacks work. SMS is widely regarded within the security industry as an insecure 2FA channel, because a text message transits the cellular signaling network and can be intercepted in transit by anyone with SS7 access, as happened here. It is recommended that all accounts be protected with 2FA using a mobile authenticator app such as Microsoft Authenticator, Google Authenticator, or another trustworthy app that generates time-based one-time codes (TOTP) locally from a secret shared once at enrollment, so no code ever crosses the cellular network. Where a service supports it, a hardware security key is stronger still. Note that this attack also relied on previously compromised passwords, so password hygiene matters as much as the second factor; for Telegram specifically, enabling its Two-Step Verification password means an SMS login code on its own is not enough to sign in.
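To make the recommendation concrete, the following is an added example (not code from the original article or from any of the authenticator apps named above) of the TOTP algorithm from RFC 6238 that those apps implement. The code is an HMAC over a 30-second time counter keyed with a secret shared at enrollment, so both sides compute it independently and nothing is sent over SMS. The secret and the expected values in the comments are the published RFC 4226 / RFC 6238 test vectors; the `verify_totp` server-side check with its clock-skew window and the `secret_from_base32` helper are my own additions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time divided into `step`-second slots."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (not part of the RFC) tolerating +/- `window` steps of clock drift.

    The comparison is constant-time so the check does not leak how many digits matched.
    """
    if for_time is None:
        for_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for skew in range(-window, window + 1):
        expected = totp(secret, for_time + skew * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret found in an otpauth:// enrollment URI; apps often omit the '=' padding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used by the RFCs' test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                        # RFC 4226 vector for counter 0: 755224
    print(totp(RFC_SECRET, 59, digits=8))             # RFC 6238 vector for T=59: 94287082
    now = time.time()
    code = totp(RFC_SECRET, now)                      # what the phone app shows right now
    print(code, verify_totp(RFC_SECRET, code, now))   # server accepts it within the skew window
```

The important property for this incident is that the secret leaves the phone only once, as a QR code at enrollment; after that, every code is derived on the device and never transits the carrier's network, so an SS7 redirection of SMS yields nothing.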

More details of this attack can be read here: https://www.bleepingcomputer.com/news/security/hackers-hijack-telegram-email-accounts-in-ss7-mobile-attack/