Cybercriminals have been exploiting flaws in Signalling System No. 7 (SS7), also known as CCITT number 7 or C7 in the UK, a set of telephony signalling protocols, to target mobile subscribers using their devices to conduct banking - draining their accounts of cash in the process.
The SS7 protocols were developed in the 1980s and are used by more than 800 telecoms companies globally: they supply metadata required to set up calls and also underpin data communications between different telecoms companies' networks.
Today, they are also used to ensure that text messages can be sent between people in different countries, and to ensure that phone calls are uninterrupted when travelling on an overground train. They can even be used to eavesdrop on calls and track users' locations.
Weaknesses within the protocol have been known about since at least 2014 and, in January, criminals exploited them to bypass the mobile-phone-based two-factor authentication method that banks use to prevent unauthorised withdrawals from online accounts, German newspaper Süddeutsche Zeitung has reported.
Specifically, telecoms company O2 in Germany confirmed that some of its customers had their accounts drained by hackers in a two-stage process.
The first stage involved bank-fraud Trojans that enabled the attackers to harvest user names, passwords, phone numbers and bank account details by directly infecting account holders' computers.
Attackers then used SS7 to intercept the text messages that banks use to send 'one-off' passwords for authorising payments and bank transfers, redirecting them to their own numbers. They then used the mTANs - mobile transaction authentication numbers - to transfer money out of a targeted account.
In addition to infecting the victims with Trojan horse malware, the attackers would have required inside access to a telecoms company in order to compromise SS7.
"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," a representative with Germany's O2 Telefonica told Süddeutsche Zeitung.
"The attack redirected incoming SMS messages for selected German customers to the attackers."
The foreign operator has since been blocked, and any customers that were affected were informed of the breach. The SS7 flaw is yet to be fixed, which means that it is likely that there will be a boom in similar attacks coming very soon.