“The exploits are anywhere you give your money. Those are the holes. Anyone you give your money, anyone who has your phone number, anyone who has your address – they’re the exploits. If their support line is based on human interaction, it’s super easy.”
-ZeroExFF, Self-Confessed Swatter
“Swatting” is a prank often used by cybercriminals to harass a target by reporting activity like a hostage situation or active shooter with the goal of getting a police SWAT team to respond. New high-profile attacks and arrests have left many asking the question “Why is this attack so easy?”
In some ways, swatting attacks are very simple. Police have no way to determine whether a call is a false alarm, and must react to any possible threat. In other ways, swatting is a surprisingly sophisticated attack. To pull it off, a potential swatter must have several pieces of information, including a target’s home address, the target’s phone number or IP address to spoof when contacting the police, and information about the target’s home and family, to provide a more accurate sounding story when they call.
Though much of this information is available freely on the internet, it is not always easy to find. While you may be able to locate the address and phone number of a person you know online, it is much harder to get information on someone you may only know as an online gamer, an internet forum commenter, or a minor celebrity. Yet, these are the most common targets for swatting attacks.
For these targets, whom an attacker knows only through gaming or the internet, it may be difficult to even find the person’s real name, much less what area of the country they live in. Meanwhile, public figures have often put much effort into maintaining their privacy. Yet even prominent reporters in the infosec industry, like Brian Krebs and Mat Honan, have had fraudsters find their personal information.
Recently, a self-confessed swatter known as “ZeroExFF” came clean on a Twitch subreddit, detailing the techniques he used to obtain detailed personal information about targets. Reporter Patrick Klepek then contacted the teenager for an interview, to learn more about the mindset behind swatting attacks.
What Klepek found was that swatting attacks are not as simple as a single call to the police. Rather, they involve a series of reconnaissance calls to several unconnected services. ZeroExFF recounts calling various internet service providers, Paypal, and Amazon in an effort to learn enough information about a victim to launch a swatting attack. Using social engineering techniques, the swatter would impersonate internal employees or the victim himself, asking for help with technical issues (to learn IP address information) or help updating account information (to learn phone numbers and addresses).
ZeroExFF wrote, “You call them, and you say ‘Hi, my name is Richard, I work out of this region. This is my first day. I wasn’t really listening to what my manager had to say. What is the tool to look up modems? Modem activity?’ Stuff like that. Most of the time, they’ll just give it to you. You ask them for their name and employee ID [EID], just to verify they’re an actual employee is what you say. Most of them will believe it. ‘Oh, it’s just this guy’s first day. He doesn’t know what he’s doing. What’s he going to do with my EID?’ But then you call and say ‘Hi, my name is Elizabeth Wallace. My EID is 20657. Can I please get an IP lookup done? My workstation’s having issues.’”
“We’d call Paypal and tell the agent we’ve moved around a lot, and require to update our information. They’d ask ‘Why not do it on site?’, we’d reply with ‘The site’s giving us weird errors and redirecting me to some random code!’ This would normally get them to let us update via the phone. They’d ask for the last 4 digits of our Bank account/Debit/Credit card on the account. We’d say ‘I have like, 20 visas, sorry, does the first number start with an X?’ The first number is usually 1, 4, 5, or 8.”
There are a few key lessons to take away from this interview. First, the phone channel is the weakest link. Customer service representatives armed with knowledge-based authentication (KBA) questions are not enough. Fraudsters are con men who are skilled in social engineering techniques. Even these gamers, who are skilled in online hacking, see the phone channel as the quickest and easiest way to steal information.
Second, not every fraud call is an attack. Pindrop research has shown that fraudsters make an average of five reconnaissance calls before finally attempting to take over a financial account. Likewise, these swatters are making several reconnaissance calls before making the final attack call to the police.
Finally, fraudsters are calling across organizations. Even if Paypal or Amazon recognized a fraudulent caller who was not attempting to steal money or goods, there is no mechanism in place to share information on that fraudster with another organization that will bear the brunt of the attack.
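The last two lessons, that reconnaissance is spread over several calls and over several organizations, are easiest to see in data. The following is an added example written for this post, not Pindrop code and not anything ZeroExFF described: it runs a simple sliding-window detector over a constructed call log. Each record stands for one customer-service interaction; the `caller_key` field is a made-up stand-in for whatever identifier an organization has for the calling device (an ANI, or a device fingerprint such as a phoneprint). Run alone, no single organization sees enough activity to flag anything; pooled, the same caller's pattern of repeated lookup and account-update requests with failed KBA stands out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records (not real data). One entry per
# customer-service interaction, as an organization might log it.
# "intent" is the agent's coding of what the caller asked for; "outcome"
# records whether knowledge-based authentication (KBA) passed or failed
# and whether account information was disclosed.
SAMPLE_CALLS = [
    {"org": "isp",      "ts": "2015-01-10T09:12:00", "caller_key": "dev-7f3a",
     "account": "victim-1", "intent": "ip_lookup",      "outcome": "info_disclosed"},
    {"org": "isp",      "ts": "2015-01-10T09:40:00", "caller_key": "dev-7f3a",
     "account": "victim-1", "intent": "ip_lookup",      "outcome": "kba_failed"},
    {"org": "payments", "ts": "2015-01-11T14:05:00", "caller_key": "dev-7f3a",
     "account": "victim-1", "intent": "address_update", "outcome": "kba_failed"},
    {"org": "retail",   "ts": "2015-01-12T10:30:00", "caller_key": "dev-7f3a",
     "account": "victim-1", "intent": "address_update", "outcome": "info_disclosed"},
    {"org": "retail",   "ts": "2015-01-12T11:00:00", "caller_key": "dev-2b91",
     "account": "cust-42",  "intent": "order_status",   "outcome": "resolved"},
    {"org": "payments", "ts": "2015-01-20T16:00:00", "caller_key": "dev-2b91",
     "account": "cust-42",  "intent": "address_update", "outcome": "kba_passed"},
]

# Request types that reveal or change contact details; these are the ones
# the interview describes being used for reconnaissance.
RECON_INTENTS = {"ip_lookup", "address_update", "phone_update"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def split_by_org(calls):
    """Group records by organization: the view each org has on its own."""
    by_org = defaultdict(list)
    for c in calls:
        by_org[c["org"]].append(c)
    return dict(by_org)


def flag_reconnaissance(calls, window=timedelta(hours=72), min_calls=3, min_orgs=2):
    """Return {caller_key: evidence} for callers whose recon-type calls
    inside any `window`-long span number at least `min_calls` and touch at
    least `min_orgs` organizations. Evidence describes the widest such span."""
    by_caller = defaultdict(list)
    for c in calls:
        if c["intent"] in RECON_INTENTS:
            by_caller[c["caller_key"]].append(c)

    flagged = {}
    for key, events in by_caller.items():
        events.sort(key=lambda c: parse_ts(c["ts"]))
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit in `window`.
            while parse_ts(events[end]["ts"]) - parse_ts(events[start]["ts"]) > window:
                start += 1
            span = events[start:end + 1]
            orgs = {c["org"] for c in span}
            if len(span) >= min_calls and len(orgs) >= min_orgs:
                prev = flagged.get(key)
                if prev is None or len(span) > prev["calls"]:
                    flagged[key] = {
                        "calls": len(span),
                        "orgs": sorted(orgs),
                        "accounts": sorted({c["account"] for c in span}),
                        "kba_failures": sum(c["outcome"] == "kba_failed" for c in span),
                    }
    return flagged


if __name__ == "__main__":
    # Each organization alone: no caller reaches the threshold.
    for org, calls in split_by_org(SAMPLE_CALLS).items():
        print(org, flag_reconnaissance(calls, min_orgs=1))
    # Pooled across organizations: the reconnaissance pattern is visible.
    print("pooled", flag_reconnaissance(SAMPLE_CALLS))
```

With the constructed data, the ISP sees two lookup calls, and the payment and retail services each see one update request, none of which reaches the three-call threshold; pooled, `dev-7f3a` is flagged with four reconnaissance calls across three organizations and two KBA failures. The thresholds are arbitrary starting points; in practice they would be tuned against an organization's own call volume, and the caller identifier must be something harder to spoof than caller ID for the correlation to hold.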
At Pindrop, we’re building tools to protect the phone channel. Our patented Phoneprinting technology can identify, locate and authenticate phone devices directly from the call audio – helping to identify fraudulent calls. With Pindrop’s Consortium and phone reputation service we can work together to detect large-scale fraud attempts across multiple networks.