By Caique Barqueta: SIM swap ping poses a significant threat to organizations. Criminals can gain access to sensitive accounts and data by swapping phone chips. Companies, especially telecommunications and process outsourcing companies, are prime targets. Security measures are essential to protect against this type of attack.
To shed some light on the subject, we detail how the SIM swap scam works, with some details of identified attacks and tips on how to protect yourself.
Below is a diagram of a SIM swap attack, with a detailed description of the scam in a later section.
What is SIM Swap?
SIM swapping, also known as "SIM card cloning", is a tactic employed by malicious individuals in order to gain access to email accounts, social networks and other services that use the phone number as a means of verification. It is important to note that this type of attack is often used to improperly acquire personal information, make online purchases or even to assume the victim's identity.
How does it work?
The SIM swap scam begins when a criminal contacts the victim's telephone operator and impersonates them. The criminal provides the victim with personal information, such as their name, social security number and date of birth, in order to request a SIM card swap.
After changing the SIM card, the criminal gains access to all SMS messages sent to the victim's number, including verification codes sent by services such as Instagram, Facebook and WhatsApp, and then asks to change the passwords of personal accounts, since many of these accounts use the SMS service as a form of security authentication.
Identified groups of threat actors using the technique
One of the actors that have been mapped using this technique are the so-called "Scattered Spider" actors (UNC3944/ Scatter Swine and Muddled Libra) which have existed since May 2022.
The actors carry out SIM swap, email and SMS phishing attacks and sometimes send phishing messages to other people within an organization after hacking into employee databases.
According to Mandiant and Trellix, the targets of the threat group are generally telecommunications and business process outsourcing (BPO) companies, but other research has identified that the group focuses on other segments, such as ICS.
On August 28, 2023, Anatel (the National Telecommunications Agency) said that new rules for fraud prevention and number portability would come into force, with the user now having to reply to an SMS confirming the process of changing operator while keeping the phone number. These rules, according to the agency, are designed to prevent SIM swap scams.
One of the most common scams perpetrated by criminals, after carrying out the SIM swap attack, is to access the victim's Instagram account and then apply the PIX scam. With this, the criminals end up making posts, sending messages to followers and offering a supposed investment with a certain return, usually up to 1,000%, as well as holding fake raffles. These acts lead followers to believe that it really is authentic.
Recently, an individual in Florida was arrested after carrying out the SIM swap scam and allegedly stealing nearly $1 million in cryptocurrencies from dozens of victims.
Another scam was reported by Ethereum co-founder Vitalik Buterin, who said he had been the victim of SIM swap. One of the types of methods used by the actors was to post on X, formerly Twitter, about a fake offer for NFTs, leading users to click on a malicious link that would have resulted in the victims collectively losing more than $691,000 .
How to protect yourself?
There are some measures that users can take to protect themselves and avoid falling victim to SIM swap scams:
Don't use two-step verification via SMS
If the cybercriminal manages to swap SIMs, it's possible to "reset" accounts that have SMS recovery options enabled.
Activate two-step verification in WhatsApp
After enabling the six-digit PIN code in WhatsApp, it is also important to set an e-mail address to retrieve this PIN.
Activate the PIN and PUK codes on your SIM card
The PIN and PUK codes are your SIM card's last line of defense, since every time it is inserted into a new cell phone or the device is restarted, the PIN will be requested to be released. The PUK code is used to unlock the SIM card if the PIN is entered incorrectly several times, and is the SIM card's master key.
If the PUK is entered incorrectly 10 times, the SIM card will be permanently blocked; the user will have to go to the operator's store to retrieve the number on another SIM card.
Heimdall by ISH Technology