Brazil’s Top Government Officials Were Hacked by “Spoofing” Attacks

RIO DE JANEIRO, BRAZIL – Four people were arrested this week during Operation Spoofing by the Federal Police on suspicion of having hacked into the cell phones of Minister Sérgio Moro and other high-ranking government officials, including President Jair Bolsonaro and Economy Minister Paulo Guedes.

A spoofing attack is when a malicious party impersonates another device or user on a network to launch attacks against network hosts, steal data, spread malware, or bypass access controls. (Photo internet reproduction)

The decision ordering the temporary arrest of the four suspects, issued by Judge Vallisney de Oliveira of the 10th Federal District Court of Brasília, states that the investigations have shown that:

“… the alleged hackers gained access to the code sent by the Telegram application’s servers to Moro’s cell phone and the other targets in order to open the App’s variant on a computer browser, rather than on the cell phone”.

“… then they made calls to the victim’s phone number so that the line would be busy and the call containing the Web Telegram service activation code would be directed to the victim’s mailbox …”

Understand how this happened and the steps taken by the criminals

In the context of information security, and particularly network security, a spoofing attack occurs when a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage.

How does Telegram access work?

When a user tries to access a Telegram account from a new device, the app sends a verification code to authorize entry. Unlike WhatsApp, Telegram allows several simultaneous sessions.

This authentication is carried out through a five-digit code. First, a message is sent to the Telegram app itself. Users can then request an SMS with this code.

Finally, users can ask Telegram to place a phone call that relays the access code.

Why does the victim receive a call from his/her own number?

According to Judge Vallisney de Oliveira, who authorized the suspects’ arrest, this was part of the tactics the hackers used to obtain the authentication code for the victims’ Telegram accounts.

Minister Sérgio Moro’s cell phone was deactivated on June 8th, when he realized that he had been a victim of a cyber attack by receiving three calls from his own number. (Photo internet reproduction)

What is known about Operation Spoofing

Attackers benefit from the fact that the app provides the option of sending the code through a phone call.

Placing multiple calls to the victim’s mobile number keeps the line busy, which causes the Telegram call to land in the victim’s voice mailbox.

The attackers place these calls through a Voice over IP (VoIP) service, which lets them call from the Internet and put a “cover” over the caller’s number. As a result, it may appear that victims are receiving a call from their own number.

Public telephone networks often provide caller ID information, which includes the caller’s number and sometimes the caller’s name, in each call.

However, some technologies (particularly VoIP networks) allow callers to forge caller ID information and present fake names and numbers.

Gateways between the networks that allow such spoofing and other public networks then forward that fake information.

According to the Federal Police, the gang in Araraquara, in the interior of São Paulo, used cell phones and high-tech computers to access Telegram app accounts. (Photo internet reproduction)

Since spoofed calls can originate from other countries, the laws in the receiver’s country may not apply to the caller. This limits the effectiveness of laws against the use of spoofed caller ID information to further a scam.

According to the investigations, VoIP was used to forge (or “spoof”) the victims’ telephone numbers.

“From then on, it was possible to call the same number and access the victim’s mailbox, listening to the Telegram access code and thus entering the victims’ Telegram app,” says Sandro Süffert, executive director of Apura Cyber Intelligence.

According to the court ruling, the police investigation identified 5,616 calls made by the alleged hackers in which the receiver’s number was identical to the caller’s number.

It was by tracking the origin of these calls, through the VoIP service, that investigators were able to locate the suspects.
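The indicator described above, a call whose caller number equals the receiver's number, can be searched for in carrier call records. The following is an added example, not part of the original article or the investigation's tooling; the record layout, trunk names, timestamps and phone numbers are constructed, and the number normalization assumes Brazilian numbering.

```python
import csv
import io
from collections import Counter

# Constructed sample call detail records (CDRs): column names, trunk labels,
# timestamps and phone numbers are all invented for this example.
SAMPLE_CDRS = """\
timestamp,ingress_trunk,calling,called
2019-01-01T18:01:10,voip-gw-A,+55 61 99999-0001,061999990001
2019-01-01T18:01:12,voip-gw-A,5561999990001,+5561999990001
2019-01-01T18:02:40,mobile-net,+5511988880002,+5561999990001
2019-01-01T18:05:00,voip-gw-B,(11) 97777-0003,+5511977770003
2019-01-01T18:07:30,mobile-net,+5521966660004,+5521966660005
"""

COUNTRY_CODE = "55"  # assumption: records come from a Brazilian carrier


def normalize(number):
    """Reduce a dialled string to country code + area code + subscriber."""
    digits = "".join(ch for ch in number if ch.isdigit())
    digits = digits.lstrip("0")  # drop trunk/international prefix zeros
    # National numbers are at most 11 digits; area code 55 exists, so the
    # length check (not just the prefix) decides whether to add the code.
    if len(digits) <= 11 or not digits.startswith(COUNTRY_CODE):
        digits = COUNTRY_CODE + digits
    return digits


def find_self_calls(cdr_text):
    """Return CDR rows whose caller ID equals the called number."""
    rows = csv.DictReader(io.StringIO(cdr_text))
    return [r for r in rows
            if normalize(r["calling"]) == normalize(r["called"])]


def trunks_by_self_calls(hits):
    """Count flagged calls per ingress trunk to show where they enter."""
    return Counter(r["ingress_trunk"] for r in hits).most_common()


if __name__ == "__main__":
    flagged = find_self_calls(SAMPLE_CDRS)
    for r in flagged:
        print(r["timestamp"], r["ingress_trunk"], r["calling"])
    print(trunks_by_self_calls(flagged))
```

Comparing normalized numbers matters because the same line can appear in international, national or punctuated form in different records; grouping the hits by ingress trunk points to the gateway through which the spoofed calls entered the network.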
