DEFENSESTORM BLOG

SIM Swapping – A Tried and True Tactic

Thursday, November 9th, 2023


SIM swapping is nothing new. If you stay up to date with cybersecurity news and events, you are likely bombarded with technical analysis of the latest ransomware, malware, dropper, banking trojan, or vulnerability that was exploited by bypassing controls and using “living off the land” techniques. While these tactics, techniques, and analyses are incredibly important and useful, we can often forget that it is sometimes the simple, age-old ways of getting your information and property that can also harm us. That is where SIM swapping comes in.

A SIM (subscriber identity module) card, or just SIM for short, is a small chip or card put in your phone by your mobile provider that can be removed easily and moved from phone to phone as needed. The card holds the identifiers and secrets that tie a handset to your subscription: the IMSI (your subscriber identity, which the carrier maps to your phone number), the ICCID (the card's own serial number), the home network's country and operator codes, and a secret authentication key that never leaves the card and is used to prove to your provider's network that the phone holding it is yours. Depending on the carrier it may also store contacts and text messages, and the exact contents vary, but those are usually, at minimum, what it contains. In short, whatever phone the card is in, the network treats as your phone.

In today’s world, our phones have become the keys to the kingdom. We use them to authenticate to our work networks, tools, and services, and for many careers the phone is where most of the work gets done. You can imagine how devastating the consequences would be if a bad actor were able to take over the phone number of the right person in your organization: every SMS one-time code, password-reset text, and verification call meant for that person now lands with the attacker. To a hacker, control of a phone number is as good as gold.

So, how does a sophisticated SIM swapping attack take place? You might picture desoldering the SIM chip (a chip-off technique borrowed from forensics, where solder and components are removed from a circuit board), flashing or cloning the card, or simply moving it into a new phone. Cloning is largely a thing of the past, because modern SIMs are built so the authentication key cannot be read out, and moving the card to a new phone is possible but not the usual route. In practice this happens in two main ways: social engineering, and just stealing that little card right out of your phone.

In a social engineering style SIM swapping incident, the bad actor gathers as much intel about you as they can. There are multiple ways to do this, but they most likely obtain it through social media, open-source intelligence gathering, buying your info on the dark web, or email phishing scams. The actor then takes what they have learned about you, contacts your phone provider, and convinces them that they are you and that your SIM has been lost or stolen. The carrier then activates a new SIM, in the attacker's hands, carrying your number. From that moment your own SIM stops working, and every call and text intended for you, including one-time passcodes and password-reset links, goes to the attacker. A sudden, unexplained loss of service is often the first sign that this has happened.

The second method, which is very sophisticated [not really], is just taking it out of your phone when you lay it down or have it out of your sight for a few minutes. Removing the SIM takes literally a few seconds, and unless you have set a SIM PIN (the lock the card itself asks for whenever it is powered on or placed in a different phone), it will register to the network in whatever handset the thief puts it in. Once they have your card, and possibly your phone as well, there are a variety of methods to access your data and leverage it for their gain. One news outlet reported that a man left his phone in a gym locker room, noticed his phone would not work properly, and a day or two later the bad guy was trying to buy $40,000 worth of watches at a watch shop by leveraging the SIM.

In a more recent incident, an executive at the medical research company Advarra had their data stolen after a SIM swap. The account below is taken from Malwarebytes (ThreatDown):

In the case of Advarra, the ransomware group ALPHV reportedly managed to transfer the executive’s cellphone number, allowing them to access the company’s resources and copy information that the group is now threatening to sell.

However, Advarra isn’t willing to play ball, saying it doesn’t “pay digital terrorists”.

Advarra said it’s business as usual:

“An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account.

We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems. Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.

Our investigation remains ongoing, and we will provide additional updates as appropriate.”

So, what are some ways to protect yourself from falling victim to SIM swapping?

  • Talk to your mobile provider. Most big carriers now offer additional security layers, such as an account PIN or passcode that must be given before any SIM change, and a number lock or port-out freeze that blocks transfers entirely until you lift it. These are rarely on by default and usually require set up.
  • Set a SIM PIN on the card itself, so a SIM pulled out of your phone will not register in another handset without it.
  • Keep personal information private and avoid posting too much about yourself online.
  • Use a form of multifactor authentication that does not depend on your phone number, such as an authenticator app or a hardware security key, rather than text message or voice-call codes. Check each account's recovery options too: if a service will reset your password by texting your number, that SMS path is still there for an attacker to use.
  • Be aware of phishing scams and educate yourself on the red flags that help identify phishing and social engineering attacks.
  • Avoid disclosing publicly any crypto assets or trading you may be involved in. Individuals heavily involved in cryptocurrencies are high-value targets.
  • Do not leave your phone unattended at the gym, the airport, or anywhere else.
  • When navigating dense crowds, move valuables to front pockets or inside zipped or buttoned pockets.
  • Have a plan for your phone and other assets when traveling out of the country. Take burner or pre-paid phones, if possible, when traveling internationally.

These are just a few suggestions and by no means an all-inclusive list.  By taking a few precautions, staying aware of your surroundings, and being mindful of what you are putting online, you can greatly reduce the risk of becoming a victim of SIM Swapping.

References:

ThreatDown (Malwarebytes), “Medical research data Advarra stolen after SIM swap”

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.