Hacking VC, two-factor authentication will not save
Recently, I was horrified at how easy it is to access a user’s page, knowing only the phone number to which the victim’s page is registered. The cost of hacking is ~ 1000-1500 rubles, the time of hacking is ~ 30 minutes. The only condition - unscrupulous mobile operator?
Get down to business immediately.
If you have ever left your passport details in any large mobile phone stores and your mobile operator is not very conscientious, then you are subject to this method of hacking. Let's just say, most of the employees of these networks are not very worried about the confidentiality of these customers and very cool trade this information in the darknet. (What else is there, getting a list of transactions on the card costs only 2000 rubles ...). In general, it turned out to be very simple - to find a person who punches your passport data for you by the user's phone number. In my case, both my data and my mom and even my grandmother's data were in the database of a large communication salon. The cost of obtaining this information just fits into the price tag of ~ 500-1000 rubles. Perhaps it looks rather dreary and problematic, but in fact it takes no more than half an hour and it is unlikely that someone will search after you and find you. Payment methods are different everywhere, someone accepts only Bitcoins, someone does not hesitate to indicate his card in the telegraph. By the way, a fairly common occurrence is when an attacker is not afraid to indicate his (or not his) card number, because, for example, money is transferred from card to card without any problems and after the accusation of the cardholder where the money was transferred is almost impossible . Personally, I have no comments on this issue.
So, we received a scan of the user's passport. No, we will not photoshop a photo with the user's face, where he is holding it in front of the camera. We will go to mobile operators, who will gladly set up a victim. We register the fake VK page on the left phone number, plug in the VPN and write to the official community of the victim’s mobile operator a message similar to the following:
')
"Good day. We need to set forward all calls to the new phone number. I do not have access to the phone itself. What do I need for this operation? ”
And what's next? You will be asked for the victim's phone number, a new phone number where you want to forward all calls and passport details to "verify your identity and possession of the phone number." Wow, isn't it? Simply buy a new sim card at the station for 300 rubles, or buy a virtual sim card somewhere on the network and not bathe. You give all the information and everything, it's in the bag - the redirection is on and, most surprisingly, the victim is not instantly notified about the redirection.
First, the notification did not come at all, an hour passed - it came as much as 2 times:
I tried to connect the service to another phone number of this operator - the notification comes after 2-3 minutes, which is enough to take further actions to gain access to the page. In addition, if you do it all at 4 am, then the victim is unlikely to wake up from the operator’s SMS and manage to do something on time.
Generally bad if you personally have such an operator:
Well, if such:
So, now go to VKontakte and start hacking:
Starting to recover your password:
At this stage, our victim receives an SMS stating that someone is trying to change the password on the page:
But now, so what? What do you personally have time to do in 2 minutes? SMS, we do not intercept, because call forwarding only works on calls. But we are not interested. Click "Send code again" and see the following window:
Understood what we will do next? Yeah, let the robot make the call and the operator will forward it to our phone number and tell us the code to change the password. So, we call:
The robot calls our left phone number, reports the code and then we just take and change the password:
Everything, access to the page is received. Most likely the panicked victim will soon change the password and then this action can be repeated again and the hacker has only 2-3 minutes left. But there are no problems running the page dump script, which saves the entire history of correspondence, all photos and everything that only pleases your heart in a couple of seconds.
Warning All materials and methods outlined below are presented for informational and experimental purposes only. We remind you that hacking users' personal pages and collecting data illegally is prosecuted by the legislation of the Russian Federation (in particular the Criminal Code of the Russian Federation). Be careful and experiment only with your own or test accounts!
Get down to business immediately.
If you have ever left your passport details in any large mobile phone stores and your mobile operator is not very conscientious, then you are subject to this method of hacking. Let's just say, most of the employees of these networks are not very worried about the confidentiality of these customers and very cool trade this information in the darknet. (What else is there, getting a list of transactions on the card costs only 2000 rubles ...). In general, it turned out to be very simple - to find a person who punches your passport data for you by the user's phone number. In my case, both my data and my mom and even my grandmother's data were in the database of a large communication salon. The cost of obtaining this information just fits into the price tag of ~ 500-1000 rubles. Perhaps it looks rather dreary and problematic, but in fact it takes no more than half an hour and it is unlikely that someone will search after you and find you. Payment methods are different everywhere, someone accepts only Bitcoins, someone does not hesitate to indicate his card in the telegraph. By the way, a fairly common occurrence is when an attacker is not afraid to indicate his (or not his) card number, because, for example, money is transferred from card to card without any problems and after the accusation of the cardholder where the money was transferred is almost impossible . Personally, I have no comments on this issue.
So, we received a scan of the user's passport. No, we will not photoshop a photo with the user's face, where he is holding it in front of the camera. We will go to mobile operators, who will gladly set up a victim. We register the fake VK page on the left phone number, plug in the VPN and write to the official community of the victim’s mobile operator a message similar to the following:
')
"Good day. We need to set forward all calls to the new phone number. I do not have access to the phone itself. What do I need for this operation? ”
And what's next? You will be asked for the victim's phone number, a new phone number where you want to forward all calls and passport details to "verify your identity and possession of the phone number." Wow, isn't it? Simply buy a new sim card at the station for 300 rubles, or buy a virtual sim card somewhere on the network and not bathe. You give all the information and everything, it's in the bag - the redirection is on and, most surprisingly, the victim is not instantly notified about the redirection.
First, the notification did not come at all, an hour passed - it came as much as 2 times:
I tried to connect the service to another phone number of this operator - the notification comes after 2-3 minutes, which is enough to take further actions to gain access to the page. In addition, if you do it all at 4 am, then the victim is unlikely to wake up from the operator’s SMS and manage to do something on time.
Generally bad if you personally have such an operator:
Well, if such:
So, now go to VKontakte and start hacking:
Starting to recover your password:
At this stage, our victim receives an SMS stating that someone is trying to change the password on the page:
But now, so what? What do you personally have time to do in 2 minutes? SMS, we do not intercept, because call forwarding only works on calls. But we are not interested. Click "Send code again" and see the following window:
Understood what we will do next? Yeah, let the robot make the call and the operator will forward it to our phone number and tell us the code to change the password. So, we call:
The robot calls our left phone number, reports the code and then we just take and change the password:
Everything, access to the page is received. Most likely the panicked victim will soon change the password and then this action can be repeated again and the hacker has only 2-3 minutes left. But there are no problems running the page dump script, which saves the entire history of correspondence, all photos and everything that only pleases your heart in a couple of seconds.
Source: https://habr.com/ru/post/435916/
All Articles