Hackers are offering “free” mobile data access on Telegram channels by exploiting loopholes in telecom providers' zero-rating policies (traffic to certain services that the operator exempts from data charges), targeting users in Africa and Asia and sharing configuration files that make ordinary traffic look like zero-rated traffic. These channels serve as technical support hubs where users exchange instructions on creating custom payloads, setting up encrypted tunnels, and manipulating HTTP headers to disguise data usage. Over the past year, numerous configuration files for various telecom providers have circulated among users on these channels.
To evade data metering, attackers tunnel their traffic so that the operator's classifier sees something it exempts. Tools like HTTP Injector prepend a crafted HTTP request (the “payload”) to each connection so that the traffic appears to be destined for a zero-rated service; a payload generator produces that request template, and the real traffic is then carried inside an encrypted SSH or Stunnel tunnel to a remote server, so everything after the fake headers is opaque to the network and looks like legitimate secure communication. VPNs with obfuscation layers and protocols designed to resist DPI fingerprinting achieve the same outcome.
Attackers can manipulate traffic headers with proxies, or route all traffic through a remote server over a SOCKS proxy, so that the network treats their data as unmetered. To abuse zero-rating policies, they make their traffic look as if it belongs to an exempt service: by altering HTTP headers and payloads, by pointing DNS settings at zero-rated domains, or by spoofing the Server Name Indication (SNI) in the TLS handshake of HTTPS requests. Because the SNI is set by the client and is not authenticated by the network, an SNI proxy can accept a connection whose ClientHello names a zero-rated host and forward it to the real destination. Split tunneling and selective routing send only the traffic that needs to look zero-rated through that path while encrypting the rest.
For mobile data, attackers also exploit weaknesses in APN configurations, modifying APN settings to trick the network or rapidly switching between APNs to bypass billing. HTTP injectors automate zero-rating abuse through pre-configured profiles whose parameters (payload, tunnel endpoint, SNI) are tailored to a specific operator. CloudSEK identified tools used to bypass online restrictions and obtain secure connections, including HTTP Injector, Your Freedom VPN Client, and HA Tunnel Plus, whose tunneling features are what make this circumvention possible.
Telecom providers can deploy multi-layered defenses against free-data exploitation via VPNs and tunneling. Because the SNI and the HTTP Host header are chosen by the client, a zero-rating classifier should never rely on them alone; it should correlate the claimed hostname with the destination IP prefixes the zero-rated service actually uses. Deep packet inspection (DPI) and traffic analysis can then identify flows whose claimed hostname does not match their destination or whose volume, timing, and endpoints do not fit the exempted service, while rate-limiting tunneling protocols and blocking the SNI values these apps are known to use reduce their effectiveness. Blocklisting the IP addresses of known tunnel endpoints and monitoring DNS traffic for tunneling attempts further enhance security. Locking APN settings against unauthorized changes closes the APN vector, and machine learning models can flag unusual usage patterns that may indicate zero-rating abuse.
In conclusion, hackers are taking advantage of weaknesses in how telecom networks classify traffic to offer free mobile data access through tunneling and manipulation of HTTP headers, DNS, and SNI. Users should be aware that these “free data” configurations route all of their traffic through a tunnel server operated by an unknown third party, which sees everything that is not separately encrypted end to end. Telecom providers need to strengthen their classifiers and monitoring to counter these techniques and protect both their billing and their users' data.

