Can a hacker do damage with a copy of the White Pages? Perhaps not with just a name and phone number. However, it doesn’t take much more than that to enable all sorts of attacks that involve impersonation. Phishing attacks, phone number swaps and even common spam are on the rise, and a likely culprit is a series of recent data breaches and leaks that have exposed basic contact information that is often overlooked.
Millions of phone numbers exposed by Facebook
On September 4, TechCrunch reported that hundreds of millions of Facebook accounts were compromised. User phone numbers were available online in a number of databases that were not password protected. Some records also had names, genders and locations attached. The exposed server was accessible without a password.
Security researcher Sanyam Jain of GDI Foundation discovered the server hosting all of the databases, and could not initially identify the owner. He went to TechCrunch with it, where they were able to determine that the databases contained phone numbers matched with Facebook ID numbers.
In total, 419 million Facebook users were exposed. Of these, most belonged to users in the United States – 133 million, or roughly 80% of all users in the country. 50 million users in Vietnam were exposed, 18 million in the United Kingdom, and the remaining users were dispersed broadly around the globe.
The data is a vestige of a canceled Facebook feature that used to allow users to search for each other via phone number. The database owner appears to have scraped the information at least a year ago, prior to Facebook’s removal of that feature.
A follow-up Cnet report on September 6 revealed that another security researcher in the UK had found a different unprotected server containing information that matches the original find. At this point, it is unclear how many copies of these scraped Facebook customer databases are online sitting open to anyone who cares to visit them.
A pattern of contact information breaches
This breach is just the latest in a long pattern involving not just Facebook, but all manner of large multinationals that handle huge amounts of personal data.
Facebook’s privacy woes date as far back as 2010, when it was discovered that popular games and apps on the platform were circumventing user privacy settings to access IDs and personal data. The whopper came last year when the Cambridge Analytica scandal came to light, however, and it has been a seemingly unceasing string of privacy-related mishaps since. Things have gotten so bad for the company that there is talk in American politics about sentencing Mark Zuckerberg to prison time.
Facebook is far from the only company with these issues, however. Monster.com just made news for exposing the resumes of over a million users, a breach at American Medical Collection Agency exposed the records of tens of millions of Americans, and the invitation service Evite saw as many as 100 million customer email addresses exposed – and these are just a few of the largest examples in 2019! All of these breaches involved a security failing by a third party vendor, most frequently either due to unsecured databases or phishing attacks.
Jonathan Bensen, CISO at Balbix, had some thoughts on how organizations should manage the risks posed by personal data collection going forward:
“This exposure is the latest in a string of security and privacy incidents involving Facebook. Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim. Exposed individuals even put their employers at risk; attackers can leverage stolen numbers to obtain unauthorized access to work email and potentially expose more data. Misconfigurations have been the reason behind several data leaks this year including incidents affecting Orvibo, Tech Data and ApexSMS. Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once. The key to thwarting future instances of data exposure is to leverage security tools that employ AI and ML to observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be fixed.”
The potential damage: Phishing attacks, spam and a new Android attack
There is sometimes an errant perception that information such as phone numbers and employment history is relatively harmless and does not require the same level of security that financial information does.
Hackers actively seek and make use of this information in a variety of ways. One of the simplest is for leads for spam. Another is for targeted scams. The information in this recent Facebook leak is ideal for scammers who target the elderly, for example. They can sort potential targets by age and have at least a basic dossier of information to work from, particularly if they can get access to the victim’s Facebook page.
Similarly, a compilation of this sort of information can be used for targeted and authentic-looking phishing attacks on particular employees of an organization, giving attackers a foothold from which to compromise the entire company network. And once an attacker has a phone number and enough personal information, they can attempt a SIM swap attack that gives them control of the user’s phone.
As if those weren’t enough possibilities, a new phone-based threat has emerged that has put virtually every modern Android device capable of receiving text messages at risk. Attackers merely need the “international mobile subscriber identity” (IMSI) number of an Android phone to send a false over-the-air (OTA) update that will deploy network specific settings and re-route all internet traffic through a hacker’s server. While IMSI numbers are not made public, reverse lookup services that make use of the phone number are widely available. Android apps can also be given access to it.
With a GSM modem – a common SIM card-enabled modem that can be had for as little as about $100 USD – attackers can send an SMS message to Android devices that changes settings once received. The attacker can then route all their internet traffic through a server they control, where they can view and even modify it. This can potentially be done even without the IMSI number, if the attacker is able to trick users into accepting a settings change included in the text message. This is unprecedented in the world of phishing attacks, and Samsung phones are particularly vulnerable as they do not have a built-in authenticity check.
Erich Kron, Security Awareness Advocate, KnowBe4, elaborated on what potential targets might expect from this attack:
“This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys. People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorization, even if it appears to come from the carrier. If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate.”
This vulnerability was disclosed to mobile carriers and device manufacturers in March, and they have since created patches for it. However, patching usually requires that the device still be supported with OTA updates by the manufacturer. Manufacturers often drop this type of support for their Android phones very quickly, sometimes in as little as a year after bringing the device to market. That leaves millions of phones still in use vulnerable to these potent new phishing attacks.
“Harmless” data and lax security
As this brand new attack that makes use of SMS messages demonstrates, new vulnerabilities are always developing and advanced phishing attacks can be highly effective with just a little bit of personal information.
As Jonathan Deveaux, head of enterprise data protection at comforte AG points out, it all comes down to overall security culture and awareness at organizations:
“When data-centric security is not in place, people are left in an awkward position to make key decisions when it comes to securing data. Which decision was made in this case?
‘The phone numbers are old, so the data doesn’t need protection.’
‘Phone numbers aren’t sensitive data, so they don’t need protection.’
‘The data is just for research purposes, so it doesn’t need to be protected.’
‘We have so many servers; no one will find the data.’
‘Someone else is responsible for data security, so they will protect the data.’
“The main risk of the phone number exposure incident is the potential of spam calls, which are a huge nuisance today. The bigger fear is what other unprotected sensitive data exists, which may be subject to the same decisions, but possibly posing a larger risk to end-users? The more sensitive data a company has, the more critical it is to protect the data. A ‘security-first’ policy employing a data-centric approach helps ensure data is protected throughout an organization.”
Access to a Facebook page paired with a phone number provides a rich amount of information for phishing attacks. They usually have access to even more than that, however, thanks to increasing aggregation of personal data both by attackers and by private enterprise.