What you need to know:
- Individuals, government, and private organisations should routinely train in cyber security at a personal level and conduct penetration tests on their computer networks.
As we were reeling from the Pegasus-Stanbic-MTN mobile money fraud that occurred on October 3, 2020, through which hackers withdrew more than Shs20b from more than 2,000 mobile money points located in different parts of the country, a similar fraud occurred: this time, a betting company experienced a breach that impacted the Airtel Money Commerce Uganda Limited (AMCUL) systems. Just under Shs8b was withdrawn using 1,800 SIM cards out of 1,840, employing the same Tactics, Techniques, and Procedures (TTPs) as in the previous fraud.
Looking at both frauds, it is evident that the threat actors (hackers) carried out the breach strategically, using a systematic approach and technical means from the launch of the attack to its end. The difference is that in the first case, Pegasus, the integrator, was the victim of the exploited vulnerability, whereas in the second case it was the betting company, an Airtel client.
When hackers have a task at hand, they begin with reconnaissance: they gather all available information about the target network, individuals, and information systems, and collect and study the exploitable vulnerabilities (open-source intelligence, OSINT).
Because the attack is organised and coordinated, the attackers have pre-registered SIM cards and new ones ready for the heist, as well as mobile money agents with ready float (cash) to complete the transactions. Conducting penetration testing with no prior information about the target, in order to discover as much as possible about the vulnerabilities existing on a system, is known as black box penetration testing.
Both ethical and unethical hackers employ this process in reconnaissance.
Through social engineering or enumeration of the betting company’s web servers, the hackers gained unauthorised access to the web resources, which led to the compromise of data. They thereby obtained permissions beyond those intended for standard users and ultimately used the escalated privileges to initiate fraudulent transactions. Airtel Commerce stopped the fraud only in the nick of time, before it could get any worse.
Contrary to what was reported by the CID detectives in the recent betting company and Airtel fraud (reported in the Sunday Monitor of November 20, 2022), a black box attack is an ATM attack that compels the ATM unit to dispense cash illegitimately by using sophisticated hacking cards that trigger the cash release.
As cyber fraud continues to surge in sub-Saharan Africa, organisations and security personnel in Uganda need to be alert to the threat actors’ level of planning and sophistication. Today, we see consistent attacks on mobile money platforms aimed at financial gain.
Tomorrow, the attacks will extend to government infrastructure, with the aim of denial of service or information theft.
Modern cyber-attacks combine social engineering strategies with malware, bugs, and rootkits, which create a foothold on social media accounts and backdoors on networks while at the same time exploiting the discovered vulnerabilities. The compromises are evident in the increasing number of hijacked social media accounts, internet blackmail, and credential theft.
Therefore, to avert this trend, individuals, government, and private organisations should routinely train in cyber security at a personal level and conduct penetration tests on their computer networks. These measures help to identify exploitable vulnerabilities and to prioritise remediation according to their level of criticality.
Dennis Ssengendo MSc., Cyber Security with Security Analysis (CND, CEH, CPENT, CHFI).