Security Google Microsoft

Hacker Uses Premium Rate Calls To Steal From Instagram, Google, Microsoft (helpnetsecurity.com) 37

Reader Orome1 writes: Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated. Swinnen calculated that, in theory, these options would allow an attacker to milk over 2 million euro per year from Instagram, 432,000 euro per year from Google, and nearly 700,000 euro from Microsoft by using a slew of fake accounts, multiple premium numbers, and different tools and approaches to automate the process.
  • Not news (Score:3, Interesting)

    by fubarrr ( 884157 ) on Monday July 18, 2016 @10:26AM (#52533839)
    We had the same thing in Russia around 11 or 12 years ago when there was the WAP and premium content craze. There was a guy from carders.su who wrote an MMS exploit that hacked Sony cellphones on the A100 OS and made them send premium SMS in 2006. The whole Megafon cell network went down as it got DDoSed by the chain reaction of the virus spreading.
    • As I remember, the guy used a buffer overflow in the EXIF parser.
    • by Anonymous Coward

      This is not the same thing, as it's not tricking end-users' handsets into dialling the numbers; it's tricking the various companies' account verification systems. This is a big difference, because to go the handset route you have to deploy malware on a lot of handsets, whereas in this case you only have to deal with one system (per company), and you don't have to hack it or deploy any malware, you just have to understand how the system works.

  • No credit card? Try collect call back. Dial 1-215-SEX-TALK and we'll call you right back.

  • Click bait (Score:5, Insightful)

    by ITRambo ( 1467509 ) on Monday July 18, 2016 @10:36AM (#52533903)
    The story explains how the proof of concept exploit could work. It is tedious and was not likely to be used by sane people. The guy was awarded $2000 for discovering the loophole.
    • If you go to the original story (https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/) it shows exactly how he did it for real. He just stopped when he gained a little bit of money (1 Euro, 1 Pound and 1.20 Euro) and reported it.

  • by gurps_npc ( 621217 ) on Monday July 18, 2016 @10:44AM (#52533953) Homepage

    As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.

    Slime keep trying to steal my privacy in exchange for nothing. They abuse the phone number and have no business asking for it. If they want my phone so badly, then PAY every time you call me. After all, I never want you to call me, so why shouldn't you pay to talk to me?

    • But then each time someone calls you have to state the rate and give them a chance to hang up without being charged.

      • I am fine with that - most of the shmucks that ask for numbers like this use robo callers. I should make quite a profit from robo callers ignoring my warning.

        • ... most of the shmucks that ask for numbers like this use robo callers.

          And the schmucks in question are normally clueful enough to program their robots to NOT call the "premium content" number ranges. (Which is also what anyone programming a service that includes a callback feature should do.)

          Not doing this for cellphone ranges or numbers on do-not-call list doesn't impact a phone-pimp's bottom line. Trying to scam a pay-to-talk line does. It might not cost enough to bankrupt them, if their scam i

          • How much is it to set one up? Ideally set a cheap rate so real people could still talk if they wanted to. Would be great on Whois records and other public databases, along with any marketing databases. Any legal users (aka lawyers, real businesses, etc) could still pay the micro fine to talk to you.

    • I assume you don't care about your friends and family and legitimate business transactions.

    • If they want my phone so badly, then PAY every time you call me.

      What? You think they want to use that number to call you? Hahahah. No, that's just the unique key in their relational database so they can compare you and on-sell your data.

  • and practice. In practice there is. Yogi Berra
  • They're basically banned in the US. Are they still around outside the USA?

  • Yeah, I know, that's a different site [thedailywtf.com] but really:

    TRWTF is allowing any kind of "pay for a service over the phone" operation where billing is done onto the telco bill. For example, calling a lawyer (those guys charge by the minute for phone calls related to a live case) leads to a bill from the lawyer's office, not the telco. That would be allowed, but not "you can talk to this sexy [choice of self-identified gender] for $5/minute added to your phone bill."

  • If they offer free domestic calling and one calls a premium number and they connect it, where's the hack? Your agreement with anyone (including large corporations) is what you agreed to -- not what someone claims you agreed to.
  • Title suggests on-going exploits. Content only mentions a mechanism but no actual proof of active exploits.
