Slashdot Mirror


Hacker Uses Premium Rate Calls To Steal From Instagram, Google, Microsoft (helpnetsecurity.com)

Reader Orome1 writes: Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated. Swinnen calculated that, in theory, these options would allow an attacker to milk over 2 million euro per year from Instagram, 432,000 euro per year from Google, and nearly 700,000 euro from Microsoft by using a slew of fake accounts, multiple premium numbers, and different tools and approaches to automate the process.

37 comments

  1. steal them hot grits by Anonymous Coward · · Score: 0

    Hello from 2001!

  2. Not news by fubarrr · · Score: 3, Interesting

    We had the same thing in Russia around 11-12 years ago when there was the WAP and premium content craze. There was a guy from carders.su who wrote an MMS exploit that hacked Sony cellphones on A100 OS and made them send premium SMS in 2006. The whole Megafon cell network went down as it got DDoSed by the chain reaction of the virus spreading.

    1. Re: Not news by fubarrr · · Score: 1

      As I remember, the guy used a buffer overflow in EXIF parser

    2. Re:Not news by Anonymous Coward · · Score: 1

      This is not the same thing, as it's not tricking end-users' handsets into dialling the numbers, it's tricking the various companies' account verification systems. This is a big difference, because to go the handset route, you have to deploy malware on a lot of handsets, whereas in this case you only have to deal with one system (per company), and you don't have to hack it or deploy any malware, you just have to understand how the system works.

  3. No credit card? Try collect call back by Joe_Dragon · · Score: 1

    No credit card? Try collect call back. Dial 1-215-SEX-TALK and we'll call you right back.

  4. Click bait by ITRambo · · Score: 4, Insightful

    The story explains how the proof of concept exploit could work. It is tedious and was not likely to be used by sane people. The guy was awarded $2000 for discovering the loophole.

    1. Re:Click bait by fatquack · · Score: 1

      If you go to the original story (https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/) it shows exactly how he did it for real. He just stopped when he gained a little bit of money (1 Euro, 1 Pound and 1.20 Euro) and reported it.

  5. How much to do this legally? by gurps_npc · · Score: 4, Interesting

    As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.

    Slime keep trying to steal my privacy in exchange for nothing. They abuse the phone number and have no business asking for it. If they want my phone so badly, then PAY every time you call me. After all, I never want you to call me, so why shouldn't you pay to talk to me?

    --
    excitingthingstodo.blogspot.com
    1. Re:How much to do this legally? by Joe_Dragon · · Score: 1

      But then each time someone calls you have to state the rate and give them a chance to hang up without being charged.

    2. Re:How much to do this legally? by jellomizer · · Score: 1

      I assume you don't care about your friends and family and legitimate business transactions.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:How much to do this legally? by pla · · Score: 3, Interesting

      You can have more than one phone number, y'know... :)

    4. Re:How much to do this legally? by Grishnakh · · Score: 3, Funny

      You've just identified yourself as someone who doesn't belong on this site, since you can't even conceive of having multiple phone numbers. Shut down your account and go somewhere else more suitable for you, like TMZ.com.

    5. Re:How much to do this legally? by Anonymous Coward · · Score: 0

      Because slashdot, of all places, has standards?

      Probably the funniest thing I'll read all day.

    6. Re:How much to do this legally? by gurps_npc · · Score: 1

      I am fine with that - most of the shmucks that ask for numbers like this use robo callers. I should make quite a profit from robo callers ignoring my warning.

      --
      excitingthingstodo.blogspot.com
    7. Re:How much to do this legally? by Anonymous Coward · · Score: 0

      > As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.

      Out of curiosity, do any of those places actually call you? Plenty of sites ask for my number, not to send a text or do any verification, they just mark it "required" on their forms, and they seem perfectly happy with 202-456-1414. But I don't think 99% of sites ever intend to actually call the number. They just demand it in hopes of correlating it with other data.

    8. Re:How much to do this legally? by Anonymous Coward · · Score: 0

      > As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.
      >
      > Slime keep trying to steal my privacy in exchange for nothing. They abuse the phone number and have no business asking for it. If they want my phone so badly, then PAY every time you call me. After all, I never want you to call me, so why shouldn't you pay to talk to me?

      Anywhere between 50 dollars and 1,000 dollars, depending on where you are, and what features/options you want.

      There may be recurring monthly charges as well.

      If you're in a location at the higher end of the scale, it might be worth setting up a pool with friends and neighbors.

    9. Re:How much to do this legally? by penguinoid · · Score: 1

      And you can also whitelist/refund numbers from approved callers.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    10. Re:How much to do this legally? by Anonymous Coward · · Score: 0

      You've also identified yourself as someone who should go. Because your reading assessment is incorrect.

      Poster never asked if he can have two numbers... "I would love to get a phone number that is 'premium'". The poster merely expressed A DESIRE TO GET A PREMIUM number. Perhaps they don't work for a telecom & know all the ins-and-outs of acquiring a business number as just a 'regular Joe'. Does one need to produce a business license? What is the monthly cost? Can it be routed to an existing handset, or does one need a new line? Not knowing the steps to get one is deserving of a question.

      That is all that was written about his interest, and you are a bully looking for space to write something clever.

      Turn in your ID and go back to 4chan and playing MMOs.

      PS: hey OP here's your steps, sorry mr. big mouth cannot add anything useful for you:
      http://www.wikihow.com/Get-a-900-Number
    11. Re:How much to do this legally? by Anonymous Coward · · Score: 0

      http://www.wikihow.com/Get-a-900-Number

      use it and be happy. (and broke. Did you see those fees?!? )

    12. Re:How much to do this legally? by thegarbz · · Score: 1

      > If they want my phone so badly, then PAY every time you call me.

      What? You think they want to use that number to call you? hahahah No, that's just the unique key in their relational database so they can compare you and on-sell your data.

  6. In theory there is no difference between theory by turkeydance · · Score: 1

    and practice. In practice there is. -- Yogi Berra

  7. Ah, phone fraud by Anonymous Coward · · Score: 0

    Your ways are becoming clearer and clearer, soon the whole system will break under the strain of its own deceits.

  8. But THIS time! by Anonymous Coward · · Score: 0

    It's haxx0rz bein all haxxy 'n' shit. Haxx!

    1. Re:But THIS time! by Anonymous Coward · · Score: 0

      I thought it was c0ws being all Mooooy 'n shit. Mooooo!

      (31337 note: this mooing sponsored by the cult of the dead cow)

  9. Premium rate numbers still exist? by mveloso · · Score: 1

    They're basically banned in the US. Are they still around outside the USA?

    1. Re:Premium rate numbers still exist? by Mal-2 · · Score: 2

      > They're basically banned in the US. Are they still around outside the USA?

      No they're not. They're fairly easy to identify with the area code of 900, but they are far from banned.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  10. TRWTF by cellocgw · · Score: 1

    Yeah, I know, that's a different site but really:

    TRWTF is allowing any kind of "pay for a service over the phone" operation where billing is done onto the telco bill. For example, calling a lawyer (those guys charge by the minute for phone calls related to a live case) leads to a bill from the lawyer's office, not the telco. That would be allowed, but not "you can talk to this sexy [choice of self-identified gender] for $5/minute added to your phone bill."

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  11. they still have call in quiz shows not in the usa by Joe_Dragon · · Score: 1
  12. Phone# is for Tracking, Not Calling by Anonymous Coward · · Score: 0

    > then PAY every time you call me.

    They are not asking for your phone# in order to call you - except perhaps to verify you during account setup (which is usually just a text message). They want your phone# to use as an identifier to cross-reference all your online (and offline) activities.

    Most people do not change their phone# very often because it is a hassle - you have to update all your friends and then there are a billion business relationships you have that you probably don't even remember (like your bank, your utilities, your employer, etc). That makes it one of the best identifiers to use as a key in their databases.

    Going with a premium number won't make a bit of difference because it's still just one number and the number of times it gets called will be far too low to even pay for itself.

  13. what's the hack? by superwiz · · Score: 1

    If they offer free domestic calling and one calls a premium number and they connect it, where's the hack? Your agreement with anyone (including large corporations) is what you agreed to -- not what someone claims you agreed to.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  14. Useless - they're probably already filtering. by Ungrounded+Lightning · · Score: 2

    > ... most of the shmucks that ask for numbers like this use robo callers.

    And the schmucks in question are normally clueful enough to program their robots to NOT call the "premium content" number ranges. (Which is also what anyone programming a service that includes a callback feature should do.)

    Not doing this for cellphone ranges or numbers on the do-not-call list doesn't impact a phone-pimp's bottom line. Trying to scam a pay-to-talk line does. It might not cost enough to bankrupt them, if their scam is lucrative enough - but even for those it would be a drain on the swag.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
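The filtering the comment above recommends for any service with a callback feature, as an added example that is not from the page, the researcher, or any of the companies named. It normalises a loosely formatted number to E.164, refuses premium-rate prefixes, and caps callbacks per account and per destination number so that a pool of throwaway accounts cannot funnel calls to one number. The prefix table, the thresholds, the `default_cc` convention and the sample numbers are all assumptions constructed for the example; a real deployment would load numbering-plan data from its carrier rather than hard-code it.

```python
import re
from collections import defaultdict

# Illustrative denylist of premium-rate prefixes in E.164 form.
# Assumption: a starting point only; production systems should load current
# numbering-plan data from the carrier or regulator instead of hard-coding it.
PREMIUM_PREFIXES = {
    "+1900": "NANP premium (900)",
    "+449": "UK premium rate (09xx)",
    "+3290": "Belgium premium rate (090x)",
}


def normalize(number, default_cc="+1"):
    """Turn a loosely formatted phone number into E.164, or None if it cannot be.

    default_cc is applied to numbers given in national format (assumption:
    the service knows the user's country from the account's region setting).
    """
    raw = number.strip()
    has_plus = raw.startswith("+")
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return None
    if has_plus:
        e164 = "+" + digits
    elif digits.startswith("00"):            # international prefix common in Europe
        e164 = "+" + digits[2:]
    elif default_cc == "+1":                 # NANP: 10 digits, or 11 with a leading 1
        if len(digits) == 10:
            e164 = "+1" + digits
        elif len(digits) == 11 and digits[0] == "1":
            e164 = "+" + digits
        else:
            return None
    else:                                    # national format with trunk prefix 0
        e164 = default_cc + digits.lstrip("0")
    # E.164: '+', a non-zero first digit, at most 15 digits in total
    if not re.fullmatch(r"\+[1-9]\d{6,14}", e164):
        return None
    return e164


def premium_reason(e164):
    """Return the denylist reason if the number is premium-rate, else None."""
    for prefix, reason in PREMIUM_PREFIXES.items():
        if e164.startswith(prefix):
            return reason
    return None


class CallbackGuard:
    """Gate automated verification callbacks before they reach the dialer.

    Two budgets complement the prefix check: a per-account limit stops one
    account from triggering calls in a loop, and a per-number limit (counted
    across all accounts) stops many fake accounts from funnelling calls to a
    single destination. The thresholds are assumed values for the example.
    """

    def __init__(self, max_per_account=3, max_per_number=5):
        self.max_per_account = max_per_account
        self.max_per_number = max_per_number
        self.calls_by_account = defaultdict(int)
        self.calls_by_number = defaultdict(int)

    def allow(self, account_id, number, default_cc="+1"):
        """Return (allowed, reason); counters advance only for calls that are placed."""
        e164 = normalize(number, default_cc)
        if e164 is None:
            return False, "invalid number"
        reason = premium_reason(e164)
        if reason is not None:
            return False, f"premium-rate: {reason}"
        if self.calls_by_account[account_id] >= self.max_per_account:
            return False, "per-account callback limit reached"
        if self.calls_by_number[e164] >= self.max_per_number:
            return False, "per-number callback limit reached"
        self.calls_by_account[account_id] += 1
        self.calls_by_number[e164] += 1
        return True, "ok"


if __name__ == "__main__":
    guard = CallbackGuard()
    # Constructed sample callback requests (555 and fictional ranges, not real subscribers).
    for acct, num, cc in [("u1", "(202) 555-0142", "+1"),
                          ("u2", "1-900-555-0100", "+1"),
                          ("u3", "0906 123 4567", "+44")]:
        print(acct, num, guard.allow(acct, num, cc))
```

The check runs before the call is handed to telephony, which is the cheap place to stop it; the per-number counter is the piece that matters against the multi-account automation the summary describes, because each fake account looks clean on its own.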
    1. Re:Useless - they're probably already filtering. by psyclone · · Score: 1

      How much is it to set one up? Ideally set a cheap rate so real people could still talk if they wanted to. Would be great on Whois records and other public databases, along with any marketing databases. Any legal users (aka lawyers, real businesses, etc) could still pay the micro fine to talk to you.

  15. NEW SPIN ON THE US GOV SPY SHOPS HUH by Anonymous Coward · · Score: 0

    Instagram isn't a US spy shop, but Google and Microsoft are spy shops in totality.

    So somehow some "hacker" steals phone calls and shit right right right.

    Say Google and Microsoft one more time fucking cunts.

  16. Misleading title by mdfive · · Score: 1

    Title suggests on-going exploits. Content only mentions a mechanism but no actual proof of active exploits.