Expert opinion: is it possible to lose money by downloading an image from scammers?

In one such case, a Muscovite lost more than 20 thousand rubles. An unknown sender sent the man a photo and asked whether it was him in it. According to the victim, he only downloaded the “snapshot”; after that the dialogue with the attacker disappeared, 22 thousand rubles were debited from his debit card, and the bank then blocked the card. However, all the experts interviewed by RG doubt that the money could have been debited without additional actions by the users themselves.

According to the head of Kaspersky GReAT (Kaspersky Lab’s Global Research and Analysis Center for Threats) in Russia, Dmitry Galov, the picture itself is unlikely to pose cyber risks, but if the message also contains text with a link, then you need to be more careful. “Theoretically, attackers can send messages with greeting cards supposedly from relatives or friends and motivate them to follow a link that will lead, for example, to a phishing page. At the same time, there have been cases when, under the guise of an archive, users were sent malicious software in instant messengers. The person expected to see inside, for example, a picture or a congratulation, but in fact these were executable malicious files,” he says.

Money can be stolen not after clicking on the picture, but after the user launches the sent file with the .apk extension. Photo: Social networks

Leading engineer at CorpSoft24 Mikhail Sergeev is sure that the user receives not a “picture” but a virus or Trojan (an .apk file), which the user personally installs on the smartphone after first disabling the protection and allowing installation from unknown sources; the attacker then gains hidden access to sending and receiving SMS messages. “Then the hacker recovers the password to the client bank or mailbox through the usual ‘forgot password’ form and can transfer funds through the client bank,” says Sergeev.

Yuri Shabalin, owner of the Stingray product from AppSec Solutions, agrees with him. “The scheme is actually very simple. In such cases, social engineering methods always work. That is, without user actions, of course, no access can be obtained,” he noted.

As the expert explained, these cases most likely involve compromised logins and passwords for some personal account combined with theft of the second authentication factor, which as a rule is an SMS message. The user is sent a supposed photo or something similar that is actually an application. When installed, this application requests the permissions it needs from the system and can then monitor, among other things, SMS. Using the previously stolen login and password, the attackers then try to log in to the system they want to break into, for example, a bank.

In any case, the picture itself cannot “steal” money. To steal it, attackers must know the bank card details or the login/password combination for the victim’s personal banking account. Such data is obtained either from the users themselves, through social engineering, or by buying databases of personal data on the darknet. However, even this is not enough to steal funds: spyware still has to be installed on the victim’s smartphone to intercept authorization SMS or push messages from the bank and forward them to the attackers.

For this, the user must download and run the file with the .apk extension and then grant it all the rights it asks for (reading SMS, viewing the screen, access to other applications). Moreover, by default Android smartphones prohibit installation from any source other than the Google Play app store, and until 2022 the Android OS warning “allow the installation of unknown applications”, shown when trying to install an application not from Google Play, was itself a red flag. However, after the applications of large Russian banks were removed from Google Play, Russian users were faced with the need to install them from bank websites or from RuStore. Thus, many are already accustomed to allowing their smartphones to install applications from “unknown sources” (for an Android smartphone, any source other than Google Play is “unknown”). This has become a routine process, and such a request from the Android operating system is no longer perceived as an alarm signal. This is what attackers take advantage of.
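A content-based check for the file described above (a “photo” that is really an Android package), as an added example that is not code from the article or from any of the companies quoted: the image signatures and the zip entries every APK carries are real format facts, while the sample JPEG header and the stand-in APK are constructed here for illustration.

```python
import io
import zipfile

# Magic bytes of genuine image formats (the bytes a real "photo" starts with).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Zip entries present in every Android package.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def classify(data: bytes) -> str:
    """Classify by content alone: 'image:<fmt>', 'apk', 'zip' or 'unknown'."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return f"image:{fmt}"
    if data.startswith(b"PK\x03\x04"):  # zip container; an APK is a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if APK_MARKERS & names else "zip"
    return "unknown"


def is_disguised(filename: str, data: bytes) -> bool:
    """True when the name promises an image but the content is an Android package."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in IMAGE_EXTS and classify(data) == "apk"


def constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding only the two marker entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<placeholder manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # constructed JPEG header
               ("photo.jpg", constructed_apk())]                    # "photo" that is an APK
    for name, blob in samples:
        print(name, classify(blob), "DISGUISED" if is_disguised(name, blob) else "ok")
```

The same check works on a messenger download folder: a file whose bytes say “apk” should be treated as an installer regardless of what the sender called it.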

Source: rg.ru