📱 I have not shared this publicly before, but about a year or so ago I was a victim of SIM swapping in which the criminals were able to hijack my phone and access my Coinbase account. In light of the news last week that the Department of Justice had charged three US persons for operating a massive SIM swapping operation that culminated in the theft of $400 million from FTX as the exchange was collapsing in late 2022, I thought it would be a good time to talk about what happened and how to ensure that you are not a victim.

😳 I will never forget the feeling of seeing a text message from AT&T pop up - "A request to move your number is in process . . ."

🙋♀️ What is SIM Swapping?

SIM swapping is when someone gets your phone number moved to a SIM card that's in a phone they control. To conduct a SIM swapping scam, the fraudster could call your mobile carrier and imitate you (perhaps using personal information they've found or bought online). They may also use social engineering or bribery to convince a representative to move your number, or hack into the mobile carrier's system so they can swap and port numbers. Once a criminal has control of your phone number, they'll receive the verification codes and other data sent to your number. They can then try to break into your accounts or reset your passwords using the verification codes.

🙋♂️ How do you protect against SIM Swapping?

☑️ All 3 major carriers allow you to add a passcode or other anti-account takeover features. Call or go to the website to turn those on.

☑️ Use account authentication measures that don't depend on your phone number. For instance, many online accounts now allow options like authentication apps. For high-value accounts, you could consider a hardware authentication token, such as a keychain fob that produces a new code when you press it.

☑️ Add "extra security" measures to your wireless accounts. If you create a unique passcode on your AT&T account, in most cases we'll require you to provide that passcode before any significant changes can be made, including porting initiated through another carrier. You can learn more about passcodes at this link.

☑️ Don't share personal information online.

😕 Uh Oh!

☑️ Keep your personal email inbox clean. Delete phone bills, bank statements and other emails that may include personal information. Don't store passwords, passcodes or PINs in unencrypted or unsecure email accounts. This will help reduce the risk of your sensitive information falling into the wrong hands.

☑️ Be careful about sharing your mobile phone number. Limit sharing your mobile number anywhere it might be posted publicly or to many people, such as on social media, email signatures, and phone lists.

☑️ Store cryptocurrency in "cold storage", an environment without online access. Don't store cryptocurrency wallet credentials online. Instead, write them down and keep them in a secure physical location.

Stay safe out there #cryptoverse. Any other tips? Add👇
How to Understand SIM Swap Fraud Mechanisms
Summary
SIM swap fraud is a type of scam where attackers manipulate mobile carriers to transfer a victim's phone number to a SIM card they control, enabling them to intercept sensitive communications and gain unauthorized access to accounts. Understanding how this mechanism works is critical to prevent falling victim to it.
- Set up account safeguards: Add unique passcodes or PINs to your mobile carrier account and ensure "extra security" features are enabled to prevent unauthorized changes.
- Use a secure authentication method: Opt for authentication tools like apps or hardware tokens instead of SMS-based codes, which are vulnerable to interception during a SIM swap.
- Limit personal information exposure: Refrain from oversharing sensitive details online and avoid posting your phone number publicly to reduce the chances of being targeted.
Over the past few weeks, I've been reinvigorating a SIM swap detection platform we originally designed and built at Tagomi (acquired by Coinbase, now CB Prime). The underlying concept was to safeguard customer accounts—especially those reliant on SMS-based MFA—by identifying whether a phone number had undergone a SIM swapping attack. This system was designed to be an early indicator of compromised accounts, even if users were using phishing-resistant MFA on our platform. We worked closely with well-known mobile network security researchers, mobile virtual network operators, and other industry intelligence sharing groups. Our goal was to ensure the solution propagated rapidly and comprehensively across the industry, given the seriousness of SIM swapping attacks.

SIM swapping remains a relatively cheap yet highly effective way to circumvent MFA, especially for high-value targets. While SMS-based MFA continues to be common for banks, investment accounts, and other critical financial platforms, it is also one of the most vulnerable methods of second-factor authentication.

What is a SIM swap? A SIM swap occurs when a mobile network operator (MNO) reassigns a phone number to a new IMSI (International Mobile Subscriber Identity), whether for legitimate reasons (changing carriers, upgrading devices) or malicious purposes (intercepting SMS messages).

Detection mechanism: By comparing the IMSI used during previous account activity with the current IMSI, we can identify a SIM swap event. At that point, service providers can apply stricter controls, such as restricting high-risk transactions or forcing more secure authentication flows.

Implementation Challenges: TMSIs (Temporary Mobile Subscriber Identities) are insufficient for detection due to their short-lived nature. Accessing IMSI information directly has become more difficult over time, largely due to expanded "privacy" concerns that limit how carriers share network-level data.

Industry Solutions: Twilio integrated this idea into a commercial API, partnering with carriers that support "SIM swap status checks". Other commercial providers like Vonage have launched similar services. These solutions are valuable, but not foolproof: if a phone number is transferred to a carrier that does not support these "SIM swap status checks", commercial API providers and service providers lose visibility. Additionally, carriers strictly control historical IMSI change logs for "privacy" reasons, preventing service providers from conducting deeper investigations or retrospective analysis. While HLR (Home Location Register) and VLR (Visitor Location Register) lookups can still yield some actionable data, true SIM swap prevention/detection will require architecture improvements at the carrier level, and SS7 routing attacks will require network-level architecture improvements.
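The IMSI-comparison detection described in the post above, written up here as an added illustration (it is not Tagomi's, Coinbase's or any vendor's code). The carrier lookup is a constructed stand-in dictionary, the IMSIs use the 001/01 test-network prefix, and the "fail closed when the carrier gives no answer" policy for the visibility gap the post mentions is an assumed design choice:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a carrier / commercial "SIM swap status" lookup:
# the IMSI currently bound to a number, or None when the number sits on a
# carrier that does not support the check (the visibility gap noted above).
# MCC 001 / MNC 01 is the test network, so these IMSIs are clearly fictional.
CARRIER_LOOKUP = {
    "+15551230001": "001010000000001",  # same SIM as at last login
    "+15551230002": "001010000000099",  # number now bound to a different IMSI
    "+15551230003": None,               # ported to a non-participating carrier
}

@dataclass(frozen=True)
class AccountState:
    phone: str
    last_seen_imsi: str  # IMSI recorded at the last login that passed strong auth

def lookup_current_imsi(phone: str) -> Optional[str]:
    """Hypothetical lookup; a real system would call the carrier or an API here."""
    return CARRIER_LOOKUP.get(phone)

def assess_sim_swap(state: AccountState) -> dict:
    """Compare the IMSI seen at the last trusted login with the one bound now.

    status             "unchanged" | "swapped" | "unknown"
    allow_high_risk_tx may withdrawals/transfers proceed on SMS MFA alone?
    require_step_up    force a phishing-resistant factor (e.g. FIDO) first?
    """
    current = lookup_current_imsi(state.phone)
    if current is None:
        # No visibility: fail closed for high-risk actions instead of assuming safe.
        return {"status": "unknown", "allow_high_risk_tx": False, "require_step_up": True}
    if current != state.last_seen_imsi:
        return {"status": "swapped", "allow_high_risk_tx": False, "require_step_up": True}
    return {"status": "unchanged", "allow_high_risk_tx": True, "require_step_up": False}

def record_trusted_login(state: AccountState, verified_imsi: str) -> AccountState:
    """Once the user re-authenticates with a phishing-resistant factor, adopt the
    new IMSI as the baseline so a legitimate device upgrade stops alerting."""
    return AccountState(phone=state.phone, last_seen_imsi=verified_imsi)

if __name__ == "__main__":
    for phone in CARRIER_LOOKUP:
        print(phone, assess_sim_swap(AccountState(phone, "001010000000001")))
```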
My favorite way to hack in my ethical hacking is phone call based hacking with impersonation. Why? Because it has the highest success rate. This is what we're seeing in the wild right now, too. Let's talk about how phone call attackers think and how to catch Scattered Spider style attacks for insurance companies (that are heavily targeted right now, Aflac recently):

1. *Impersonating IT and Helpdesk for passwords and codes*: They pretend to be IT and HelpDesk over phone calls and text messages to ask for passwords and MFA codes, or credential harvest via a link.
2. *Remote Access Tools as Helpdesk*: They convince teammates to run business remote access tools while pretending to be IT/HelpDesk.
3. *MFA Fatigue*: They will send many repeated MFA prompt notifications until the employee presses Accept.
4. *SIM Swap*: They call the telco pretending to be your employee to take over their phone number and intercept codes for 2 factor authentication.

Let's talk about the types of websites they register, how to train your team about them, and how to block access to them. Scattered Spider usually attempts to impersonate your HelpDesk or IT, so they're going to use a believable looking website to trick folks. Oftentimes they register domains like this:

- victimcompanyname-sso[.]com
- victimcompanyname-servicedesk[.]com
- victimcompanyname-okta[.]com

Train your team to spot those specific attacker controlled look-alike domains and block them on your network.

What mitigation steps can you take to help your team spot and shut down these hacking attempts? Especially if you work in Retail or Insurance and are heavily targeted right now, focus on:

Human protocols:
- Start a Be Politely Paranoid Protocol: start a protocol with your team to verify identity using another method of communication before taking actions. For example, if they get a call from IT/HelpDesk to download a remote access tool, use another method of communication like chat, email, or initiating a call back to a trusted number (to thwart spoofing) to verify authenticity before taking action. More than likely it's an attacker.
- Educate on the exact types of attacks that are popular right now in the wild (the thread above covers them).

Technical tool implementation:
- Set up application controls to prevent installation and execution of unauthorized remote access tools. If the remote access tools don't work during the attack, it's going to make the criminal's job harder and they may move on to another target.
- Set up MFA that is harder to phish such as FIDO solutions (YubiKey, etc). Educate that your IT / HelpDesk will not ask for passwords or MFA codes in the meantime.
- Set up a password manager and require long, random, and unique passwords for each account, generated and stored in a password manager with MFA on.
- Require MFA for all accounts, work and personal; move folks with admin access to a FIDO MFA solution first, then move the rest of the team over to FIDO MFA.
- Keep devices and browsers up to date.
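A defender-side helper for the look-alike domain pattern the post above describes, added here as an example (not the author's tooling): it scans names seen in DNS or proxy logs for `<company>-<keyword>` / `<keyword>-<company>` labels and emits defanged block-list entries. The company name "acme", the sample log lines and the keywords beyond the post's three (sso, servicedesk, okta) are constructed assumptions; names under a domain the company actually owns are never flagged:

```python
import re
from typing import Iterable, List

# Keywords attackers pair with the target's name. The first three are the
# examples from the post; the rest are assumed additions, tune them to taste.
LOOKALIKE_KEYWORDS = ("sso", "servicedesk", "okta", "helpdesk", "itsupport", "vpn", "mfa")
SEP = r"[-_]?"  # the pieces are joined with '-', '_' or nothing at all

def refang(domain: str) -> str:
    """Normalise 'Acme-SSO[.]com' style indicators to 'acme-sso.com'."""
    return domain.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")

def defang(domain: str) -> str:
    return domain.replace(".", "[.]")

def _label_pattern(company: str) -> re.Pattern:
    kw = "|".join(LOOKALIKE_KEYWORDS)
    c = re.escape(company.lower())
    return re.compile(rf"^(?:{c}{SEP}(?:{kw})|(?:{kw}){SEP}{c})$")

def is_lookalike(domain: str, company: str, owned_domains: Iterable[str]) -> bool:
    """True when any DNS label is <company>-<keyword> or <keyword>-<company>,
    unless the name sits under a domain the company really owns (so the
    genuine sso.acme.com or acme-sso.acme.com is never flagged)."""
    d = refang(domain)
    owned = [refang(o) for o in owned_domains]
    if any(d == o or d.endswith("." + o) for o in owned):
        return False
    pat = _label_pattern(company)
    return any(pat.match(label) for label in d.split("."))

def blocklist_from_log(domains: Iterable[str], company: str,
                       owned_domains: Iterable[str]) -> List[str]:
    """Defanged, de-duplicated block-list entries from names seen in DNS/proxy logs."""
    owned = list(owned_domains)
    flagged: List[str] = []
    for dom in domains:
        d = refang(dom)
        if d not in flagged and is_lookalike(d, company, owned):
            flagged.append(d)
    return [defang(d) for d in flagged]

# Constructed sample of names as they might appear in a DNS log (not real IoCs).
SAMPLE_LOG = [
    "acme-sso[.]com", "acme-servicedesk.com", "acmeokta.net", "sso.acme.com",
    "acme-sso.acme.com", "okta-acme.co", "news.example.org", "ACME-SSO.com",
]

if __name__ == "__main__":
    print(blocklist_from_log(SAMPLE_LOG, "acme", ["acme.com"]))
```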
🔥 Not all #MFA are Equal. Following the SIM Swap attack on #Kroll which used SMS for MFA, I thought this information should be shared.

CYBER THREATS TO MFA: Cyber threat actors have used multiple methods to gain access to MFA credentials:

✅ SIM Swap. SIM Swap is a form of social engineering in which cyber threat actors convince cellular carriers to transfer control of the user's phone number to a threat actor-controlled SIM card, which allows the threat actor to gain control over the user's phone.

✅ Push Bombing (also known as push fatigue). Cyber threat actors bombard a user with push notifications until they press the "Accept" button, thereby granting the threat actor access to the network.

✅ Phishing. Phishing is a form of social engineering in which cyber threat actors use email or malicious websites to solicit information.

✅ Exploitation of SS7 protocol vulnerabilities. Cyber threat actors exploit SS7 protocol vulnerabilities in communications infrastructure to obtain MFA codes sent via text message (SMS) or voice to a phone.

Guidelines for Phishing Resistant MFA from the #CISA can be found here: https://lnkd.in/eK8W2zRs

#simswapping #Phishing #SS7Attacks #PushBombing #MFA #Kroll #Cybersecurityawareness #cybersecuritytips
How To Investigate SIM Swap Fraud?

Imagine your smartphone, your lifeline, suddenly losing signal. You've fallen prey to a SIM swap fraud, a malicious act granting control of your phone number to hackers. The impact extends beyond inconvenience; it's a direct threat to your finances and years of hard work.

SIM swap attacks involve manipulating mobile carriers to hijack bank accounts, email, and cryptocurrency wallets. The hacker gathers personal details through phishing or the dark web, impersonates the phone's owner, and convinces the carrier to activate a new SIM card, redirecting all communications to the criminal's device. The FBI's alarming statistics reveal a concerning rise in SIM swap fraud, with financial losses reaching over $68 million in 2021.

Understanding the attacker's modus operandi is crucial:

1. Social Engineering and Phishing Tactics: Criminals exploit personal data, initiate dialogue with carriers, and pose as users seeking a SIM replacement. Insider collaboration or phishing may be involved.
2. Role of 2FA and SMS Authentication: SIM swap fraud capitalizes on 2FA vulnerability, intercepting authentication codes sent via text. This grants unauthorized access to the victim's digital domains.

Investigating SIM Swap Fraud:

1. Victim's Report and Carrier Collaboration: Leverage the victim's account to understand the incident's nature. Collaborate with carriers, seeking access to logs, call records, and relevant data.
2. Financial Transactions Monitoring: Trace the flow of funds, collaborate with financial institutions, and scrutinize transactions for money laundering patterns.
3. Dark Web Monitoring: Actively monitor dark web forums for stolen data. Analyze dark web purchases, identifying and tracking activities related to SIM swap schemes.
4. Coordinated Efforts to Shut Down Activities: Collaborate with cybersecurity agencies and international partners to disrupt dark web activities related to SIM swap schemes.

The recent surge in SIM swap attacks underscores the need for advanced security measures.