{
	"id": "ba828501-71f4-471c-b51e-15e7549b83d0",
	"created_at": "2026-04-06T01:32:15.697894Z",
	"updated_at": "2026-04-10T13:11:41.941197Z",
	"deleted_at": null,
	"sha1_hash": "d88902c004ceba6bfc2931c1da57bdeb1626bdcb",
	"title": "After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51766,
	"plain_text": "After years of warnings, mobile network hackers exploit SS7 flaws\r\nto drain bank accounts\r\nBy Iain Thomson\r\nPublished: 2017-05-03 · Archived: 2026-04-06 01:11:33 UTC\r\nExperts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue\r\nused by cellphone networks to communicate with each other.\r\nThese shortcomings can be potentially abused to, for example, redirect people's calls and text messages to\r\nmiscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with\r\nvictims' cash.\r\nO2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank\r\naccounts drained using a two-stage attack that exploits SS7.\r\nIn other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking\r\ncustomers, allowing them to empty their accounts. The thefts occurred over the past few months, according to\r\nmultiple sources.\r\nIn 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some\r\nlandline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a\r\ntelco – such as a hacker or a corrupt employee – can get access to any other carrier's backend in the world, via\r\nSS7, to track a phone's location, read or redirect messages, and even listen to calls.\r\nIn this case, the attackers exploited a two-factor authentication system of transaction authentication numbers used\r\nby German banks. Online banking customers need to get a code sent to their phone before funds are transferred\r\nbetween accounts.\r\nThe hackers first spammed out malware to victims' computers, which collected the bank account balance, login\r\ndetails and passwords for their accounts, along with their mobile number. 
Then they purchased access to a rogue\r\ntelecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by\r\nthe attackers.\r\nNext, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank\r\naccounts and transferred money out. When the transaction numbers were sent they were routed to the criminals,\r\nwho then finalized the transaction.\r\nWhile security experts have been warning about just this kind of attack – and politicians have increasingly been\r\nmaking noise about it – the telcos have been glacial at getting to grips with the problem. The prevailing view has\r\nbeen that you'd need a telco to pull off an assault, and what kind of dastardly firm would let itself be used in that\r\nway.\r\nThat may have worked in the 1980s, but these days almost anyone can set themselves up as a telco, or buy access\r\nto the backend of one. To make matters worse the proposed replacement for SS7 on 5G networks, dubbed the\r\nDiameter protocol, also has security holes, according to the Communications Security, Reliability and\r\nInteroperability Council at America's comms watchdog, the FCC.\r\nThis first publicly confirmed attack will hopefully ginger up efforts to fix issues with SS7, at least in Europe,\r\nwhere Germany has a leadership position. As for the US, it might take a series of SS7 assaults before the telcos get\r\ntheir backsides into gear. 
®\r\nPS: A US Department of Homeland Security report this month admitted SS7 \"can be exploited by criminals,\r\nterrorists, and nation-state actors/foreign intelligence organizations\" to hijack messages and calls.\r\nBasically, it's time to stop using SMS for two-factor authentication for sensitive stuff.\r\nSource: https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/"
	],
	"report_names": [
		"hackers_fire_up_ss7_flaw"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439135,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d88902c004ceba6bfc2931c1da57bdeb1626bdcb.pdf",
		"text": "https://archive.orkl.eu/d88902c004ceba6bfc2931c1da57bdeb1626bdcb.txt",
		"img": "https://archive.orkl.eu/d88902c004ceba6bfc2931c1da57bdeb1626bdcb.jpg"
	}
}