‘SIM Swapping’ Attack Strikes Risk Advisory Firm

On Aug. 19, a threat actor transferred the phone number of a Kroll employee to the attacker's own phone in an attack method known as SIM swapping. The financial and risk advisory firm published a statement on the security incident on Aug. 25.

How are SIM swapping attacks like this one executed, and what can enterprises do to minimize the risk of this cyber threat?

SIM Swapping Attacks

SIM swapping attacks involve porting a mobile number to a SIM card controlled by a threat actor. The threat actor can then receive calls and texts from this number, allowing them to bypass multi-factor authentication (MFA) systems. With that access, the threat actor can receive one-time passwords (OTPs) and codes sent via SMS. 

“Most users have MFA deployed on their bank accounts … they send you an OTP code through your phone number that they have on file. You enter the code, and you’ll get access to your bank account, but if your SIM is hijacked, they [the threat actor] end up getting all the OTP codes,” Rohan Pinto, CTO of 1Kosmos, a distributed identity cloud service, explains via a phone interview.

SIM swapping attacks can be executed in a few different ways. One common method, referred to as “remo,” involves using the tablet that controls devices at a cellphone carrier store.

“You can actually find TikTok videos where swappers will run into a store -- pick your cellphone provider of choice -- they’ll grab one of the tablets that is used to manage devices. They’ll run out, they’ll port a number to a new SIM card, and that’s the SIM swap attack,” Mark Stamford, CEO of cybersecurity company OccamSec, said in an interview with InformationWeek.

Threat actors can also work with insiders, or “innys,” to execute SIM swapping attacks. Mary Ann Miller, fraud and cybercrime executive advisor and vice president of client experience at Prove Identity, a company that provides phone-centric and API authentication solutions, notes that innys at companies like T-Mobile, Verizon, and AT&T can be recruited via platforms like Telegram.

“There are going rates for different SIM swaps for different telcos. The bad actor will offer the insider say $1,000 a line,” she said.

SIM swapping is not a novel attack method. Threat actor group Lapsus$ gained a lot of attention for high-profile breaches of several companies using this method. In 2021 and 2022, the group executed attacks against several companies including Microsoft, Uber, Cisco, Samsung, T-Mobile, and Nvidia, according to Bleeping Computer.

The Kroll Security Incident

The threat actor contacted T-Mobile and requested the employee’s phone number be transferred. The transfer was completed without contacting the employee or Kroll. The SIM swapping attack allowed the threat actor to access three accounts relating to “personal information of bankruptcy claimants in the matters of [cryptocurrency industry companies] BlockFi, FTX and Genesis,” according to Kroll’s statement. The company notified the impacted individuals and took action to secure the impacted accounts. 

The breach involves sensitive information. How could this information be of value to the threat actor behind the attack?

Stamford suspects that the motivation behind this attack, like many others, is financial. The bankruptcy claimants likely have substantial funds, representing a ripe set of victims who have valuable assets for the threat actor to pursue.

Stamford imagines the thought process of the threat actors. “I think that it’s a really good way to find targets. I’m going to steal all the information on the claimants who have what must be large amounts of funds,” he explains. “I’m going to go find their cellphone numbers, and I’m just going to SIM swap them.”

The consequences of the attack, beyond the potential for reputational damage, are likely to become clearer over time. “I think the implications depend on whose hands the data ended up in,” says Miller.

SIM Swapping and MFA

The Cyber Safety Review Board (CSRB), an advisory board made up of 15 cybersecurity leaders from the federal government and private sector, released a report on the Lapsus$ attacks. In the report, the CSRB noted that “…multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers. In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.”

What should CIOs and other enterprise leaders using MFA be thinking about following the SIM swapping attack targeting Kroll?

“If you have any kind of MFA set up and it is sending out codes via SMS, that’s liable to SIM swapping,” says Stamford.

Attacks are typically targeted. “It is usually targeted. It’s not random because when you do a random SIM jacking, there is more work involved in finding out who had that number before and to get some information about that user via social engineering attacks,” Pinto explains. 

Attackers can also employ social engineering to get around MFA. If they already have the target’s username and password for a specific account, they just need the OTP. They may call their target posing as their bank, Miller explains. The attacker will ask to verify a charge. During the call, they will tell the user they are sending them a one-time code they need to see for verification purposes. The code will actually be sent to the victim’s phone as a result of the threat actor using the compromised credentials to attempt a log-in. Once the threat actor receives that code from the victim, they can use it to log into the target account on another device.

SIM swapping attacks could become more popular going forward. “I think we’re going to see more people jump on the SIM swapping bandwagon,” Stamford anticipates.  

SIM Swapping Prevention

If more attacks are possible, what can enterprise leaders do to prevent them?

If your organization is using MFA and OTPs, Miller stresses the importance of having SIM swapping detection in place. Determine if a SIM has been recently swapped, with 24 or 48 hours for example.

“If it has and there’s also a high-risk event occurring, that’s the reason to pause. That’s the reason to step up in a different mechanism, not to allow the user to authenticate in that manner,” says Miller.Enterprise leaders may also consider alternatives to MFA that rely on OTPs sent via SMS. “There are plenty of authenticator apps now that you can put on phones,” Stamford offers.

Organizations can also put more controls in place to make it more difficult to port phone numbers. If an organization issues cellphones to their employees, Pinto recommends adding portability blocks to all numbers.

“It is important for enterprises who issue cellphones to their employees to ensure that the numbers that they assigned to their employees all have the number portability block added on to that accounts so the number cannot be ported without re-verification of the employee’s identity,” he says.

Similar to how enterprises have log retention and data retention policies, Pinto emphasizes the importance of having a policy to regularly verify the authenticity of employee phone numbers.

SIM swapping attacks remind enterprises of just how vast the attack surface can be. Something as simple as walking into a cellphone store and taking that store’s tablet can lead to a SIM swapping attack. “We have to view that attack surface as a much larger area because there’s technology everywhere,” says Stamford.

Organizations may also need to prepare for regulations that would address the risk of SIM swapping. The CSRB “calls on telecommunications providers to employ stronger security protocols to prevent SIM swapping, and on federal regulators such as the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to ensure those improvements are made through appropriate regulatory oversight and supervision.” If more SIM swapping attacks occur, regulators could take action.

The potential for more SIM swapping and regulation in response means enterprise leadership may need to reevaluate how they approach access management.

“I think what will end up happening is organizations will have to speed up their ability to look at different ways to put different authentication and access management protocols in place,” says Miller.

What to Read Next:

How to Build True Cyber Resilience

Tesla Insider Data Breach Exposed Over 75,000

MOVEit Breach Continues to Snap Up Victims