Google Pay, Drug Bots, & SIM Swaps: How Old Leaks Power New Attacks

BSides London · 2025 · 29:53 · 411 views · Published 2026-03
About this talk
Ron Masas and Sarit Yerushalmi trace how two massive Israeli data leaks—the Agron population registry and electoral voter database—became accessible through Telegram drug-market bots and enabled a chain of attacks including SIM swaps. They demonstrate a novel CSS-based side-channel vulnerability in Google Pay that leaks credit card digits, completing the attack chain that can compromise accounts protected by SMS-based two-factor authentication.
Transcript (en)

Thank you so much for coming to our talk. We are very excited to be here. And before we start, a quick introduction. So my name is Ron. I lead the vulnerability research team at Imperva.

>> Hi, my name is Sarit. I'm a senior security researcher at Imperva. And we are very happy to be here today on stage.

>> Yeah. So what are we going to talk about today? We're going to talk about two nation-scale data leaks. We're going to talk about Telegram bots and the drug markets they kind of enabled, and the infrastructure behind it. And we're going to talk about a vulnerability we recently disclosed to Google. And we're going to try to explain how all of those things connect to one story. And to do it, we're going to start with a story. It's a story about the biggest data leak in Israel's history. It's called Agron. And so, take it away.

>> Yeah. Okay. So let me take you 20 years back to a small town named Chamish. The year is 2004. Shalom Bilik, a 42-year-old man, wakes up and goes to work. He sits at his desk at the Ministry of Welfare, where he works as a contractor. Now, as part of his role, he had access, like the highest level of access, to the databases of the Ministry of Welfare. One of them was the entire population registry of Israel. Think of 9 million records: full names, addresses, family relationships, basically everything that the Ministry of Welfare knows about you. One day his boss burst into the office saying, wow, we lost the last three data of the database, like a total nightmare. There's no backup in place and everyone is trying to find a solution, but luckily Bilik had a habit of copying data back home to his own computer, just in case. So his boss was very pleased with the result, like he saved the day. Everything is okay. And she didn't even think about why the hell he copied the data to himself back at home. But they moved on; everything is okay. But did this tell us something about Bilik? Like, he used to break the law, like he was doing some gray-area stuff, and it was not the first time that he copied data back home, and it's not going to be the last time.

>> Yeah. So as mentioned, Bilik loved to break the rules. So as she said, he worked as a contractor in the Ministry of Welfare. So this wasn't the only thing he was doing. He, for example, also created a program to search through the data that he took home. Like, it's not very useful to just have the data without the ability to search it. So he created a program called Flower that basically allowed them to search it, you know, using the national ID number, the full name, something very simple. And another thing he was doing in his free time was giving services to other organizations. One of them was named Diskin, and every few months they asked him to update the donor records in their database, and he got tired of updating it every few months. So he came up with this idea: what if I take this Flower program and install it on their servers? That way they don't need to update the donor records, because they have all the records. Brilliant, right? So he set up a meeting and he showed them that he really created this program. It's on their server; they can now use it. Everyone was pleased. One of the people that was in this meeting, his name was Adam. And this Adam really liked this solution, so much so that he decided to make some copies and give them to his friends. One of these friends was Vitman. This guy, Vitman, immediately saw the financial potential of this data. So he didn't want just to make copies and give them to his friends; he was thinking more about selling this data. So he knew this person, his name is Aaron, and he is actually kind of a database collector. He sold him 9.5 million records for $700. So yeah, it was a good price even if you adjust for inflation, and we call him the collector because he collects a lot of illegal databases. So at this point he already had 11 different databases. The Flower data set was the largest he ever got. But he decided, okay, I'll take this data set with the 11 other ones I have and I'm going to send it to my programmer friend Moscow, who's going to unify all those databases into one kind of program that will allow more advanced search abilities. So we gave you a lot of names. So let's try to recap.

>> Yeah. Let's do the chain of events. So we started with Bilik, who worked as a contractor in the Ministry of Welfare, and he got access to the population registry of Israel. He created a simple program named Flower and he installed it on the servers of the Diskin organization, where he showed it to Adam. Now Adam saw the value in it and he started to create copies and give them away to friends, and one of them was Vitman. Vitman saw the financial potential and started selling them for hundreds of dollars, and one of them was Aaron, which is our collector, and this collector, together with 11 additional databases, gave it to Moscow. And Moscow was a gifted programmer. You can see the passion in his eyes. [clears throat] And he took all those databases together and he created a unified program to be able to quickly search through all this data, like family relationships, like a very cool and awesome program. He called it Agron, and he knew it was such a great program, so he decided to encrypt the database so only him and the collector, Aaron, would be able to use it. Half a year goes by and he thinks to himself, why should I keep it only for myself? So Aaron was pleased with the result, but this guy Moscow wanted to sell and earn some money. So he started sending them, and every time that he sold the program, you also need to supply the password, right, to be able to use the program. So time goes by and this program gets cracked, and a cracked version of the program ends up in the hands of a young hacker by the name of Ari.

>> Yeah. And this Ari guy got this program. It's basically unencrypted. He ran it on his computer and he can see the full registry information of all the citizens of Israel. Again, 9.5 million records. And he thinks to himself, I don't really want to make money from this. He wasn't motivated by money. He was looking more for fame. So he took this program and he uploaded it not to one server but to four different servers around the world, and he also created a small website. This website basically guided people on how to download the program, how to install it, how to debug certain issues with it, and he motivated the people who downloaded it to actually spread it further. He also used this website as kind of a personal blog, spreading his opinions about the data and so on. And he was aware that he was doing something very, very dangerous. So he knew how to hide his tracks. He worked mainly from a coffee place in Jerusalem and he also used proxy servers from Russia and China. He knew that Israel would have a hard time convincing those countries to really reveal the IP from which he was operating. And after two months or so since he released the information, he got his wish. A mainstream news channel in Israel did a full episode about him, where they discussed Ari and the data leak. This even got the government involved, starting to talk about this leak and its implications. And this obviously motivated the investigators to really find the people responsible. So after four years of investigation, the investigators started to close in. They identified Bilik as the original leaker, and basically all the other people that physically moved copies from one to another, and all of them basically were arrested. But one person was still missing. He didn't get a copy from any of them directly and they had no leads, basically.

>> So we can think that Ari did a perfect crime, right? So apparently he didn't. One time, when he got all the fame and glory that he was seeking, he watched the TV show that Ron just talked about and he added some text to it: "You will never catch me." And he thinks to himself, I need to upload it to my server to show it as part of the manual, just teasing them. And he didn't want to upload it to his own server. He uploaded it to a US-based image hosting service. But while he was doing that, he forgot his proxy. He didn't use a proxy back then. So this was actually the lead, the thing that the investigators were looking for. And while they were going over the website that he created, they saw this link and they thought to themselves, ah, maybe it's a dead end, like he probably used the proxy so we'll never catch him, but let's just cover all the bases and check it. Maybe he made a mistake, but who knows, we need to do it. So they checked it, and they saw the link and they reached out to this US-based image hosting provider and asked them for cooperation, and surprisingly they happily gave them the IP, and it appeared that the IP was an Israeli one, from a small printing house in Jerusalem. So some investigators went undercover, pretending to be customers, and when they were talking to the owner of the place they asked him, you know, who is handling your IT services and computers, just curious, and he was happy to give them the name of Liver. And with that information they got search warrants and they went to the house of this Liver guy and they found all the evidence to prove that this Liver was indeed the hacker. It was Ari. So Ari got caught, but the data is still out there. Like, you cannot put the genie back in the box.

>> Yeah. So fast forward to 2020. It's almost 16 years after the original leak happened, and the data is out there, right? Like, anyone can access the Agron files still today. But you know there is this saying that time heals all wounds, and I think this also applies to data leaks, right? Like, as time passes, you know, new people are born, the data gets outdated, and if we wait long enough maybe it will be worthless. But oops, we did it again. 2020 was an election year, and in election years every party in Israel gets a copy of all the voters, so this includes the personal ID, full name, address, basically all the information. And one of these parties decided to take this data and give it to a third-party company called Elector. They created a program that allows those party activists to kind of manage the election, send SMS, surveys, and do all sorts of things. And one researcher called Ran Bar-Zik found this login page. He looked at the source code, at the only JavaScript bundle on this site, and he noticed this weird URL, "get admin users", and he decided, okay, let's open this URL in a new page and see what we get. And you get basically a JSON list with all the admins' usernames and plaintext passwords. He couldn't believe it was real. So he copied the password and username, plugged them into the login page, clicked login, and he had admin access. So this is basically access to 6.5 million voters' information. Now, him being a responsible security researcher, he reported this to Elector and they patched the vulnerability. But it was too late. We learned later it was too late. Someone else also noticed this and they actually leaked the information again.

>> Yeah. So it happened again, and we got refreshed data up to 2020. But we can say, okay, the data is out there, but who can actually reach it? Can we, the simple guys, go and look at this data, or can only hackers, like sophisticated hackers that go through the dark web or hacker forums, put their hands on it? So to answer this question I want to ask you another one: who here has a Telegram account? And I believe that almost everyone does. So actually, Telegram in Israel is associated with illegal activities like selling drugs, and while you go down the street in Tel Aviv, for example, you can find those flyers on the floor, on trees, on buildings, where they promote the selling of drugs. And there is a QR code at the bottom that, if you scan it, you'll reach a Telegram bot where you can actually buy drugs. And there is a menu, like which type you want, what do you want? And if you look closely at this Telegram bot, it's not just about selling drugs. It's actually an infrastructure that helps both the provider, like the seller, and the buyer. And what they did here, they actually imported, I can say, they put inside all those leaks, the Agron leak, the Facebook leak, the Elector leak, everything inside together, so they can use it. And when a seller wants to sell drugs, he asks the buyer to supply a picture of his ID and also a picture of his face, so he can check if the person that wants to buy some drugs isn't an undercover police officer. So you can plug it in and search for this guy and validate that he is not dealing with someone that might catch him.

>> So this basically proves that you only need to scan a QR code to access all those leaks. You don't need to be in some hacker forums or anything like that.

>> Yeah, exactly. So the data is out there, but what can attackers do with it? So first they can do spam, right? They know things about you and so they can create targeted spam on you. They know your address, your name, your mother's name. So when you get a spam message, like an SMS or something, with all the details, it looks more believable. You can rely on it. Another thing that they can do is social engineering. They can pretend to be customer service or something, call you and say, "Hi, am I speaking with blah blah blah?" And they will supply all the details that they know about you, and you're more likely to cooperate and give them what they want, like the sensitive information that they are looking for. And another thing that they might do is identity fraud. They might pretend to be you, like they will call some company and give all the details that they already know about you. And one of the attacks that's related to identity fraud is the SIM swap attack. A SIM swap is when the attacker calls the phone provider pretending to be you and saying, "Hey, I lost my phone. I need you to initiate a new SIM card for me and please send it to this and that address." And by the fact that they have your own SIM card that is connected to your phone, they can take over your laptop or even every service that is using two-factor authentication.

>> Yeah. And I think it will be very useful to think about this problem from the mobile company's perspective. So one of the edge cases they need to handle is what happens when someone loses their phone, right? They have millions of customers; people lose their phones. They need to be able to authenticate those clients in order to give them a new SIM card. But this can be kind of challenging, right? Because they have a lot of types of customers. There is an 80-year-old man that only has this phone. He doesn't have a computer, and there's really a variety of customers. So it can't be too difficult. At the end of the day, they are a business. They want to give you a new SIM card so that you continue paying them money. So they do three things. They ask for a personal identifier, things like your national ID number, your address, your birthday. They ask questions like, "What was your mother's name before she got married?" And lastly, and this is more recent, they started asking for the last four digits of the payment method you used to pay for this service. And this is very important in our context, because as we mentioned before, all the other information is public. Anyone can access it. So they can basically steal your SIM card without these last four digits, which are the last line of defense. So can we find a way to leak the last four digits of a user's credit card? This is where I'd like to talk about XS-Leaks. It stands for cross-site leaks, and it's basically an attack where we try to do a side-channel attack against the browser. So you can think about timing attacks, like caching attacks, and a variety of other techniques that are basically used to try to break the same-origin policy in small ways. And the same-origin policy, of course, is the most fundamental security feature in the browser; it prevents one page from reading information from another page. And in 2021 I wrote this blog post that basically presented a new kind of attack that falls under XS-Leaks. I call it the human side channel, and it's kind of built on top of clickjacking. And just to give you a quick idea of what clickjacking is, it's when we take some iframe. We embed a hidden iframe in our website that kind of tricks the user into performing an unintended action on another website. So if we take, for example, Twitter, they have a "delete this account" button. If we could iframe it and place it in our website, once the user clicks anywhere on our site, we can steal this action and make them perform this action. And the insight I had with this blog post is that we can use the same kind of technique, but instead of trying to cause an unintended action, we can try to get the user to leak some information. So this came from the realization that when we look at the monitor, the same-origin policy doesn't apply to us, right? If we put five iframes in a page, we can see all the cross-origin information, and we don't necessarily know it's cross-origin. So the question becomes, can we come up with some user interface that would allow us to leak this information? So for this attack to work we need three things: we need the person to look at the screen, we need the iframe tag, and we need CSS. Specifically about CSS: if we take some random domain and we embed the google.com website in it and we apply some CSS filters, so in this case I used the filter grayscale, which basically turns everything to black and white. This is applied to the top-level page, not google.com, but you can see that the Google logo is still black and white. This basically tells you that CSS doesn't care about the same-origin policy. When you apply a filter, it will apply to a cross-origin page as well. So let me show you a quick attack I actually did with this discovery. So we all remember the like button. It used to be everywhere. And it basically encodes a state, right? Either you like this specific page or you don't like it. If you like it, you get this checkbox, and if you don't like it, you get a thumbs-up icon. And if we focus on the pixel at the tip of the thumb, we will get a different color depending on the state. So if you like something, it's going to be white because we got the thumbs-up icon, and if you don't like it, it's going to be blue because we don't have an icon there anymore. We can apply some CSS filters to this to make it black or white. So we apply the grayscale filter and contrast. And it's important to mention that we can't read the colors, right? It's still cross-origin information, but we now know for sure that it's either going to be white if you don't like and black if you do like a specific page. So I came up with this user interface. It's basically a cookie popup. I know that you like those, right? And you can see that we get a different background color at the bottom of the popup. So it's either black or white. And you can see that the position of the button also changes. Now in reality, I render both of the buttons all the time. But you would only see one, depending on the pixel color. And once you click the one that you can see, you will indirectly tell me what the pixel color was, and therefore I could know if you like a specific page or not. Now this leaks a very small amount of information, but we can use the same kind of principles to leak more information. So imagine you're browsing on your phone and you see this captcha. Most people will just solve it, right? But if you do, you would actually leak some sensitive information. So let's see how this connects to the last four digits of the user. And this brings me to the Google Pay button. So as you might have noticed, it does show the last four digits of your credit card. And the Google Pay button is actually just an iframe. So the integration is kind of more complex, with some JavaScript. But at the end of the day, it's an iframe that shows the last four digits of your card. So what we can do, we can create this page. It has, like, "are you human", the Google Pay button, and some text box. Now I'm sure that you're not going to fill this in, right? It's pretty clear. It's the Google Pay button. But what if we add some div element that hides some of the button? Now it still looks bad, but it's less obvious. It's Google, right? So we can also add a div to the other side. We can use CSS filters to invert the colors and add contrast. So now it matches the background. And we can use more CSS to center it and even increase the size of the iframe with the transform kind of operation. And lastly, we can use an SVG to create a wave effect. And now it basically, you know, looks like a captcha. So let me show you the actual demo. So this is a Google account with some four digits. I'm going to open the attacker page. You can see the captcha is loading. I even added some control characters to the start and the end to make it harder to understand that it's the last four digits. And yeah, if you filled it in, we leaked the last four digits of your credit card.

>> Yeah. So we successfully hijacked and got the last four digits of the payment card, and now we are able to do the SIM swap attack, right? Like, this was the last thing that we needed, like the last line of defense. So we tried it. We called one of the biggest telephone providers. Yeah. So we called one of the telephone providers in Israel, telling them that we lost our phone. We need to initiate a new SIM card. So they did all the usual stuff they do. They asked us who we are, like where do we live, like some trivia questions, and the last question was what is your payment card, and we gave them the last four digits, and they were so cooperative, and they were happy to send the new SIM card to whatever address that we asked for. Okay. So we reported this

>> responsibly

>> responsibly to Google, and they understood the problem and they fixed the issue and they even rewarded us with $6,000. And yeah, so if we connect all the dots of what we talked about today in this session: we started with one of the biggest leaks in Israel, in 2006, which is related to the Agron program. Later we saw in 2020 another leak, called the Elector, with the voters' data. Then we saw and we proved that anyone who knows how to scan a QR code can use Telegram bots, like illegal drug bots, to look.

>> Yeah. And use the data. And then we saw how the evil captcha with the Google Pay button revealed the last four digits of the credit card. So all of them together, we get to a successful SIM swap attack. So if we summarize, like, everything: data leaks will always happen. There's nothing we can do to prevent them. They will happen and we'll hear about it in the news from time to time. And also vulnerabilities will always be discovered. And we can say that vulnerability is a context issue; it's all about the context. And what do I mean by that? Like, four digits on their own of the payment card, maybe it's not something that I can do anything with. It's not that valuable. But if you connect it to the leak that was in Israel and the way that the telephone providers are using them in order to check who you really are, if you are the person that is calling, then they use it for the last line of defense. This is where it becomes useful, and it actually has value. Like, the four last digits even show on receipts. When you go to your grocery shop and you buy something, you throw them away. They also appear there. And if an attacker wants to target specifically you, he can follow you, wait for you to buy something, take these four digits and do what he wants, like the SIM swap attack. But this time, the fact that all these 9.5 million records are out there means attackers can perform mass attacks. They can send a link of a site with this evil captcha to as many people as they want. Some will answer it, some will not. But the ones that will, they will get the four digits and then they will be able to do the SIM swap attack on them.

>> Yeah. And lastly, I think that organizations should be aware of significant leaks that affect their business. So specifically here, we had a massive data leak, and ideally the government maybe should have issued a new kind of secure ID to use, but they didn't. And organizations didn't really take this leak and evaluate it as part of their threat model. And this led to this issue, right? So they weren't aware that this is the case, that it's very easy to access this data, and therefore they used it for authentication. So it's highly important to really think about this. Like, even if it's not a huge leak, like if all my customers use Adobe and now Adobe was hacked, you should consider this as something that you should evaluate. So this is all from us. It was great giving the talk today. You can read the full report if you scan this QR code, and many other great blogs. Thank you so much.

>> Thank you.

>> [applause]