Introduction
Bohdan Hopanchuk is an ethical hacker, based in Kyiv, Ukraine. Check out his first podcast (Podcast 99) with us focused on some of the scams operated by CPaaS. Bohdan received great feedback on his first episode.
One person who provided feedback claimed Johnny has a poor reputation in the industry because he names the organizations committing fraud. This demonstrates the level of corruption in CPaaS, when the crooks expect to remain nameless.
We should be celebrating the CPaaS committed to doing the right thing for their customers, like BT Group, Deutsche Telekom, and TSG Global. Crooks cannot be trusted and should not be allowed to operate in the CPaaS industry. Just look at the state of the US telecoms industry, where lawmakers are advising Americans to avoid using the PSTN. We’ve been warning the industry about these issues for close to 18 months. And still some people / organizations try to maintain the cover-up.
We all know a grandma or grandpa who has been scammed. One of the TADHack participants’ parents lost their life savings to a romance scam, so their children now support them. Scammers and those who enable scammers should be sent to prison. This is not like a speeding ticket; this is like driving drunk and killing the people in the other car. Lives are being lost and ruined every day, and we can stop this together by naming the crooks facilitating it and showing the solutions telcos and individuals can adopt, e.g. in the Honest CPaaS Review.
Here is part of an email Bohdan received from an international cyber criminal:
We’re looking for local USA route (both SIM and Direct) that can accept marketing type traffic (we got daily 1-3 mln SMS) Have u got this kind of route now?
Millions of SMS per day, for ‘marketing’ messages (likely containing a URL), for local USA routes. It’s phishing coming into the US.
Digital Armies of Tens of Millions of devices
But back to Bohdan: he ties together several threads that made me realize how vast the problem has become. He covers AIT, SIM/eSIM, hacking QR codes (quishing), huge bot-nets via telecom routes, and infected devices. Simply put, there are digital armies of millions / tens of millions of devices under state-sponsored control.
We had an excellent presentation last year on The EU Cyber Resilience Act, on the risks of out-of-date open source software in IoT devices. It was given by Olle Johansson, experienced consultant in network security and real-time communication (PKI, WebRTC, SIP, XMPP) and Kamailio and Asterisk expert, and Sandro Gauci, CEO / Senior Penetration Tester / Chief Mischief Officer at Enable Security.
Bohdan confirmed that this risk is widely exploited, so there are millions, likely tens of millions, of devices sending spam (email and SMS), malware, and any credentials used on compromised devices. In 2023 and 2022 we saw bot-nets being used for DDoS (Distributed Denial of Service) attacks. In 2021 Sandro Gauci gave an excellent presentation at TADSummit on The worst of enemies – let’s talk about DDoS and RTC.
TADSummit has covered many of the issues over the years, but we did not join up the thinking on these issues, which Bohdan is now enabling. Cyber criminals, and also kids, as the technology has become so widely known, infect devices like web cams, EVs (Electric Vehicles), etc. Then, upon the criminal’s command, the devices can be used for any campaign: for example, sharing all your credentials to steal from you, spy on you, or hold you to ransom. It’s multi-platform: calls, emails, SMS, eSIMs, messaging clients, etc.
With state-sponsored attacks they target government agencies and financial institutions, stealing tens of billions of dollars.
Biometrics, Zero Day Exploits, Scale of Bot-Nets
An important point Bohdan made is to use your biometrics, e.g. your fingerprint, as that has not yet been compromised. Use passkeys! My family use biometrics across our phones and laptops, though not on the many other devices we use around the home. For those, we try to ensure the software on the IoT devices is up to date, that there are no default passwords, and we monitor for unusual home network traffic.
Bohdan moves on to zero day exploits, that is, inherent weaknesses in software systems, and how state-sponsored hackers are placing malicious code 24/7 wherever they find zero day exploits, for later activation. As an example Bohdan uses the Deloitte hack, reported yesterday, where Brain Cipher Ransomware Group allegedly stole 1 TB of data.
I then ask about the ratio of fraudulent traffic between SIM boxes and bot-nets. Bohdan highlights that the bot-nets have access not only to SMS, but also to SS7, grey routes, zero hop direct routes, etc. Scammers are so confident in the delivery of phishing SMS that their only concern is the click rate for a campaign.
Johnny highlights the unusual situation we’ve reached, where senators are warning people not to use the PSTN, and that ultimately telcos will be held responsible for the situation, not their third parties. In the Honest CPaaS Review, we highlight the steps telcos can take to protect their customers and their networks.
In his next TADSummit episode, Bohdan will go into more detail on the exploits and how people can protect their emails. Bohdan joined up the thinking of several topics TADSummit has covered over the past few years, to realize the scale of the threats we face. When the US lawmakers are briefed on Dec 11th, the outcome could again be unusual, as we do live in interesting times.