Thursday September 19, 2024

Advisory ID: ngCERT-2023-0035

Summary: Cyber criminals have intensified their targeting of the general public through SIM swap attacks. In a recent instance, a highly capable threat actor successfully carried out a "SIM swapping" attack against a T-Mobile US, Inc. account linked to an employee of Kroll, demonstrating the growing sophistication of these malicious activities. This incident underscores the urgency of cybersecurity awareness and protection against emerging threats.

Threat Type(s): Mobile Networks/Devices

Damage/Probability: CRITICAL/HIGH

Description: SIM swapping, also referred to as SIM splitting or simjacking, is a malicious technique in which criminal actors target mobile carriers in order to gain access to victims' bank accounts, virtual currency accounts, and other sensitive information. Criminal actors primarily conduct SIM swap schemes through social engineering, insider threats, or phishing.

In the social engineering variant, a criminal actor impersonates the victim and tricks the mobile carrier into switching the victim's mobile number to a SIM card in the criminal's possession. In the insider-threat variant, criminal actors pay off a mobile carrier employee to switch the victim's mobile number to a SIM card in the criminal's possession. In the phishing variant, criminal actors deceive carrier employees into downloading malware that gives the criminals access to the carrier systems used to carry out SIM swaps.

Once the SIM is swapped, the victim's calls, texts, and other data are diverted to the criminal's device. This access allows the criminal to submit 'Forgot Password' or 'Account Recovery' requests to the victim's email and other online accounts associated with the victim's mobile telephone number. Services that rely on SMS-based two-factor authentication then send a link or one-time passcode by text to the victim's number, which the criminal now controls. The criminal uses these codes to log in and reset passwords, gaining control of the online accounts tied to the victim's phone number.
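As an added example that is not part of the ngCERT advisory, the following Python sketch shows the service-side check implied by the attack chain above: an account-recovery request that relies on an SMS one-time passcode is refused when the number it would be sent to was recently moved to a new SIM, and an alternate factor is required instead. The carrier SIM-change notices and the recovery-request records are constructed for this example, and the hypothetical `sim_changes` lookup stands in for whatever SIM-change or port-out signal a real carrier exposes.

```python
from datetime import datetime, timedelta

# Constructed sample data: the time each number was last moved to a new SIM,
# as a defender might receive it from a carrier SIM-change feed (hypothetical).
SIM_CHANGES = {
    "+2340000000001": datetime(2024, 9, 18, 22, 15),  # swapped the night before
    "+2340000000002": datetime(2024, 3, 2, 9, 0),     # changed months ago
}

# Constructed sample account-recovery requests seen by an online service.
RECOVERY_REQUESTS = [
    {"account": "alice", "phone": "+2340000000001", "channel": "sms",
     "ts": datetime(2024, 9, 19, 1, 40)},   # SMS code requested hours after swap
    {"account": "bob",   "phone": "+2340000000002", "channel": "sms",
     "ts": datetime(2024, 9, 19, 8, 5)},
    {"account": "carol", "phone": "+2340000000003", "channel": "sms",
     "ts": datetime(2024, 9, 19, 8, 6)},    # no SIM change on record
    {"account": "dave",  "phone": "+2340000000001", "channel": "totp",
     "ts": datetime(2024, 9, 19, 2, 0)},    # authenticator app, not SMS
]

# Refuse SMS-based recovery for this long after a SIM change (policy choice).
COOLDOWN = timedelta(days=7)


def assess(request, sim_changes, cooldown=COOLDOWN):
    """Return (decision, reason) for one recovery request.

    Only SMS-delivered codes are affected by a SIM swap, so other factors
    pass through. A SIM change inside the cooldown window, or one recorded
    after the request itself, means the number cannot be trusted.
    """
    if request["channel"] != "sms":
        return "allow", "non-SMS factor"
    changed = sim_changes.get(request["phone"])
    if changed is None:
        return "allow", "no SIM change on record"
    age = request["ts"] - changed
    if age < cooldown:
        return "deny", f"SIM changed {age} before request; require alternate factor"
    return "allow", f"SIM change is {age.days} days old"


def triage(requests=RECOVERY_REQUESTS, sim_changes=SIM_CHANGES):
    """Map each account to its decision so reviewers can act on denials."""
    return {r["account"]: assess(r, sim_changes)[0] for r in requests}
```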

Consequences: A successful SIM swapping attack allows cybercriminals to take over the victim's phone number, which can have serious consequences, including unauthorized access to sensitive information and accounts. Once executed, attackers can intercept SMS messages, monitor voice calls, and gain control over multi-factor authentication codes. This allows them to compromise online accounts, potentially leading to data breaches, financial loss, and identity theft.

Solution: Recommended countermeasures include:

  1. Do not advertise information about financial assets, including ownership of or investment in cryptocurrency, on social media websites and forums.
  2. Do not provide your mobile account information over the phone to representatives who request your account password or PIN. Verify the request by dialing your mobile carrier's customer service line yourself.
  3. Avoid posting personal information online, such as your mobile phone number, address, or other personally identifying information.
  4. Use a unique password for each online account.
  5. Be alert to any unexpected loss of SMS or mobile service, which may indicate that your number has been moved to another SIM.
  6. Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
  7. Do not store passwords, usernames, or other login information in mobile device applications for convenience.
