April 18, 2024
If you’ve made it to 2022 (congratulations), there’s a fairly good chance you own a mobile phone (again, congrats). You’re probably also aware that our increasing reliance on remote technology during the COVID-19 pandemic, and the accompanying lenient security requirements, have created a wider attack surface for cybercriminals. For instance, we’ve seen a growing number of SIM swapping attacks, aka SIM hijacking, targeting the tiny, portable memory chip embedded in your cell phone. Without the SIM card inside your phone, you wouldn’t be able to connect to your wireless carrier’s cellular network to make phone calls, send text messages, or connect to that new, speedy 5G network that has just been rolled out in your city.
So what’s the danger here with these fancy microchips? The SIM card itself is not the issue (there are tracking and surveillance risks, but that’s not the focus of this blog). We’re talking about cybercriminals weaponizing your SIM card to conduct malicious activity. This blog will explore SIM swapping advertisements on cybercriminal forums, cybercriminal discussions about SIM swapping attacks, SIM swapping fraud methods, and real-world scenarios that have affected mobile device users.
SIM swapping occurs when an attacker takes control of a victim’s phone number by, in essence, deactivating their SIM and porting the allocated number over to an attacker-controlled SIM.
The goal of a SIM swap attack is to convince the mobile service carrier to update the SIM card associated with a victim’s account, thereby diverting service from the victim’s SIM and phone to other SIM cards in the adversary’s possession.
A SIM swap attack begins with research and social engineering attempts against mobile users to gather personal information that can be used to successfully impersonate the victim, either in communications with telecommunications companies’ customer service staff or when providing the information required by self-service apps or portals to request the SIM swap.
Perhaps the most common goal of cybercriminals with this type of attack is to bypass SMS two-factor authentication (2FA) to steal protected digital assets. We have witnessed some cybercriminals probing leaked databases for victims’ personal information, betting that victims had reused this information as PIN codes for mobile providers’ verification processes. Let this serve as a reminder – it is a huge security risk to use personal information as a PIN, or to provide answers to security questions that cybercriminals can easily guess. Not only can threat actors use this information to impersonate you, but it could allow them to unlock access to other connected accounts. For example, we have seen cybercriminals sharing screenshots of their alleged proof of siphoning money from victims’ bank or cryptocurrency accounts after conducting a SIM swapping attack.
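The weak-PIN risk described above, as an added example (not code from the original post or from ReliaQuest): a carrier-side policy check that rejects account PINs an attacker could rebuild from the personal details found in a breach dump. The 4-8 digit length policy, the field names and the sample subscriber values are assumptions.

```python
# Carrier-side account PIN policy check (added example, not ReliaQuest's code).
# Rejects PINs an attacker could rebuild from leaked personal details; the
# 4-8 digit length policy and all sample values are assumptions.
import re
from datetime import date

MIN_LEN, MAX_LEN = 4, 8  # assumed carrier PIN length policy

def digit_runs(value: str, min_len: int = 4) -> set[str]:
    """Every substring of the digits in value with length >= min_len."""
    digits = re.sub(r"\D", "", value)
    return {digits[i:j] for i in range(len(digits))
            for j in range(i + min_len, len(digits) + 1)}

def dob_fragments(dob: date) -> set[str]:
    """Digit strings commonly built from a birth date (YYYY, MMDD, DDMM, MMDDYY, YYYYMMDD, ...)."""
    y, m, d = f"{dob.year:04d}", f"{dob.month:02d}", f"{dob.day:02d}"
    yy = y[2:]
    return {y, m + d, d + m, m + d + yy, d + m + yy, yy + m + d,
            m + d + y, d + m + y, y + m + d}

def is_sequential(pin: str) -> bool:
    """True for ascending or descending runs such as 1234 or 8765."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def pin_weaknesses(pin: str, *, dob: str, phone: str,
                   zip_code: str, ssn_last4: str) -> list[str]:
    """Return the reasons a PIN is rejected (dob is ISO YYYY-MM-DD); empty list means acceptable."""
    if not pin.isdigit() or not MIN_LEN <= len(pin) <= MAX_LEN:
        return [f"PIN must be {MIN_LEN}-{MAX_LEN} digits"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    # Fields a breach dump typically exposes and a carrier also holds on file.
    personal = {"date of birth": dob_fragments(date.fromisoformat(dob)),
                "phone number": digit_runs(phone),
                "ZIP code": digit_runs(zip_code),
                "SSN last four": {ssn_last4}}
    for label, fragments in personal.items():
        if any(run in fragments for run in digit_runs(pin)):
            reasons.append(f"derived from {label}")
    return reasons
```

Run `pin_weaknesses("0704", dob="1990-07-04", phone="+1 (555) 555-1234", zip_code="33602", ssn_last4="6789")` against a constructed subscriber record to see the date-of-birth rejection; the same record accepts an unrelated PIN such as `8316`.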
Cybercriminals have also resorted to more creative methods for carrying out SIM swapping attacks, such as creating websites that could facilitate this type of malicious activity. For example, one member of a Russian-language cybercriminal forum actively sought a coder to create a website that could provide users with virtual telephone numbers for receiving SMS text messages. Their objective was to use a virtual telephone number that matched their intended victims’, increasing their chance of a successful impersonation attempt.
The popularity of SIM swapping attacks is reflected in the number of advertisements for SIM swapping services. Some cybercriminal forums even have an entire section dedicated to this type of malicious activity. In one recent example we saw on a high-profile Russian-language cybercriminal forum, a user indicated they were interested in conducting SIM swapping attacks against “high-value targets” who have accounts with four named US-based telecommunications companies. They added that they have “runners” who could complete a SIM swap in-store with a fraudulent ID.
In a similar SIM swapping advertisement on the same forum, another user stated they were an insider at a named mobile service provider and insisted they could provide SIM swapping services for a fee of USD 300 per swap, claiming they could carry out such activity “in most countries”. These listings from cybercriminals, who advertise some utility in the form of insiders or “runners”, are common themes.
It is also common for cybercriminals to attempt to entice accomplices with a profit-sharing scheme. For instance, it is becoming increasingly popular for users of cybercriminal forums to facilitate SIM swapping attacks by using their privileged access to cryptocurrency logs, banking logs, and mobile-service carrier logs. Since cryptocurrency and banking accounts are usually inextricably linked to a user’s mobile device, threat actors have developed a bartering system by which information that enables SIM swap attacks (i.e. call logs, recent payment details, etc.) can be exchanged for cryptocurrency logs or vice versa; these are often coupled with a profit-sharing scheme.
On one high-profile Russian-language cybercriminal forum, a user initiated a thread to express their interest in working with people with “crypto targets” to set up a profit-sharing scheme for a fixed percentage. The scheme involved rendering their SIM swapping services to forum users that have information about viable targets; in other words, individuals that have substantial amounts of money stashed away in the form of cryptocurrency.
In a similar post on the same forum, a user advertised SIM swapping services with a “crypto focus” in exchange for relevant “US logs”, with the focus of their scheme directed at users of a named mobile carrier. This user also sought to obtain cryptocurrency logs from users of the forum; in return, they would provide that user with a fixed percentage of a victim’s cryptocurrency account value upon completion of their SIM swapping attack.
As well as advertisements, we’ve also noticed cybercriminals openly sharing tradecraft and methodologies for conducting SIM swapping attacks. Many newcomers who see an opportunity in this arena actively seek out advice for SIM swapping attacks, inquiring how to identify lucrative targets. Experienced users freely share information that could facilitate such an attack.
For example, in March 2021, a user of one prominent Russian-language cybercriminal forum shared an article outlining methods for and benefits of conducting SIM card swapping. In their article, the user sought to expose some of the security loopholes that exist in modern mobile banking services, such as the shift to remotely onboarding new mobile service customers. Prior to the pandemic, it was more common for mobile users to share their details in-person at a mobile phone store and receive a SIM card on the spot. Now, cybercriminals have more ways to conjure SIM swaps through convincing, impersonated phone calls.
This user also detailed the verification methods used by 15 separate mobile providers, attempting to expose what they claimed were flaws in their verification processes. For example, they claimed that mobile customer service operators could be manipulated if they were fed a convincing story or were provided with personal details that only that customer would know.
Cybercriminals also attempt to monetize “exclusive” SIM swapping methods for mobile providers. For example, in December 2021, a user of one prominent Russian-language cybercriminal forum advertised an “instant SIM swap method” for a named mobile provider that they claimed could target approximately 95% of that mobile provider’s users. Without providing the specifics of their method, they offered to sell two copies for a price of BTC 0.5 (USD 39,297.10), later dropping the price to USD 5,000.
To illustrate the gravity of this problem, let’s look at how SIM swapping attacks have affected mobile users in the real world — especially in this new era of remote work in which the threat has been elevated. Both device users and mobile carrier providers should understand the risks and their potential mitigation.
The most high-profile instance in recent memory is likely a SIM swapping attack reported in November 2021, in which a Canadian teenager was arrested for allegedly stealing USD 36.5 million from a US-based victim’s cryptocurrency account. In that attack, the attacker allegedly duplicated the victim’s phone number after using a social engineering technique on the victim’s mobile service provider. After intercepting the victim’s 2FA request, the attacker took control of the victim’s accounts. This scheme turned out to be the biggest reported cryptocurrency theft conducted by one person as a result of a SIM swapping attack.
A different SIM swapping attack involved an insider threat. In December 2021, a manager of a telecommunications store in New Jersey, US, was arrested and charged with accessing customer information using a “protected computer.” The perpetrator stole personal information from customers’ accounts and used those details to bypass 2FA verification. After taking control of their victims’ devices and pivoting to cryptocurrency accounts, they laundered stolen money to a cryptocurrency wallet that they controlled. The attacker stole USD 5,000 from five customers.
As SIM swapping attacks often depend on personal information, some are inadvertently linked to other data breach events. For example, in December 2021, T-Mobile confirmed that a data breach led to multiple customers falling victim to SIM swapping attacks. The company reported that it had informed “a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed.” T-Mobile urged its customers to be on the lookout for any suspicious text messages or email messages pretending to be from T-Mobile.
If you want to avoid becoming the victim of one of these real-world scenarios, these steps may mitigate the likelihood of a successful attack:
The SIM card might be the most forgotten piece of technology in our phones. Its utility has been overshadowed by the infinite number of mobile apps that have made us forget what life was like before the invention of the smartphone. And despite all we have to gain from these apps, we stand to lose even more if we don’t protect the information that protects our SIM card, the motherboard of our mobile phone apparatus. Consider how much money you’ve allocated to your cryptocurrency investments. Or maybe you care more about the 1,000 saved text messages from your significant other. All of this could be lost if you don’t take the proper steps to secure the personal details that protect your SIM card. Fortunately, now that you have been properly informed about the dangers that are out there and the steps you can take to avoid such a mobile catastrophe, you can continue scrolling away on your phone. But just remember: You can defeat the attacker if you remain proactive, saving yourself from a tremendous headache in the long run.
To stay in the know about recent cybercriminal developments, sign up to a 7-day free trial of Threat Intelligence with SearchLight. SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) clients receive real-time, actionable intelligence updates relating to new attack types, including analysis from our team of global analysts and intelligence on new posts to platforms across open and closed sources.