xorl %eax, %eax

Cyber-criminals and SS7 attacks


Last week the news was flooded with an SS7 attack demonstration in Canada; an example of this was “Hackers only needed a phone number to track this MP’s cellphone” by CBC News. SS7 attacks have been known for years, but this news article reminded me of something I came across in a recent investigation. It started with the following PasteBin post.

This SS7 offer by threat actor “elitehackingservice” (email address: “elitehackingservice@gmail.com”) first appeared in late October 2017 and is still active on various underground websites. The offer is $400 for four PDF documents that will guide an attacker on how to exploit SS7 to track and intercept cell phones. You can see the complete advertisement below.

I have released the official SS7 Network Exploits PDF.
This guide will instruct you how to hack into the SS7 network 
and how to track cell phones to their locations and how you can
intercept them from their carriers location.
There are 4 PDF files.
1. What is SS7, how it works and current vulnerabilities
2. Entry points to the SS7 Network Protocol
3. How to hack the SS7 Network Protocol step by step instructions.
4. How to locate and intercept specific cell numbers step by step instructions.
The price is $400.
Link to buy and download is: https://satoshibox.com/x65q8owqgnxbr3n8e3s7zfdz

Contact me on: elitehackingservices@gmail.com

The threat actor decided to use SatoshiBox, a website widely used by some cyber-criminals, to sell this tutorial. Based on the description and the actual filenames from SatoshiBox, we can deduce exactly what buyers get from this offer.

  • Attacking-SS7-instructions.pdf (1.40MB): How to hack the SS7 Network Protocol step by step instructions
  • What-is-ss7.pdf (6.39MB): Entry points to the SS7 Network Protocol
  • celllocationandtracking.pdf (1.46MB): How to locate and intercept specific cell numbers step by step instructions
  • signalssystemvulnerabilitiesaugust2017.pdf (488.78KB): What is SS7, how it works and current vulnerabilities

It is worth noting that the Bitcoin address of this threat actor’s offer (3D8NZzzEkWtMiHwHyy4xw61FKmN23LvW54) has no recorded transactions as of this writing. But we don’t know whether this collection was also being sold elsewhere. An interesting tactic employed by this threat actor to advertise this offer is commenting on popular video sharing websites under videos relating to hacking software, such as mobile phone keylogger and RAT (Remote Access Trojan) tutorials or advertisements. You can see two examples of those below. Note that in those cases the threat actor “elitehackingservices” used the handle “Mr HappyCoder” instead.

It is crucial to note that I have no indicators of the reliability or credibility of this threat actor. However, it might be something that you want to investigate further if you are including SS7 attacks as part of your organization’s threat landscape.


Written by xorl

November 28, 2017 at 22:28

One Response


  1. Promotion of my exploit? That’s brilliant!
    These tutorials have been sold for the past year mostly on the dark web. I hold no responsibility for the actions which are committed by buyers.
    FYI Mr Happy Coder is a customer who has used the exploit and recommended it. I only ever advertised on satoshibox and the dark web forums and markets.

    Elite Hacking Services

    February 11, 2018 at 14:00
