Hackers are offering “free” mobile data access on Telegram channels by exploiting loopholes in telecom provider policies, which target users in Africa and Asia and involve sharing configuration files to mimic zero-rated traffic.
The channels function as technical support hubs where users exchange instructions on creating custom payloads, setting up secure tunnels, and manipulating HTTP headers to disguise data usage, which has circulated numerous configuration files for various telecom providers over the past year.
To bypass data metering on telecom networks, attackers leverage various tunneling techniques by manipulating data packets using tools like HTTP Injector to mimic traffic from zero-rated services (exempt from data charges).
Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan
Payload generators further enhance this deception. Alternatively, they establish encrypted tunnels using SSH or Stunnel, disguising their traffic as legitimate secure communication, while VPNs with obfuscation techniques and undetectable protocols achieve a similar outcome.
Attackers can manipulate traffic headers with proxies or route all traffic through a remote server using SOCKS proxies, tricking the network into treating their data as unmetered.
To abuse zero-rating policies, attackers manipulate data traffic to appear as originating from exempt services, which involves modifying HTTP headers and payloads (traffic redirection), altering DNS settings to exploit zero-rated domains, or spoofing the Server Name Indication (SNI) in HTTPS requests.
SNI proxies can also be used to forward traffic while disguising it as coming from a zero-rated source. Split tunneling and selective routing techniques channel-specific traffic through zero-rated services while keeping other data encrypted.
For mobile data, attackers can exploit weaknesses in APN configurations, including modifying APN settings to trick the network (APN tweaks) or rapidly switching between APNs to bypass billing (APN switching).
HTTP injectors can be used in conjunction with pre-configured profiles that contain individualized parameters to automate zero-rating exploitation.
CloudSEK identified several tools used to bypass online restrictions and access secure connections, including HTTP Injector, an Android application for manipulating HTTP headers, crafting custom payloads, and establishing secure tunnels.
Your Freedom VPN Client provides various tunneling methods to bypass firewalls, while HA Tunnel Plus is another option for creating secure VPN connections.
All three tools leverage their tunneling capabilities to circumvent restrictions and enable secure internet access.
Telecom providers can deploy a multi-layered defense to curb free data exploitation via VPNs and tunneling, while deep packet inspection (DPI) and traffic analysis pinpoint suspicious traffic patterns.
Limiting bandwidth for well-known tunneling protocols and blocking certain SNI fields that these apps use makes them less useful.
Blacklisting malicious IP addresses and monitoring DNS traffic for tunneling attempts further tighten the net.
Better APN security protects against changes made without permission, and machine learning models find strange behavior that could be a sign of zero-rating abuse by disrupting free data exploitation methods.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free