Saturday, October 12, 2024
Homecyber securityHackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Published on

Malware protection

Hackers are offering “free” mobile data access on Telegram channels by exploiting loopholes in telecom provider policies, which target users in Africa and Asia and involve sharing configuration files to mimic zero-rated traffic. 

The channels function as technical support hubs where users exchange instructions on creating custom payloads, setting up secure tunnels, and manipulating HTTP headers to disguise data usage, which has circulated numerous configuration files for various telecom providers over the past year. 

To bypass data metering on telecom networks, attackers leverage various tunneling techniques by manipulating data packets using tools like HTTP Injector to mimic traffic from zero-rated services (exempt from data charges).

- Advertisement - SIEM as a Service

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Payload generators further enhance this deception. Alternatively, they establish encrypted tunnels using SSH or Stunnel, disguising their traffic as legitimate secure communication, while VPNs with obfuscation techniques and undetectable protocols achieve a similar outcome. 

Configuration files

Attackers can manipulate traffic headers with proxies or route all traffic through a remote server using SOCKS proxies, tricking the network into treating their data as unmetered. 

To abuse zero-rating policies, attackers manipulate data traffic to appear as originating from exempt services, which involves modifying HTTP headers and payloads (traffic redirection), altering DNS settings to exploit zero-rated domains, or spoofing the Server Name Indication (SNI) in HTTPS requests. 

SNI proxies can also be used to forward traffic while disguising it as coming from a zero-rated source. Split tunneling and selective routing techniques channel-specific traffic through zero-rated services while keeping other data encrypted. 

For mobile data, attackers can exploit weaknesses in APN configurations, including modifying APN settings to trick the network (APN tweaks) or rapidly switching between APNs to bypass billing (APN switching). 

HTTP injectors can be used in conjunction with pre-configured profiles that contain individualized parameters to automate zero-rating exploitation. 

CloudSEK identified several tools used to bypass online restrictions and access secure connections, including HTTP Injector, an Android application for manipulating HTTP headers, crafting custom payloads, and establishing secure tunnels. 

Your Freedom VPN Client provides various tunneling methods to bypass firewalls, while HA Tunnel Plus is another option for creating secure VPN connections.

All three tools leverage their tunneling capabilities to circumvent restrictions and enable secure internet access. 

Telecom providers can deploy a multi-layered defense to curb free data exploitation via VPNs and tunneling, while deep packet inspection (DPI) and traffic analysis pinpoint suspicious traffic patterns. 

Limiting bandwidth for well-known tunneling protocols and blocking certain SNI fields that these apps use makes them less useful.

Blacklisting malicious IP addresses and monitoring DNS traffic for tunneling attempts further tighten the net. 

Better APN security protects against changes made without permission, and machine learning models find strange behavior that could be a sign of zero-rating abuse by disrupting free data exploitation methods.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...