If you stay up to date with cybersecurity news and events, you are likely bombarded with technical analysis of the latest ransomware, malware, dropper, trojan, or vulnerability that was exploited by bypassing controls and using “living off the land” techniques. While these tactics, techniques, and analyses are incredibly important and useful, we can often forget that it’s sometimes the simple, age-old ways of getting your information and property that can also harm us.
That’s where SIM swapping comes in.
If you stay up to date with cybersecurity news and events, you are likely bombarded with technical analysis of the latest ransomware, malware, dropper, trojan, or vulnerability that was exploited by bypassing controls and using “living off the land” techniques. While these tactics, techniques, and analyses are incredibly important and useful, we can often forget that it’s sometimes the simple, age-old ways of getting your information and property that can also harm us. That’s where SIM swapping comes in.
A SIM (subscriber identity module) card, or just called SIM for short, is a small chip or card put in your phone by your mobile provider that can be removed easily and swapped from phone to phone as needed. The tiny card contains information like your phone number, text messages, contacts, and authentication keys, allowing you to authenticate your provider’s mobile network, country code, and other data. Each SIM card stores different data depending on the carrier, but those are usually, at minimum, what it contains. It basically tells the phone that has the card in it, that this is your phone.
In today’s world, our phones have become the keys to the kingdom. We use them to authenticate our work networks, tools, and services. For a lot of careers, our phone is where most of the work is done. You can imagine, if a bad actor were able to obtain a SIM card from the right person in your organization, how devastating the consequences would be. To a hacker, getting control of a phone is as good as gold.
So, how does this sophisticated attack take place? Possible ways include desoldering the SIM [the removal of solder and components from a circuit board – a type of chip-off style forensic technique], flashing the card, or putting it on a new phone. The last one, maybe, but not likely. Two main ways this actually happens – social engineering and just stealing that little card right out of your phone.
In a social engineering style SIM swapping incident, the bad actor gathers as much intel about you as they can. There are multiple ways to do this, but it is likely they obtain this information through social media, open-source intelligence gathering, buying your info on the dark web, or through email phishing scams. The actor then takes what they have learned about you, contacts your phone provider, and convinces them they are you and that you’ve lost or had a SIM stolen. Then, they get a new one with all your information on it.
The second method, which is very sophisticated [not really], is just taking it out of your phone when you lay it down or have it out of your sight for a few minutes. Removing the SIM takes literally a few seconds. Once they have your card and access to your phone, there are a variety of methods to access your data and leverage it for their gain. One news outlet reported a man left his phone in the gym locker room, noticed his phone would not work properly, and a day or two later, the bad guy was trying to buy $40,000 worth of watches at a watch shop by leveraging SIM data.
In a more recent incident, an executive from the medical research company Advarra had their data stolen after a SIM swap. The information below was taken from Malwarebytes: (hxxps://Malwarebytes[.]com/blog/news/2023/11/medical-research-data-advarra-stolen-after-sim-swap):
In the case of Advarra, the ransomware group ALPHV reportedly managed to transfer the executive’s cellphone number, allowing them access to the company’s resources and copy information that the group is now threatening to sell.
However, Advarra isn’t willing to play ball, saying it doesn’t “pay digital terrorists”.
Advarra said it’s business as usual:
“An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account.
We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems. Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.
Our investigation remains ongoing, and we will provide additional updates as appropriate.”
So, what are some ways to protect yourself from falling victim to SIM swapping?
These are just a few suggestions and by no means an all-inclusive list. By taking a few precautions, staying aware of your surroundings, and being mindful of what you are putting online, you can greatly reduce the risk of becoming a victim.