Last February we reported on an emerging trend called ‘SIM hijacking.’ Essentially, using information found on the dark web, a cybercriminal calls your telephone company and verifies your identity. Then, they have your phone number transferred to a SIM card that is in their possession. At that point, you’ve lost control of your account.
In the past month, this phenomenon has completely exploded. Every day seems to bring a new story about SIM hijacking. As businesses increasingly rely on mobile workforces, this puts corporate data and assets at risk. Executives with large Instagram followings may be targeted even more.
Recently, Lorenzo Franceschi-Bicchierai of Motherboard reported that one of the most common reasons SIM hijackers are carrying out the attacks is to take over Instagram accounts with ‘valuable’ usernames. The hijacker wipes the account, and then sells the username on websites like OGUsers to the highest bidder. Unique usernames such as the handle ‘@bitcoin’ have sold for upwards of $20,000.
Other cybercriminals are going straight for the money, whether it be by ransom or even by using the new phone number to gain entry into a bank account to wire out all of the money.
Earlier this month, Krebs On Security reported that a cryptocurrency investor was suing AT&T for $224M for its role in a SIM hijacking that led to the theft of millions of dollars in Bitcoin. As Krebs pointed out, mobile phone numbers have become a means of identity. “In essence, mobile phone companies have become ‘critical infrastructure’ for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse,” he writes.
In a separate Motherboard article, Franceschi-Bicchierai detailed how this phenomenon is gaining traction. Reportedly, “plugs” at mobile service providers are being recruited by cybercriminals to aid in the SIM swapping process. Criminals either approach friends they know who work at the telecom companies, or find employees through LinkedIn, Reddit, and other social media sites. They then offer them money to provide the victim’s personal details, including name, phone number, and even social security number and home address.
The payoff for these types of heists appears to be lucrative. A few weeks ago, a 20-year-old college student from Boston was charged with grand theft, identity theft, and computer hacking for hijacking the SIM cards of more than 40 phones to steal over $5 million. The cybercriminal even went as far as messaging the daughters of one of his victims with the message “TELL YOUR DAD TO GIVE US BITCOIN.”
As SIM swapping continues to gain ground, mobile communications companies will need to find a way to reverse the charge.
Get the full story at Motherboard.