Exclusive

Little-used mobile phone feature exposes new scam threat

John Davidson, Columnist

Telecommunications companies are on alert to counteract a newly discovered consumer security risk that lets scammers bypass identity checks for online transactions such as banking, shopping and messaging.

A “perfect storm” of technological progress means a barely used feature of mobile phone networks, put in place 19 years ago, can now be used by hackers to get around security protecting systems from Apple, Microsoft, Okta, Signal and other software providers, a report from an Australian information security company said.

Jamieson O’Reilly, the founder and CEO of the cybersecurity firm DVULN, has uncovered a feature in the mobile phone system that can be used to bypass multifactor authentication. Dominic Lorrimer

The old feature, still enabled on mobile phone networks worldwide, lets attackers divert voice calls if they can fool phone owners into clicking on a link that contains a “tel://” prefix, followed by a code that diverts calls to a new number owned by the attacker.

While abuse of the call-diversion system has been a potential problem since it was added to mobile phone systems in 2004, it has become more of a risk as companies have started using voice calls as a fallback in multifactor authentication systems.

Multifactor authentication adds multiple steps to login processes, for example, a password along with a code sent by SMS, or an answer to a secret question.


Jamieson O’Reilly, the CEO and founder of the Sydney-based security company DVULN who wrote the report, said many of these systems allow users to opt to receive a voice call containing a login code if SMS fails.

This means that attackers could divert a victim’s voice calls, and then bypass the MFA system by simply requesting the code get sent by voice.

Additionally, the recent rise in AI systems capable of faking an individual’s voice meant that call diversion could be used in other attacks, too, where computers are used to impersonate the recipient of calls, he said.

“What we’ve got here is a perfect storm of factors, where you have old-school carrier technology and functionality, running on modern phones that do their best to render all different types of links to users, combined with a world where people now use phone-based MFA,” Mr O’Reilly told The Australian Financial Review.

The malicious tel:// link can be distributed via any number of channels, including as SMS messages, WhatsApp messages and as links in a website or email, he said.

Apple users who have their Mac connected to their iPhone will still fall victim to the attack even if they only clicked on the malicious link on their Mac, he said.


Telcos on alert

While diverting voice calls through a malicious tel:// command did cause a very suspicious-looking screen to pop up on iPhones (and a somewhat less obvious dialogue box to pop up on Android phones), the lack of sophistication needed to mount the attack, coupled with the near-free cost of distributing it to many potential victims at the same time, meant that such an attack would inevitably fool some people, he said.

Mr O’Reilly said he had notified Telstra, Optus and the owner of the Vodafone network, TPG Telecom, before publishing the results of his investigation.

In response to queries, a Telstra spokesman said the phone company had yet to see any abuse of the tel:// prefix on its system, but would start to block any SMS messages it saw with malicious tel:// links should they start to appear following the publication of the DVULN report.
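The screening Telstra describes, flagging messages whose tel: links carry a carrier command rather than a plain phone number, can be illustrated with a small message filter. This is an added example, not code from Telstra, DVULN or the article; the message samples are constructed, and the dial string in the suspicious sample uses a placeholder service code rather than any real diversion code.

```python
import re
from urllib.parse import unquote

# RFC 3966 defines "tel:"; the article's "tel://" spelling is also rendered as a
# dial link by phones, so both forms are matched.
TEL_URI = re.compile(r"tel:(?://)?([^\s<>\"']+)", re.IGNORECASE)


def extract_tel_targets(text: str) -> list[str]:
    """Return the percent-decoded dial string of every tel: link in a message."""
    targets = []
    for match in TEL_URI.finditer(text):
        dial = unquote(match.group(1)).rstrip(".,;:!?)")  # drop trailing punctuation
        targets.append(dial)
    return targets


def is_mmi_dial_string(dial: str) -> bool:
    """True if the dial string uses supplementary-service (MMI) syntax.

    An ordinary number is digits with an optional leading '+' and separators;
    '*' or '#' marks a carrier command, which is the class of dial string the
    article describes being used to divert a victim's calls.
    """
    return any(ch in dial for ch in "*#")


def screen_message(text: str) -> dict:
    """Classify one message: which tel: links it carries and whether to block it."""
    targets = extract_tel_targets(text)
    flagged = [t for t in targets if is_mmi_dial_string(t)]
    return {"tel_links": targets, "flagged": flagged, "block": bool(flagged)}


# Constructed sample messages (not real traffic). "NN" stands in for a
# carrier service code and is deliberately not a real one.
SAMPLE_MESSAGES = [
    "Your parcel is on its way. Questions? Call tel:+61-2-8000-0000.",
    "Security alert: confirm your number now tel://*NN*0400000000%23",
    "Reminder: appointment tomorrow at 10am. No link here.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(screen_message(msg))
```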

“Staying ahead of scammers is sometimes like a game of whack-a-mole,” said Chris Mohan, threat research and intelligence principal at Telstra.

“Technology will inherently come with a variety of features and functionality in various layers that could unfortunately be misused or manipulated by scammers or criminals who are always looking for new ways to steal personal data or gain financially.


“Where we detect abuse of technology on our network we will take necessary action, including blocking malicious messages being sent to customers via our Cleaner Pipes program.”

In a statement, TPG Telecom said that, while this was neither a network fault nor security breach, it was working with its device partners and network teams to identify options to protect customers.

“This reiterates the critical need to be wary of unsolicited texts, messages and emails, even from seemingly reputable sources. For every update, every solution, every problem and patch, one of the best defences remains user diligence and awareness,” TPG said.

John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology. Connect with John on Twitter. Email John at jdavidson@afr.com
