Flashpoint researchers have come across several Telegram messaging channels being used to exchange HTTP injectors, which can be used to obtain free mobile internet access.
The research firm noticed a spike in this activity by threat actors in Brazil, Colombia and other Latin American countries. Those interested in obtaining or exchanging an HTTP injector are using encrypted Telegram channels as their marketplace. One such Portuguese channel boasts more than 90,000 members, and the injectors offered there target telcos located in Latin America.
An HTTP injector works by connecting to an SSH/proxy with a custom header. Flashpoint said that in the cases it has observed, the connection is made using a device with a zero remaining balance on its SIM card. Using the device's mobile browser, the user then connects to a data-free website to avoid connecting to a captive portal where payment would be required. The next step is to establish a connection using the SSH proxies, thus obtaining free internet access.
“One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilized as a proxy by the HTTP injectors, thereby masking their own illicit activities,” the report said.