A Tale of Two Professionals

Tuesday, September 09, 2014



By: Rob Beck

On a recent engagement I was tasked with reviewing a mobile application that provides users with disposable phone numbers. The application I was testing provided phone numbers to mobile users, permitting users to make VoIP phone calls, as well as receive SMS and picture messages; I will omit the actual application name, since it has no impact on the information being disclosed and I’m not out to shame a specific developer.  As part of their service offering, you could acquire phone numbers in various countries, as well as, various regions and cities in those countries, allowing for “local” phone calls, reducing costs for inbound and outbound regional calls.

During the initial setup of the application, new users are provided a free phone number to use during a three day trial period.  The trial period provides all features of the service including making and receiving phone calls, sending and receiving SMS messages, sending and receiving picture messages, caller identification (“Caller ID”), and voicemail.  At the conclusion of the three day trial period, users are asked to renew the phone number or acquire a different number, using extremely short-term or long-term subscriptions.  One of the selling points of the service is permitting users to create “burner”, or disposable, phone numbers that they can use for a specific period of time and for specific purposes.

Another feature of the service is the ability to have multiple phone numbers, to be used on a single mobile device.  This allows users to have multiple phone numbers, for specific purposes, in a variety of regions around the world.  As part of my testing, I navigated the various menus, going through the process of acquiring a phone number in another country.  The most important thing to note here was that after selecting my country and region/city of choice, I was presented with a list of possible phone numbers I could acquire for that area.  Not only did this allow me to enumerate possible phone numbers for this service, at least the ones not currently in use, it indicated that the service had a finite amount of available phone numbers in any area; this “feature” might be indication enough that privacy and anonymity wasn’t on the forefront of the developer’s mind.  It was only after I had selected a number that I was prompted with the various pricing models available to procure the phone number for personal use.

Because of the various pricing options, as well as the trial period, I opted to put the project on hold and move on to another application so that I could allow the trial period to expire.  This would allow me to determine pricing models following the trial period, as well as, anything else the application might want to charge me for.  I put the application in the background and went about conducting my testing on additional applications.

Fast-forward 48 hours later.  I decided to check up on the previous VoIP application to determine if there were any additional notifications for payment, warnings of trial expiration, and to begin wrapping up my testing to begin documentation.  I was surprised to see that the application had logged in excess of 20 missed calls and had a backlog of SMS messages from 10 or more random people.  If you’ll recall, I established that this service had a finite number of available phone numbers, I was provided a free phone number to test during the trial period, and this means that the number I was provided was previously used by another user of the system.

Going based solely on the contents of the SMS messages received, as well as some of the voicemails left on my trial number messaging service, the previous owner was also a specialized professional who is use to charging an hourly rate; let’s just say that her chosen profession was of a much more discreet and intimate nature.  I was presented with text upon text message asking if he/she was available, what their hourly rate was, as well as a few much more graphic explanations of specific requests the potential clients would like performed.  What was more surprising, and traumatizing, was that some of these individuals had chosen to send naughty-gram picture messages of their previous work with this professional, personal pictures in admiration of this person, and… well, you have an imagination.

None of the individuals contacting this number had any indication that the person they were trying to contact (no pun intended) had been using a burnable phone number.  The problem was made worse for them because of the features provided by this service, as previously mentioned the VoIP service offers Caller ID; I was not only receiving the correspondence from this lengthy list of previous contacts, but now I had the phone numbers they were using to reach me.

A sample of the least explicit messages received.

A sample of the least explicit messages received.

This situation now not only posed a risk to the previous owner of this phone number, permitting me access to their contacts who had reached out to her, but exposed her clients and potential clients to exposure from an unknown individual now in possession of their information.  While it would be nice to assume that the individuals attempting to correspond with the previous owner of the number were also using temporary phone numbers, this isn’t a perfect world and people rarely take the steps needed to ensure their privacy if they don’t feel that they’re at risk; after all, some amount of this sort of business is based on a level of trust and unwritten understanding between the professionals and their clients.

I’m not here to provide commentary on the nature of the previous individual’s chosen profession or hobby, to each their own, but this situation presented an extreme introduction into some of the dangers of the burner phone culture some of us have come to accept.  While many of us can see the value of having a disposable phone number and messaging, easily hopping between numbers for both legitimate and illegitimate purposes, I don’t think many people have realized the repercussions of being the recipient of a disposable resource.  Even in the age of services such as Google Voice, assumptions are made that the numbers we’re corresponding with have a reasonable time to live with the person that provided it to us.

With a minimal amount of social engineering, much more information could have been captured from these individuals.  Due to the disclosure of their phone numbers coupled with the power of Google and other search engines, the potential for extortion by a random individual who is now in possession of compromising photos is also a reality.  The next time we make a phone call, or send a SMS with questionable content, we have to ask ourselves – do we really know who is receiving this or have we also been burned?

This was cross-posted from the Neohapsis blog.

General Impersonation Phishing Phreaking
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.