Is your child's birthday coming up soon, and are you planning to throw them a party? Then you may be interested in our investigation into a form of fraud we had never encountered before. The case stands out for the surprising amount of personal data the attacker exploited. To achieve his goals, the scammer used remarkably precise information, which helped lull the victim's suspicions... and steal her money. To fully understand what happened, we interviewed the victim at length; we'll call her "Marie" to protect her anonymity.
A cyberattack in anticipation of a birthday party
The story begins a few days before the 10th birthday of her son, whom we'll call "Matteo." Ahead of a birthday party on a Sunday, paper invitations are handed out at school, and the parents of the ten or so children invited are asked to reply by text message, either yes or no.
During the week, Marie receives several text messages on her smartphone from parents confirming their child's attendance. Late one Wednesday, she receives a message from an unknown number, claiming to be the mother of "Bastien," one of the children invited. The sender explains that the little boy will not be able to come, information Marie already had: a few days earlier, she had bumped into the child in front of the school, and he had told her he would not be able to attend on the big day.
A discussion ensued via text message. "I was really convinced I was talking to the mother of one of my son's friends," she tells us. During the conversation, she was asked to resend a code she had just received, notably "because the messages are blocked by my phone." Marie didn't think twice and complied. The conversation continued until she arrived at her workplace, at which point the messages stopped.
A few minutes later, Marie glanced at her phone screen. She was immediately intrigued by notifications alerting her to four purchases made via her SFR subscription. "Then I realized that the code I had given and these purchases were linked." She thought she could fix it by calling her operator immediately, but without success. The operator explained that the four transactions, totaling around €100, had already been validated. It was too late; SFR could no longer do anything on its side. The company advised her to contact the company where the fraudulent purchases had been made: Apple.
The forty-year-old complied immediately, but here too the response was a cold shower. The company dodged the issue. At the time of publication of this article, Marie still had not recovered the money that had been wrongly charged to her. But the story doesn't end there. To the person who had presented herself as Bastien's mother, she sends this text message: "But you're actually a scam!" The person tries to call her, but she doesn't answer.
The same number then sends her: "Hello, I'm Gabriel's dad. We'll come to Matteo's birthday party." She prefers not to answer. A few minutes later, he asks: "Are you really Matteo's mother, in CM1B?" It turns out that her son is indeed in CM1B, and that a Gabriel was also on the guest list. "What shocked me the most was that they had a lot of very specific information available," she told us. How could the scammer have so much data that turned out to be true, given that the victim says she used no physical or online service provider for this birthday? She also did not advertise the event on social media.
What really happened?
To understand how the attacker managed to get hold of such specific information, we contacted a handful of cybersecurity researchers. The experts agree that the scam is particularly well-crafted. Interviewed by 01net.com, Benoit Grunemwald, director of public affairs at ESET France, admits that anyone could have fallen into the trap.
This scam is in fact based on psychological manipulation, a technique known as social engineering. Instead of attacking vulnerabilities in computer systems, cybercriminals manipulate people to extract information from them or push them into doing something.
The researcher emphasizes that it is very complicated to protect yourself against scams of this type, "because it means that you question even people who are close to you, people you may even have, why not, met or thought you met at the school gates."
The trail of a hacked smartphone
For Marc Rivero, a researcher at GReAT, the global research and analysis team at the cybersecurity company Kaspersky, it is likely that "one of the parents' phones was hacked." The compromise would have allowed the "scammer to access WhatsApp messages." Through a compromised smartphone, the attacker could have obtained a wealth of information about Marie and the birthday party being planned at her home. It's possible that this is how the "scammer was able to gather enough personal information to make their story credible and time the scam just right." The parent of one of the invited children could have been targeted by malware, such as an information stealer, or by a criminal specializing in phishing attacks.
As Benoit Grunemwald points out, smartphones, especially Android devices, are massively targeted by malware, whether through the Play Store or APKs shared online. Android applications very often spread malware on their users' phones without them being aware of it; your child, for instance, can discreetly install free apps. Such applications can be Trojan horses: harmless-looking apps designed to slip malware, such as spyware, onto their users' smartphones.
In this scenario, the attack would be carried out by a scammer located abroad, who specializes in online fraud and who has all the tricks and tactics needed to dupe his victims. In other words, it could be a "brouteur," a scammer accustomed to pretending to be someone else in order to extort money from Internet users. They are generally found in Africa, particularly in Ivory Coast, Benin, or Ghana.
A stolen phone number
Researchers do not rule out the possibility that a relative of Marie was the victim of a SIM swap attack. This type of attack involves stealing a phone number by transferring it to another SIM card. During this time, the real SIM card no longer works: the owner finds themselves without a network connection, without understanding why.
The hacker can then read and send text messages using the victim's phone number, without the victim realizing it. By reading the messages received, the hacker could have learned about Marie's birthday party and decided to take advantage of it.
An attack from "an acquaintance of an acquaintance"?
Several elements of the victim's testimony suggest that Marie was the victim of a cybercriminal who is close to her. It could be "an inside job, where a parent in the class used information they already had, such as Marie's phone number, the date of the party, and the children's names, to pretend to be another parent and carry out the scam," believes Marc Rivero.
We could be "dealing with a French person who wants to make some pocket money," adds Benoit Grunemwald. The attack would then come from an "acquaintance of an acquaintance or someone nearby." "You don't need to go to Africa to find these malicious little geniuses." The expert cites the example of the cyberattack that hit Free last year, which resulted in the theft of the personal data of nearly 20 million subscribers. After investigation, it turned out that the attack was carried out by a 17-year-old boy living in Breuillet (Essonne).
It is likely that the hacker behind the birthday party scam is "culturally very close to us and therefore not necessarily in Africa". Experts do not rule out the possibility of personal revenge, specifically directed against Marie. The attacker allegedly wanted to target the victim in order to harm her. Financial gain would be secondary here.
A piece of paper at the origin of the scam
As for the attack vectors, our research suggests that it was the paper invitation, handed out at school by Marie's son, that was at the origin of the scam. It was thanks to this document that the attacker obtained the information needed to contact the victim and achieve his goals. Although Marie says there was no digital trace of the event, it's not inconceivable that one of the parents took a photo of the invitation to share it. That photo, full of personal details, could then have been collected by malware installed on that phone or on the phone of the person it was sent to.
Expert Adrianus Warmenhoven also points out that information written on scraps of paper can end up being exploited by hackers. Even "garbage can reveal data, as demonstrated by the 'dumpster diving' technique." As a precaution, we recommend shredding all documents containing information about your accounts, such as invoices or financial documents.
A mistake on SFR's part?
The scam was carried out thanks to a single-use code that the victim received from SFR. Marie then made the mistake of giving it to the scammer, whom she believed to be the mother of one of her son's friends. This code had in fact been sent by the operator to validate purchases made via her mobile subscription. Certain services and products can indeed be bought this way, as specified on the telecom operator's website: only series, games, music, and purchases made on app stores like Google Store can be billed to the subscription.
As is common in this kind of fraud, the scammer opted for small transactions, each under 25 euros, to evade anti-fraud mechanisms. This is a classic tactic to slip under the radar of banks' automatic fraud detection systems, and also to hope that the victim won't immediately notice the small amounts, emphasizes Marc Rivero. Was the operator at fault? None of the experts contacted said so. The code the operator sent and the code entered to validate the purchase matched. In the current setup, the operator had no way to detect that Marie, the subscription holder, was not the one making the purchase. But according to Benoit Grunemwald, director of public affairs at ESET France, companies could strengthen the security process in this area by adding an additional validation step.
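The pattern the experts describe, several purchases each kept under 25 euros and validated with a single SMS code within minutes, is exactly what a velocity check on the operator's side could catch. The following is an added illustration, not code from 01net.com, SFR or any of the researchers quoted; the subscriber lines, amounts, timestamps and thresholds are constructed for the example. It shows two defensive checks: a batch rule that flags accounts whose recent purchases look like structuring, and a per-purchase rule that would trigger the "additional validation step" Benoit Grunemwald suggests before the next purchase is accepted, even though the one-time code matched.

```python
"""Velocity checks for carrier-billing purchases (constructed example, not SFR's logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Purchase:
    account: str       # subscriber line identifier (constructed value)
    amount_eur: float  # amount billed to the subscription
    at: datetime       # time the purchase was submitted


# Constructed sample data. "line-A" mirrors the case in the article: four
# purchases, each under 25 euros, in ten minutes. The other lines are normal.
# Every purchase here is assumed to have passed the SMS code check.
SAMPLE_PURCHASES = [
    Purchase("line-A", 24.99, datetime(2025, 3, 12, 8, 41)),
    Purchase("line-A", 19.99, datetime(2025, 3, 12, 8, 44)),
    Purchase("line-A", 24.50, datetime(2025, 3, 12, 8, 47)),
    Purchase("line-A", 22.00, datetime(2025, 3, 12, 8, 51)),
    Purchase("line-B", 9.99, datetime(2025, 3, 12, 9, 5)),
    Purchase("line-C", 15.00, datetime(2025, 3, 10, 18, 0)),
    Purchase("line-C", 40.00, datetime(2025, 3, 13, 20, 30)),
]


def window_stats(history, account, now, window):
    """Count and total of an account's purchases in the interval [now - window, now]."""
    recent = [p for p in history
              if p.account == account and now - window <= p.at <= now]
    return len(recent), round(sum(p.amount_eur for p in recent), 2)


def needs_step_up(history, candidate, window=timedelta(minutes=30),
                  max_count=3, max_total=50.0):
    """Per-purchase rule: should the operator demand more than the SMS code?

    True when accepting `candidate` would make it the `max_count`-th purchase
    in the window, or push the window total above `max_total` euros. A single
    matching code is not enough evidence at that point; the operator should
    call back, ask for an account password, or hold the purchase.
    """
    count, total = window_stats(history, candidate.account, candidate.at, window)
    return (count + 1 >= max_count) or (total + candidate.amount_eur > max_total)


def flag_structured_purchases(purchases, window=timedelta(minutes=30),
                              per_tx_limit=25.0, max_count=3, max_total=50.0):
    """Batch rule: find accounts with clusters of small purchases in one window.

    Returns {account: {"count", "total_eur", "all_under_limit"}} for the
    first window on each account that contains at least `max_count` purchases
    under `per_tx_limit` euros, or whose total exceeds `max_total` euros.
    """
    by_account = {}
    for p in sorted(purchases, key=lambda p: p.at):
        by_account.setdefault(p.account, []).append(p)

    alerts = {}
    for account, txs in by_account.items():
        for i, anchor in enumerate(txs):
            in_window = [t for t in txs[i:] if t.at - anchor.at <= window]
            small = [t for t in in_window if t.amount_eur < per_tx_limit]
            total = round(sum(t.amount_eur for t in in_window), 2)
            if len(small) >= max_count or total > max_total:
                alerts[account] = {
                    "count": len(in_window),
                    "total_eur": total,
                    "all_under_limit": len(small) == len(in_window),
                }
                break  # one alert per account is enough for review
    return alerts


if __name__ == "__main__":
    for account, info in flag_structured_purchases(SAMPLE_PURCHASES).items():
        print(f"{account}: {info['count']} purchases, {info['total_eur']} EUR, "
              f"all under per-transaction limit: {info['all_under_limit']}")
```

On the sample data only "line-A" is flagged: four purchases totalling 91.48 euros, all under the 25 euro limit, so each one individually looks harmless while the cluster does not. The per-purchase rule would already have asked for extra validation on the third purchase, before most of the money left the account. The thresholds are deliberately simple; a real deployment would tune them against legitimate buying patterns to keep false positives low.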
Contacted by 01net.com, SFR indicated that, to its knowledge, there has been "an increase in complaints" following similar scams. The operator reiterates that the code, which allows purchases to be verified, "is not shared." When it is sent, "a warning message accompanies it (...), it is explicitly stated that it is personal and for security reasons, should not be shared", the company emphasizes.
Best practices to protect yourself
Through our discussions with researchers, we have drawn up a list of best practices to adopt to avoid scams of this kind.
Remove the possibility of purchases via your subscription
To avoid this type of scam, you can first restrict purchases made via your subscription, directly with your operator. To do this, simply go to your personal account (in SFR's case, the page "manage my online purchases of services and multimedia subscriptions") and uncheck the purchase option. Any attempt will then be blocked outright by the operator. You can also set a spending cap, which can significantly limit the damage.
Two numbers are better than one
We also recommend separating your private and professional activities by opting for two phone numbers if you have a public professional activity. Marie, for example, used the same phone number for her private communications, such as organizing her son's birthday party, as for making professional appointments. By opting for two separate numbers, it's possible to avoid certain scam attempts.
Getting a second phone number is very simple. Many smartphones, including the iPhone, already let you use a physical SIM card alongside an eSIM, a SIM card commonly described as virtual.
Disposable Numbers
Following the same logic, you can use disposable numbers. In Marie's case, she could have organized the birthday party using a temporary phone number. This precaution would have kept anyone from getting hold of her real number. The same tip applies when you're selling something on LeBonCoin or Facebook.
Services that allow you to get a second phone number at a reasonable price include apps like OnOff, Hushed, Numero eSIM, and TextNow. We also recommend services like Holafly and Yesim. You can buy a number and delete it later.
An alternative to a phone number
Instead of giving your guests a phone number, you can invite them to a messaging app like Telegram. This allows you to create a username and chat with someone without giving them a number. Simply share your username for someone to contact you. Your phone number remains secret unless you've decided to display it publicly in the app's settings.
Obviously, this solution requires your potential contacts to install Telegram instead of sending you a simple text message. We're well aware that this approach may put off a large number of your contacts, but we decided to talk to you about it anyway.
Private questions as passwords
To confirm the identity of the person you're talking to, don't hesitate to ask them questions that only they can answer. This is the best way to dispel doubts, and it is more effective and reliable than a phone call. In sophisticated attacks, hackers can go so far as to clone the voice or face of the person you're talking to using deepfake technology. A call, whether audio or video, is therefore not necessarily enough, especially if you're dealing with well-resourced attackers.
Be careful to choose information that hackers cannot obtain, such as private anecdotes. Don't choose information that could have been public at one point or another, whether on Facebook or Instagram. Hackers can scour your social networks looking for data about you.
Good habits to adopt
Finally, there are some basic good digital habits that could help you slip through hackers' net. First of all, never install apps that don't come from an official store, like the Play Store or the App Store; apps from elsewhere are often fraudulent and lead to the installation of malware. Second, get into the habit of installing a reliable antivirus on your phone, especially if you often open files downloaded from the internet on it. Furthermore, take the time to enable two-factor authentication whenever possible, and choose a strong, unique password to secure each of your accounts.
What to do after the scam?
If you are the victim of a similar scam, the first thing to do is to block purchases via your subscription with your operator and to dispute the transactions with them. Also dispute these transactions with the company that charged you. Notify your bank too, and if necessary block the payment – fraudulent charges can also occur at the same time or at a later date. Change all your passwords, and file a complaint against an unknown person – this can be done online.
It is also possible that your smartphone has been infected; we recommend installing an antivirus program. Talk to those around you about what happened. Remember that as soon as someone brings up money, or asks you to pass on a code, that should alert you and prompt you to end the conversation, whether spoken or written.
Unfortunately, the mystery surrounding the birthday party scam that Marie was a victim of remains unsolved. With the help of experts, we were able to draw up a series of hypotheses and imagine plausible attack scenarios, but we have no certainty. To be sure, we would need to conduct a forensic analysis of the victim's smartphone, and that of all the parents of the children invited. To this day, we do not know the status of the law enforcement investigation.