
Blackhat Technique of the Day - Get Google to pay you!

Discussion in 'BlackHat Lounge' started by Asif WILSON Khan, Jul 19, 2016.

  1. Asif WILSON Khan (Executive VIP Jr. VIP, London)

    Step 1 - Get a Premium Rate Telephone Number
    Step 2 - Use it as your Verification Number on all services
    Step 3 - Profit!

    Obviously this is a joke, but read these:
    https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/
    http://www.cio.com/article/3096619/...hrough-online-phone-verification-systems.html

    How I Could Steal Money from Instagram, Google and Microsoft

    TL;DR: Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/… . Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.

    In the latest attack that shows how hard it is for users to identify phone numbers with premium call charges, a researcher has found that he could have earned millions by abusing the online phone verification systems used by Google, Microsoft, and Instagram.

    Many websites and mobile apps allow users to associate a phone number with their account. This can be used for two-factor authentication or as an account recovery and verification option. Many of these systems rely on codes sent via text messages, but also offer the option to call the user and dictate such codes.
    Last year, a Belgian IT security consultant named Arne Swinnen started wondering if such systems test if the numbers entered by users have premium charges attached to them and set out to test several popular services.

    READ THESE:
    https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/
    http://www.cio.com/article/3096619/...hrough-online-phone-verification-systems.html
    Thanks x 5
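The two checks the write-ups above say were missing, as an added example (not code from the post or from any of the vendors named in it): refuse to dial a number whose range is premium-rate or cannot be classified, and cap how often one destination can be called at all, so a misclassified range cannot be farmed in parallel the way the Microsoft case describes. The prefix table is an illustrative assumption; a real deployment would use a maintained numbering-plan database.

```python
"""Gate voice-call verification codes against premium-rate destinations.

Added example, not code from the forum post or from the vendors named in it.
It implements the two controls the write-ups say were missing: refusing to
dial numbers in premium-rate ranges, and bounding how often one destination
can be called so a missed range cannot be farmed at scale.
"""
from __future__ import annotations

import re
import threading
from dataclasses import dataclass, field

# ASSUMPTION: illustrative, deliberately incomplete range table. A production
# gate must use a maintained numbering-plan database (regulator or carrier
# feed); premium ranges change and differ per country.
# Key: country calling code. Value: national-number prefixes, trunk '0' removed.
PREMIUM_PREFIXES = {
    "44": ("9", "871", "872", "873"),  # UK: 09xx and 0871-0873 premium rate
    "1": ("900",),                     # US/Canada: 1-900
    "32": ("90",),                     # Belgium: 090x
}
# Longest codes first so a two-digit code wins over a one-digit prefix.
KNOWN_COUNTRY_CODES = sorted(PREMIUM_PREFIXES, key=len, reverse=True)

E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # '+' followed by 8 to 15 digits


def normalize(raw: str) -> str:
    """Strip the separators users type so the same number maps to one key."""
    return re.sub(r"[\s().-]", "", raw)


def classify(raw: str) -> str:
    """Return 'ok', 'malformed', 'unknown_range' or 'premium'.

    Fails closed: a number whose range cannot be classified is refused rather
    than dialled, because a wrong 'ok' is paid for by the service, not the user.
    """
    number = normalize(raw)
    if not E164.match(number):
        return "malformed"
    digits = number[1:]
    for cc in KNOWN_COUNTRY_CODES:
        if digits.startswith(cc):
            national = digits[len(cc):]
            return "premium" if national.startswith(PREMIUM_PREFIXES[cc]) else "ok"
    return "unknown_range"


@dataclass
class CallGate:
    """Per-destination concurrency and volume caps for verification calls.

    The write-ups describe one premium number being dialled in near-unlimited
    parallel calls; even a perfect range check should be backed by a cap that
    bounds the payout if a range is misclassified.
    """
    max_concurrent_per_number: int = 1
    max_calls_per_number_per_day: int = 3
    _in_flight: dict[str, int] = field(default_factory=dict)
    # ASSUMPTION: the daily counter is reset by an external scheduled job.
    _daily: dict[str, int] = field(default_factory=dict)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def request_call(self, raw: str) -> tuple[bool, str]:
        """Decide whether to place a voice call; returns (allowed, reason)."""
        verdict = classify(raw)
        if verdict != "ok":
            return False, verdict
        key = normalize(raw)
        with self._lock:
            if self._in_flight.get(key, 0) >= self.max_concurrent_per_number:
                return False, "concurrent_limit"
            if self._daily.get(key, 0) >= self.max_calls_per_number_per_day:
                return False, "daily_limit"
            self._in_flight[key] = self._in_flight.get(key, 0) + 1
            self._daily[key] = self._daily.get(key, 0) + 1
        return True, "ok"

    def call_finished(self, raw: str) -> None:
        """Release the concurrency slot once the telephony provider reports hangup."""
        key = normalize(raw)
        with self._lock:
            self._in_flight[key] = max(0, self._in_flight.get(key, 0) - 1)


if __name__ == "__main__":
    # Constructed sample inputs, not real subscriber numbers.
    for sample in ("+44 7911 123456", "+44 909 879 0000", "+1 900 555 0100",
                   "+32 900 12345", "+49 30 12345678", "07911 123456"):
        print(f"{sample:>18} -> {classify(sample)}")
```

The point of the second control is that range classification alone is never complete (shared-cost and exotic international ranges also cost the caller), so the per-number caps are what bound the loss when the table is wrong.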
  2. ThatSEO (Jr. VIP, Sometimes UK)

    That's actually incredible
     
  3. lancis (Elite Member)

    That guy went a bit further than I usually go.

    I often register my mobile accounts on the company's info/support email (such as [email protected]); amazingly, it works 90% of the time. Often I feel generous and gladly agree to accept a newsletter to that email address. :)
    Thanks x 3
  4. Asif WILSON Khan (Executive VIP Jr. VIP, London)

  5. Sristy (Jr. VIP, Premium Member)

    Now we will have something new to deal with than phone verifications...duh
     
  6. Sherbert Hoover (Jr. Executive VIP Jr. VIP)