BSides London 2025

Google Pay, Drug Bots, and SIM Swaps: How Old Leaks Power New Attacks
2025-12-13, Clappy Monkey Track

In an age where personal data leaks never truly disappear, a single overlooked detail can become the key to an entire attack chain. This talk follows that detail’s journey - from forgotten breaches, through shadowy online markets, and into the center of a SIM swap.

We’ll explore how decades-old leaks in Israel, repackaged and made accessible through Telegram bots tied to drug dealers' activities, collide with authentication practices still common worldwide. Along the way, we’ll uncover how trust in familiar, everyday online interactions can be weaponized in unexpected ways. What begins as an ordinary user action ends with the attacker holding the final piece needed to take over a victim’s phone number and access everything tied to it.

The technique is simple. The consequences are global. And the path from click to compromise may not be what you expect.


Here is our presentation outline:

  1. Introduction
    - SIM swap attack impact and how it is carried out today.
    - Motivation for looking at Google Pay’s iframe (teasing).

  2. Threat Landscape in Israel
    - Agron 2006 leak (population registry) and Elector 2020 leak (voter database).
    - How these breaches left the last four payment digits as the main SIM swap barrier.
    - Rise of Telegram bots tied to drug dealers’ activities.

  3. Technical Deep Dive: From Button to Breach
    - Quick recap of prior research on iframe-based “human side channel” attacks (Facebook Like button case study).
    - Structure of the Google Pay iframe and its consistent display of the last four digits.
    - Same-Origin Policy limitations and bypass via user-assisted reading.
    - CSS cropping, scaling, and styling to isolate digits.
    - CAPTCHA disguise.

  4. End-to-End Attack Flow
    - Recon phase: collecting name and ID from leaks or public sources.
    - Weaponization: fake CAPTCHA embedding Google Pay iframe.
    - Execution: user enters digits.
    - Impact: SIM swap or account takeover.

  5. Global Relevance
    - Countries where the last four digits are used for verification or tracking.
    - Risks beyond SIM swaps: cross-site tracking, fingerprinting.

  6. Disclosure and Response

  7. Conclusion

Sarit Yerushalmi is an experienced security researcher at Imperva. Her research mainly focuses on application security and APIs. She analyzes traffic to detect new threats, writes security blogs, and talks at conferences. Some of her work has been presented at security conferences such as Botconf, BSides TLV, NorthSec, and Kernelcon.

Ron Masas is a security researcher and leads the Offensive Security team at Imperva. His work focuses on web privacy, application security, and side-channel attacks. Over the years, he has discovered vulnerabilities across various platforms, contributing to stronger security in widely used technologies. Passionate about offensive security, he continuously explores new attack surfaces to stay ahead of emerging threats.