In a growing trend, threat actors are using HTTP injectors to gain free internet access – which may result in a loss of revenue for telecommunications companies worldwide, particularly those that require a SIM card with a balance to access the internet.
Flashpoint analysts have observed widespread chatter pertaining to the use of HTTP injectors to gain unpaid mobile access to the internet. The injectors modify the HTTP headers of network requests with malicious code; the altered headers then trick captive portals into letting the device connect to the internet.
According to an analysis from Olivia Rowley and Amina Bashir at Flashpoint, the bad actors are mainly located in Latin America, particularly in Brazil and, to a lesser extent, Colombia. The actors target Latin American telecommunications companies, especially those that operate in Brazil.
“The process begins via a device with a SIM card with zero remaining balance,” the researchers explained, in a column sent to Infosecurity. “Using the device’s mobile browser, they connect to a data-free website to avoid connecting to a captive portal asking the user to pay before accessing the internet. The initial connection to the data-free website begins the session, which can then be exploited using HTTP injectors to request SSH proxies to connect to the internet.”
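The flow described above relies on the carrier's portal trusting what the client puts in its HTTP headers: the device keeps a session that began on a data-free site and then asks for tunnels that should have been billed or blocked. The example below is added here as an illustration and is not code from Flashpoint, Infosecurity or any carrier. It shows the two checks a transparent proxy or billing gateway could apply before granting zero-rated treatment: does the TCP destination actually belong to the data-free site named in the Host header, and is the client asking for a plain web page or for a CONNECT tunnel. The domain names, address ranges and request samples are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zero-rated ("data-free") sites and the address ranges the
# carrier expects them to be served from. Names and ranges are constructed.
ZERO_RATED = {
    "free.example-carrier.net": [ipaddress.ip_network("203.0.113.0/24")],
    "portal.example-carrier.net": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class Request:
    method: str          # e.g. GET or CONNECT
    target: str          # request-target from the request line
    host_header: str     # Host header as sent by the client (may be spoofed)
    dst_ip: str          # address the TCP connection was actually opened to


def parse_request(raw: str, dst_ip: str) -> Request:
    """Parse the request line and Host header of a raw HTTP/1.x request.

    dst_ip comes from the gateway's own connection tracking, not from the
    client, which is what makes it usable as ground truth.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    return Request(method.upper(), target, host, dst_ip)


def classify(req: Request) -> str:
    """Decide how the gateway should treat one request.

    Returns one of:
      'billable'            Host does not claim a zero-rated site; bill normally.
      'suspect-tunnel'      Zero-rated Host combined with a CONNECT tunnel
                            request (zero-rating covers web pages, not tunnels).
      'suspect-host-spoof'  Host names a zero-rated site but the connection
                            goes to an address that site is not served from.
      'zero-rated'          Genuine data-free traffic.
    """
    if req.host_header not in ZERO_RATED:
        return "billable"
    if req.method == "CONNECT":
        return "suspect-tunnel"
    dst = ipaddress.ip_address(req.dst_ip)
    if not any(dst in net for net in ZERO_RATED[req.host_header]):
        return "suspect-host-spoof"
    return "zero-rated"


# Constructed sample requests as (raw request, observed destination IP).
SAMPLE = [
    # 1. genuine visit to the data-free site
    ("GET / HTTP/1.1\r\nHost: free.example-carrier.net\r\n\r\n", "203.0.113.10"),
    # 2. Host header claims the data-free site, but the socket goes elsewhere
    ("GET / HTTP/1.1\r\nHost: free.example-carrier.net\r\n\r\n", "192.0.2.77"),
    # 3. tunnel request dressed up with a zero-rated Host header
    ("CONNECT ssh.example.org:22 HTTP/1.1\r\nHost: free.example-carrier.net\r\n\r\n",
     "203.0.113.10"),
    # 4. ordinary billable browsing
    ("GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "192.0.2.5"),
]


def scan(samples):
    """Classify every (raw, dst_ip) pair and return the verdicts in order."""
    return [classify(parse_request(raw, ip)) for raw, ip in samples]


if __name__ == "__main__":
    for (raw, ip), verdict in zip(SAMPLE, scan(SAMPLE)):
        print(f"{verdict:20} {raw.splitlines()[0]}  -> {ip}")
```

The important design point is that the verdict never depends on the client-controlled header alone: the destination address comes from the gateway's connection state, and the method comes from the request line, so rewriting the Host header by itself does not earn zero-rated treatment. In production the address ranges would come from the carrier's own DNS or CDN data rather than a hard-coded table.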
Many of these HTTP injector files are exchanged using the Telegram messaging service, which they said has become increasingly popular in cybercriminal and fraud-centric communities over the past few years. The platform has grown in popularity in Brazil, especially following the country’s temporary ban of WhatsApp in 2016.
“HTTP injectors are widely distributed at no cost by users on a variety of Portuguese- and Spanish-language Telegram channels, many of which have tens of thousands of members,” said Rowley and Bashir. “Flashpoint analysts observed one Portuguese-language Telegram channel dedicated to the exchange of HTTP injectors with more than 90,000 members. One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilised as a proxy by the HTTP injectors, thereby masking their own illicit activities.”