Abusing Phone Numbers and Cross-Application Features for Crafting Targeted Attacks

Abstract: With the convergence of Internet and telephony, new applications (e.g., WhatsApp) have emerged as an important means of communication for billions of users. These applications are becoming an attractive medium for attackers to deliver spam and carry out more targeted attacks. Since such applications rely on phone numbers, we explore the feasibility, automation, and scalability of phishing attacks that can be carried out by abusing a phone number. We demonstrate a novel system that takes a potential victim's phone number as an input, leverages information from applications like Truecaller and Facebook about the victim and his / her social network, checks the presence of phone number's owner (victim) on the attack channels (over-the-top or OTT messaging applications, voice, e-mail, or SMS), and finally targets the victim on the chosen channel. As a proof of concept, we enumerate through a random pool of 1.16 million phone numbers. By using information provided by popular applications, we show that social and spear phishing attacks can be launched against 51,409 and 180,000 users respectively. Furthermore, voice phishing or vishing attacks can be launched against 722,696 users. We also found 91,487 highly attractive targets who can be attacked by crafting whaling attacks. We show the effectiveness of one of these attacks, phishing, by conducting an online roleplay user study. We found that social (69.2%) and spear (54.3%) phishing attacks are more successful than non-targeted phishing attacks (35.5%) on OTT messaging applications. Although similar results were found for other mediums like e-mail, we demonstrate that due to the significantly increased user engagement via new communication applications and the ease with which phone numbers allow collection of information necessary for these attacks, there is a clear need for better protection of OTT messaging applications.