SIM Swapping Communities EN

SIM Swapping Communities EN

Hey everyone!

Dear readers, in this new blog post we will refer to a relatively unknown cyber threat that has been affecting a multitude of individuals for some time now: the SIM swapping cybercriminal communities.

SIM Swapping is a cyber threat that predominantly affects end users of mobile devices, constituting a form of fraud whereby a cybercriminal attempts to obtain a duplicate SIM card associated with an individual's phone line by performing spoofing activities and subsequently allowing them to steal the financial capital available in their mobile online banking application, among other possibilities.

In order for a SIM Swapping campaign to be successful, as with any moderately sophisticated cyber-attack, several stages must occur, as noted below:

  • First, the cybercriminal collects information about the potential victim to be targeted. This can be done by using information from open sources and, in particular, from the individual's social networks. From these, all kinds of data can be collected to build a credible scam to start the campaign, from their first and last names, through their telephone number, the telephone company they belong to (this can be done using various online verification tools), place of residence, information about family and friends, and so on.
  • Before moving on to the next phase, the attacker must complement the SIM Swapping operation with another round of actions in case he wants to access services where credentials are used, since what SIM swapping allows is to obtain the codes that are usually used as a second authentication factor. To do this, the credentials of interest to the attacker must first be obtained, for which complementary phishing, pharming or spoofing activities can be carried out, trying to get the user to provide the necessary data to continue the compromise.
  • Next, the cybercriminal makes a call to the phone provider of the individual he is trying to defraud, pretending to be the owner of the SIM card to be duplicated, using social engineering tactics to get the company to provide the duplicate to the attacker, using various lures such as the loss or theft of the SIM card. It has even been observed that cybercriminals who carry out this kind of fraud and impersonation activity often present themselves at the headquarters of the user's telephone company with false allegations of the theft of their mobile phone and a false photocopy of the owner's ID card. Given that telephone providers generally use lax identity verification methods based on personal questions, it is relatively easy for a malicious third party to obtain a duplicate SIM card.
  • Usually, when the duplicate SIM is produced and the second card is activated, the one that was being legitimately used by the user is deactivated and the mobile device is therefore left without coverage, which would allow a malicious third party to gain control over the duplicate phone number. In a small percentage of situations, the attacker requests the activation of a multiSIM service, in which case both the attacker's card and the card being used by its legitimate owner would work, making it much more difficult to detect and remedy the spoofing, although this requires sophisticated deception tactics. In any case, once the attacker obtains the duplicate SIM card, they are given the ability to access the scam victim's mobile line, make calls or send messages on their behalf, receive communications intended for the impersonated individual, and receive two-factor authentication (2FA) codes, among other possibilities. A potential threat actor could therefore gain access to a wide range of sensitive or confidential information.
  • Finally, the attacker carries out all kinds of scams and frauds that affect the individual who is being impersonated, generally from the moment the legitimate user loses telephone line coverage, it being common for cybercriminals specialised in carrying out campaigns of this kind to focus on gaining access to the user's online banking services and then making transfers to accounts belonging to them. In this way, the funds available in the impersonated individual's account are transferred to them or even loans are taken out in their name without their real authorisation. In order to successfully complete the above procedure, the attackers request the sending of a one-time password (OTP code) through SMS messaging, which is usually used by financial institutions as a double authentication factor. By having access to the duplicate SIM card, attackers can view this message, which in theory should only be transmitted to the holder of the line, thus using it to their own advantage, i.e. to access the individual's bank account. Among other possibilities, it is also common for the SIM swapping cyber-attack to end with the user's email account access credentials or those corresponding to their social media profiles.

Although it may seem difficult for a cyberattack of this type to take place, as it requires sophisticated preparatory and planning phases, there have been many cases of individuals who have seen their bank account balances reduced to zero after becoming victims of a campaign of this type. In the first days of August 2022, for example, the National Police in Spain arrested a 20-year-old man who had obtained up to 72,000 euros by perpetrating cyber-attack campaigns related to this type of cyber-threat. In 2019, several cybercriminals even gained access to the Twitter profile of the platform's co-founder and CEO, Jack Dorsey, using SIM Swapping techniques during the process, which was subsequently used to disseminate messages with racist and abusive content. More recently, during April 2022, in Argentina, SIM Swapping cyberthreats affected public figures such as Nicolás Kreplak, Minister of Health of the Province of Buenos Aires; Sabina Frederic, former Minister of Security of the nation; Myriam Bregman, national deputy of Frente de Izquierda; and Mara Brawer, deputy of Frente de Todos. These facts therefore show that SIM Swapping activities could even affect the path of politics, with messages contradictory to the guidelines of a given political movement and undermining confidence in parties and electoral processes.

Considering the simplicity with which this type of cyber threat is carried out and its high probability of success, it has been observed that sophisticated cybercriminal actors are starting to incorporate SIM Swapping techniques into their campaigns. In this regard, the threat actor LAPSUS$, who at least since March this year has been using social engineering tactics based on SIM Swapping activities to gain access to personal and corporate email accounts of users employed by organisations they intend to compromise and subsequently extort money from, has been notorious. In this sense, the LAPSUS$ actor compromised the T-Mobile phone company in April 2022, gaining access to the company's internal tools and even to the software used within the entity to validate SIM swaps. Fortunately, internal disagreements among the group's members and a quick response from T-Mobile, which demanded additional checks before accepting any SIM swaps from high-profile individuals, meant that the cyberattack did not have a major impact, as LAPSUS$ members debated between using the software to make a high and quick profit by executing scams and using it to facilitate a successful cyberattack on the FBI and the US Department of Defence.

On the other hand, more recently, a wave of physical violence has been detected in which different disorganised actors in the SIM Swapping community confront and intimidate each other in order to neutralise rivals who might be competing with them by operating in the same environment. In fact, last September one of the members of a SIM Swapping community known as "Foreshadow" was kidnapped and assaulted by a competitor group who demanded a sum of around $200,000 in exchange for releasing the individual alive. If one thing is clear, it is that SIM Swapping actors do not seem to be willing to lose the ability to profit from this criminal modality, being able to adopt criminal behaviour more usually related to the mafia than to cybercrime.

To conclude, according to the above, SIM Swapping activities mostly affect individual end users who own mobile devices, although the first traces of activity directed towards corporate environments have begun to be observed. This is evidence of the current success of this type of cyberthreat, as they are beginning to be used in advanced campaigns by sophisticated threat actors that are aimed at larger targets and whose impact will therefore undoubtedly be greater. As has already happened in Argentina, failure to remedy SIM Swapping scams could even result in reputable organisations or even government entities seeing their reputation undermined by the dissemination of messages and publications that are not legitimately endorsed by them, a circumstance that shows that a cyberattack of this type could even affect public opinion on issues of high social relevance.

In order to prevent the rise of SIM Swapping, which has been on the rise since the beginning of 2022, a multitude of measures have been imposed on a national and international level. For example, on a national level, the AEPD (Spanish Data Protection Agency) has increased sanctions against the nation's main telephone providers, such as Vodafone, Orange and Telefónica, with high penalties ranging from 70,000 euros to 4 million euros in the event that they violate the data protection policy currently in force in the country and provided that the negligence results in the successful commission of a cyber-attack of this type. In this regard, last April the AEPD imposed the largest sanction in these terms known to date, €3.94 million on Vodafone for failing to adequately protect its customers' data against SIM Swapping scams.

On an individual level, as with other types and forms of cybercrime, it is advisable to be aware of the sensitivity of the information surrounding each person as a first measure of protection against SIM Swapping scams, since the human being is always the most fragile link in the security chain. In this regard, personal and/or confidential data should not be given to any third party that could be the object of suspicion, such as unknown callers, e-mails or SMS messages that demand to know certain data in a hurry. Nor should valuable information be entered into the browser when using public WiFi networks, as the data circulating through them could be intercepted by malicious third parties. In addition, to prevent any individual from becoming the target of a cyberattack, it is advisable to restrict access to social networks that you own, to ensure that only those close to you have access both to what you post and to your personal information.

An important sign that could alert you to the possibility of becoming a victim of a SIM swapping scam is if your mobile device has lost all signal and coverage for no plausible and logical reason. In this case, it is highly recommended to contact the mobile phone provider as soon as possible and report the error, in order to identify the reason for the failure at an early stage. If a successful SIM swapping cyber-attack is confirmed, i.e. if a cyber-attacker has obtained a duplicate SIM card from the owner of a mobile phone line and it has been activated, the user's access credentials to services must be changed immediately, especially online banking, email and social networking resources, and report the identity theft and the duplicate SIM card to the relevant authorities in order to have the SIM card blocked as soon as possible and to investigate any unauthorised transactions.

So much for the article on SIM Swapping! What did you think, did you know about this type of cyber threat?

Don't hesitate to share it so that it can be useful to more people.

See you soon! :)