Cybercrime and Dark Web Research / Exploring SIM Swapping Services on Cybercriminal Forums

Exploring SIM Swapping Services on Cybercriminal Forums

Exploring SIM Swapping Services on Cybercriminal Forums
Photon Research Team
Read More From Photon Research Team
March 10, 2022 | 10 Min Read

If you’ve made it to 2022 (congratulations), there’s a fairly good chance you own a mobile phone (again, congrats). You’re probably also aware that our increasing reliance on remote technology during the COVID-19 pandemic and the accompanying lenient security requirements have created a wider attack surface for cybercriminals. For instance, we’ve seen a growing number of SIM swapping attacks, aka SIM hijacking targeting the tiny, portable memory chip embedded in your cell phone. Without the SIM card inside your phone, you wouldn’t be able to connect to your wireless carrier’s cellular network to make phone calls, send text messages, or connect to that new, speedy 5G network that has just been rolled out in your city.

So what’s the danger here with these fancy microchips? The SIM card itself is not the issue (there are tracking and surveillance risks, but that’s not the focus of this blog). We’re talking about cybercriminals weaponizing your SIM card to conduct malicious activity. This blog will explore SIM swapping advertisements on cybercriminal forums, cybercriminal discussions about SIM swapping attacks, SIM swapping fraud methods, and real-world scenarios that have affected mobile device users.

What are SIM swapping attacks?

SIM swapping occurs when an attacker takes control of a victim’s phone number by, in essence, deactivating their SIM and porting the allocated number over to an attacker-controlled SIM.

The goal of a SIM swap attack is to convince the mobile service carrier to update the SIM card associated with a victim’s account, thereby diverting service from the victim’s SIM and phone to other SIM cards in the adversary’s possession.

A SIM swap attack begins with research and social engineering attempts against mobile users to gather personal information that can be used to successfully impersonate the victim, either in communications with telecommunications companies’ customer service staff or when providing the information required by self-service apps or portals to request the SIM swap.

Perhaps the most common goal of cybercriminals with this type of attack is to bypass SMS two-factor authentication (2FA) to steal protected digital assets. We have witnessed some cybercriminals probing leaked databases for victims’ personal information, betting that this information would be utilized as common PIN codes for mobile providers’ verification processes. Let this serve as a reminder – it is a huge security risk to use personal information or provide answers to security questions that cybercriminals can guess easily. Not only can threat actors use this information to impersonate you, but it could allow them to unlock access to other connected accounts.  For example, we have seen cybercriminals sharing screenshots of their alleged proof of siphoning money from victims’ bank or cryptocurrency accounts after conducting a SIM swapping attack. 

Cybercriminal forum user shares a screenshot of allegedly extracting bank funds

Cybercriminals have also resorted to more creative methods for carrying out SIM swapping attacks, such as creating websites that could facilitate this type of malicious activity. For example, one member of a Russian-language cybercriminal forum actively sought a coder to create a website that could provide users with virtual telephone numbers for receiving SMS text messages.  Their objective was to use a virtual telephone number that matched their intended victims’, increasing their chance of a successful impersonation attempt.  

Cybercriminal forum user seeks a coder to create a website for creating virtual phone numbers

SIM swapping services on cybercriminal forums

The popularity of SIM swapping attacks is reflected in the number of advertisements for SIM swapping services. Some cybercriminal forums even have an entire section dedicated to this type of malicious activity. In one recent example we saw on a high-profile Russian language cybercriminal forum, a user indicated they were interested in conducting SIM swapping attacks against “high-value targets” who have accounts with four named US-based telecommunications companies. They added that they have “runners” who could complete a SIM swap in-store with a fraudulent ID. 

Cybercriminal forum user advertises SIM swapping service targeting four US-based telecoms companies

In a similar SIM swapping advertisement on the same forum, another user stated they were an insider at a named mobile service provider and insisted they could provide SIM swapping services for a fee of USD 300 per swap, claiming they could carry out such activity “in most countries”. These listings from cybercriminals, who advertise some utility in the form of insiders or “runners”, are common themes.

User on Russian-language cybercriminal forum advertises SIM swapping service as an insider

It is also common for cybercriminals to attempt to entice accomplices with a profit-sharing scheme. For instance, it is becoming increasingly popular for users of cybercriminal forums to facilitate SIM swapping attacks by using their privileged access to cryptocurrency logs, banking logs, and mobile-service carrier logs. Since cryptocurrency and banking accounts are usually inextricably linked to a user’s mobile device, threat actors have developed a bartering system by which information that enables SIM swap attacks (i.e. call logs, recent payment details, etc.) can be exchanged for cryptocurrency logs or vice versa; these are often coupled with a profit-sharing scheme.   

On one high-profile Russian language cybercriminal forum, a user initiated a thread to express their interest in working with people with “crypto targets” to set up a profit-sharing scheme for a fixed percentage. The scheme involved rendering their SIM swapping services to forum users that have information about viable targets; in other words, individuals that have substantial amounts of money stashed away in the form of cryptocurrency.  

User on Russian-language cybercriminal seeks cryptocurrency targets in exchange for SIM swapping services

In a similar post on the same forum, a user advertised SIM swapping services with a “crypto focus” in exchange for relevant “US logs”, with the focus of their scheme directed at users of a named mobile carrier. This user also sought to obtain cryptocurrency logs from users of the forum; in return, they would provide that user with a fixed percentage of a victim’s cryptocurrency account value upon completion of their SIM swapping attack.

User on Russian-language cybercriminal forum advertises SIM swapping service in exchange for cryptocurrency logs

Knowledge-sharing on cybercriminal forums

As well as advertisements, we’ve also noticed cybercriminals openly sharing tradecraft and methodologies for conducting SIM swapping attacks.  Many newcomers who see an opportunity in this arena actively seek out advice for SIM swapping attacks, inquiring how to identify lucrative targets. Experienced users freely share information that could facilitate such an attack.

For example, in March 2021, a user of one prominent Russian-language cybercriminal forum shared an article outlining methods for and benefits of conducting SIM card swapping. In their article, the user sought to expose some of the security loopholes that exist in modern mobile banking services, such as the shift to remotely onboarding new mobile service customers.  Prior to the pandemic, it was more common for mobile users to share their details in-person at a mobile phone store and receive a SIM card on the spot. Now, cybercriminals have more ways to conjure SIM swaps through convincing, impersonated phone calls. 

Russian-language cybercriminal forum user shares methods for conducting a SIM swapping attack

This user also detailed the verification methods used by 15 separate mobile providers, attempting to expose what they claimed were flaws in their verification processes. For example, they claimed that mobile customer service operators could be manipulated if they were fed a convincing story or were provided with personal details that only that customer would know.  

Cybercriminals also attempt to monetize “exclusive” SIM swapping methods for mobile providers. For example, in December 2021, a user of one prominent Russian-language cybercriminal forum advertised an “instant SIM swap method” for a named mobile provider that they claimed could target approximately 95% of that mobile provider’s users. Without providing the specifics of their method, they offered to sell two copies for a price of BTC 0.5 (USD 39,297.10), later dropping the price to USD 5,000. 

Russian-language cybercriminal forum user attempts to monetize SIM swapping method

Real-world fraud and mitigation

To illustrate the gravity of this problem, let’s look at how SIM swapping attacks have affected mobile users in the real world — especially in this new era of remote work in which the threat has been elevated. Both device users and mobile carrier providers should understand the risks and their potential mitigation. 

The most high-profile instance in recent memory is likely a SIM swapping attack reported in November 2021, in which a Canadian teenager was arrested for allegedly stealing USD 36.5 million from a US-based victim’s cryptocurrency account. In that attack, the attacker allegedly duplicated the victim’s phone number after using a social engineering technique on the victim’s mobile service provider. After intercepting the victim’s 2FA request, the attacker took control of the victim’s accounts. This scheme turned out to be the biggest reported cryptocurrency theft conducted by one person as a result of a SIM swapping attack. 

A different SIM swapping attack involved an insider threat. In December 2021, a manager of a telecommunications store in New Jersey, US, was arrested and charged with accessing customer information using a “protected computer.” The perpetrator stole personal information from customers’ accounts and used those details to bypass 2FA verification. After taking control of their victims’ devices and pivoting to cryptocurrency accounts, they laundered stolen money to a cryptocurrency wallet that they controlled. The attacker stole USD 5,000 from five customers.

As SIM swapping attacks often depend on personal information, some are inadvertently linked to other data breach events. For example, in December 2021, T-Mobile confirmed that a data breach led to multiple customers falling victim to SIM swapping attacks. The company reported that it had informed “a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed.”  T-Mobile urged its customers to be on the lookout for any suspicious text messages or email messages pretending to be from T-Mobile.

If you want to avoid becoming the victim of one of these real-world scenarios, these steps may mitigate the likelihood of a successful attack: 

  • Adopt strong and complex passwords
  • Incorporate second-factor mobile applications or biometric-based authentication for 2FA
  • Do not use publicly available information in security questions, PIN codes, or passwords

The SIM card might be the most forgotten piece of technology in our phones. Its utility has been overshadowed by the infinite number of mobile apps that have made us forget what life was like before the invention of the smartphone. And despite all we have to gain from these apps, we stand to lose even more if we don’t protect the information that protects our SIM card, the motherboard of our mobile phone apparatus. Consider how much money you’ve allocated to your cryptocurrency investments. Or maybe you care more about the 1,000 saved text messages from your significant other. All of this could be lost if you don’t take the proper steps to secure the personal details that protect your SIM card. Fortunately, now that you have been properly informed about the dangers that are out there and the steps you can take to avoid such a mobile catastrophe, you can continue scrolling away on your phone. But just remember: You can defeat the attacker if you remain proactive, saving yourself from a tremendous headache in the long run.

To stay in the know about recent cybercriminal developments, sign up to a 7-day free trial of Threat Intelligence with SearchLight. SearchLight clients receive real-time, actionable intelligence updates relating to new attack types, including analysis from our team of global analysts and intelligence on new posts to platforms across open and closed sources.