Fraudsters in Latin America are manipulating HTTP headers with injector files that enable unauthorized internet access.
Security firm Flashpoint is warning of an emerging attack pattern where fraudsters are using a technique known as HTTP injectors to steal internet access.
Analysts at Flashpoint reported on April 9 that they have noticed an increase in fraudster conversations about HTTP injectors, which can be used to modify the HTTP headers sent on network requests to enable unauthorized internet access.
“Cyber-criminals use HTTP injectors to obtain free access to mobile internet,” Flashpoint analyst Olivia Rowley told eWEEK. “They may also be used to circumvent regional blocks.”
Flashpoint has found that the HTTP injector files are being shared in a variety of ways, with many using the Telegram messaging service. The activity to date has been concentrated in South America, including Brazil and Colombia.
“Fraudsters typically download HTTP injector files—such as those shared openly on Telegram—then use a special HTTP injectors app to deploy the file,” Rowley said. “The scheme defrauds telecommunications companies and is not, as far as Flashpoint analysts are aware, a threat to or an attack on individuals or consumers.”
The HTTP injector method detected by Flashpoint is not a man-in-the-middle (MiTM) attack, Rowley said. In an MiTM attack, a hacker is able to get in between an individual and the intended recipient of data to intercept, manipulate and potentially redirect traffic. She added that while HTTP injector fraud is a form of redirection, Flashpoint hesitates to classify it as an “attack,” as it does not exploit a vulnerability but rather misuses the protocol as designed.
While the HTTP injector traffic monitored by Flashpoint does represent a form of fraud, the total financial impact is not known at this point. Rowley said that for the attack that Flashpoint is tracking, most of the individuals appear to be low-level cyber-criminals or individuals hoping to get free internet in a fraudulent manner.
“While we cannot estimate the losses involved with this form of fraud, 1G of data typically costs between $10-$20 USD in Latin American countries, according to a blog post published by the World Bank,” Rowley said. “These Telegram groups that we’ve observed can have upwards of tens of thousands of followers, meaning there is potential for significant losses.”
There are several methods that internet operators can use to mitigate HTTP injection attacks, but using Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption is not one of them, according to Flashpoint.
“If an ISP implements SSL/TLS on the available websites, it has no effect on the actor, as the initial website is merely to obtain a session, which can be done via HTTP or HTTPS,” David Shear, intelligence analyst at Flashpoint, told eWEEK.
In addition, Shear noted that the HTTP injection fraudsters themselves can and do make use of SSL/TLS when they use the session with SSH (Secure Shell) proxies for internet access.
“Effectively, the best prevention of this technique would require network-level protections, as opposed to protections only on the application level,” Shear said.
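One shape such a network-level check could take, as an added example that is not Flashpoint's or the article's own code: a gateway-log scan that flags sessions zero-rated on the strength of a Host header naming a free service while the actual destination is an address that service does not use. The log format, the zero-rated allowlist, the domains and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed allowlist: zero-rated service name -> address ranges it really serves from.
ZERO_RATED = {
    "free.example-carrier.net": [ip_network("203.0.113.0/24")],
    "portal.example-carrier.net": [ip_network("198.51.100.0/25")],
}

# Constructed gateway log format (hypothetical; not a real product's format).
LOG_RE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"host=(?P<host>\S+) bytes=(?P<bytes>\d+) rated=(?P<rated>free|paid)"
)

# Constructed sample log lines: one client tunnels to an SSH port while claiming a free site.
SAMPLE_LOG = """\
2018-04-09T10:00:01Z client=10.0.0.5 dst=203.0.113.10:80 host=free.example-carrier.net bytes=1200 rated=free
2018-04-09T10:00:02Z client=10.0.0.7 dst=192.0.2.44:22 host=free.example-carrier.net bytes=5400000 rated=free
2018-04-09T10:00:03Z client=10.0.0.7 dst=192.0.2.44:22 host=free.example-carrier.net bytes=7100000 rated=free
2018-04-09T10:00:04Z client=10.0.0.9 dst=198.51.100.20:443 host=portal.example-carrier.net bytes=800 rated=free
"""

def host_matches_destination(host, dst):
    """True only if the claimed Host is a known zero-rated service AND dst is one of its addresses."""
    nets = ZERO_RATED.get(host)
    if not nets:
        return False
    addr = ip_address(dst)
    return any(addr in net for net in nets)

def find_suspect_clients(log_text, byte_threshold=1_000_000):
    """Return {client: [reasons]} for clients billed as free on header/destination mismatches."""
    suspects = defaultdict(list)
    mismatched_bytes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["rated"] != "free":
            continue  # paid traffic is outside the zero-rating question
        if not host_matches_destination(m["host"], m["dst"]):
            suspects[m["client"]].append(
                f"Host {m['host']} claimed for non-zero-rated destination {m['dst']}:{m['port']}")
            mismatched_bytes[m["client"]] += int(m["bytes"])
    for client, total in mismatched_bytes.items():
        if total > byte_threshold:  # volume on mismatched sessions is what costs the operator
            suspects[client].append(f"{total} bytes zero-rated on mismatched sessions")
    return dict(suspects)
```

A real deployment would feed this from the billing gateway and pair the alert with a per-subscriber review rather than an automatic block, since allowlist drift (a free service adding addresses) produces the same mismatch.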
Rowley suggested that organizations impacted by HTTP injection look to understand how the cyber-criminals are abusing their services and then respond according to trends observed in their data.
“Monitoring of conversation and exchanges in the cyber-criminal underground can provide impacted businesses with insights into how to mitigate this issue as well as how effective mitigation measures are,” she said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.