A SIMple Attack: A Look Into Recent SIM Swap Attack Trends

October 14, 2023 8 mins

Introduction

Stroz Friedberg Digital Forensics and Incident Response has observed an uptick in SIM swapping across multiple industries, with several recent incidents targeting crypto and crypto-adjacent companies. This increasing trend has been noted by the FBI in their internet crime report, with 1,611 complaints reported in 2021 and 2,026 complaints reported in 2022 [1].

While SIM swap attacks are sometimes employed to gain unauthorized access to an individual’s personal email or cryptocurrency wallet, their impact becomes significant when leveraged to breach corporate network accounts. Whether aimed at bypassing multi-factor authentication (MFA) or resetting passwords, these attacks can leave companies with unexpected vulnerabilities. Notably, SIM swapping has been observed as an initial access technique in business email compromise incidents, which constitute a substantial portion of the incidents faced by organizations.

This post will provide an overview of SIM swapping techniques, discuss recent events that Stroz Friedberg has observed related to SIM swapping attacks, and provide detection methods and mitigations against this threat.

What is SIM Swapping?

Historically, SIM cards have contained sensitive user data such as phone numbers, security keys, contact lists, email accounts, social media profiles, and financial banking information [2]. These days SIM cards contain much less data and are primarily used to link a phone number to a device. A SIM swap attack is ultimately successful when a user’s phone number has been transferred to a SIM card controlled by the threat actor. SIM swapping leaves users unable to access accounts, make phone calls, or send texts.

Threat actors can obtain a target’s phone number through spear phishing, third-party breach databases, or free public resources such as data aggregator sites or social media. Therefore, individuals with a greater online presence may experience a higher risk for becoming the target of a SIM swap attack. Individuals should consider investing in greater individual privacy to help reduce the amount of information that is publicly and easily available.

Threat actors can use various methods to initiate a SIM swap attack, including but not limited to:

  • Social Engineering – Typically to change the device associated with a phone number, a wireless carrier requires personal information about the account owner. In many SIM swap attacks, threat actors gather information about their target that they then use to persuade the wireless carrier that they are the authorized user to facilitate the swap.
  • Affiliations with Employees of Wireless Carriers – Threat actors may offer financial incentives to employees of wireless carriers who can conduct SIM swaps without user authorization. These relationships with carrier employees might also be further leveraged by selling SIM swapping services on the dark web.
  • Compromised Credentials – Whether purchased or phished, compromised credentials to wireless carrier accounts grant threat actors direct access to request a SIM swap on the target’s phone number.

Once a threat actor controls the target’s phone number, they have multiple opportunities for further exploitation or for achieving their objectives, including the ability to reset passwords and/or receive MFA authentication codes via SMS.

[Figure: Sample SIM swap attack workflow]

Recent Events Observed by Stroz Friedberg

SIM swapping attacks are frequently used to compromise email accounts and single sign-on accounts with access to various applications, giving threat actors access to cloud storage and other sensitive organizational information. Targets may be at a greater risk if the user has access to administrative privileges or more applications than the average user. The following sections detail attack patterns identified in recent Stroz Friedberg matters involving SIM swapping.

Password Reset Flow Abuse

In contrast with common usage of SIM swapping as an MFA bypass technique, Stroz Friedberg’s analysis has found that threat actors are using SIM swaps to reset passwords without having the user’s credentials.

Threat actors may execute a series of password reset attempts on multiple accounts in quick succession, assessing the feasibility of exploiting SMS verification for password recovery. During the password reset process on widely used platforms such as Microsoft 365, malicious actors can identify the verification methods configured for a specific account. If SMS verification is active, they may also gain access to the last few digits of the associated phone number. In some cases, this reconnaissance on targeted accounts occurred several weeks prior to the actual SIM swap attack.

Upon successful completion of the SIM swap, the threat actor can reset the user’s password to compromise the account without ever having the user’s original password.

Impact of Attack

Many of these incidents have included rapid and noisy post-compromise activity. The threat actor has little incentive to act in a covert manner because a SIM swap is immediately observable to the target user. In addition to being notified by the carrier, users typically notice quickly that they are locked out of their account or have lost access to their mobile service. After a SIM swap, the threat actor often enters the account and downloads sizable quantities of data in a short period of time from cloud storage or other data-driven applications, such as Microsoft SharePoint and OneDrive. By the time the organization has removed the threat actor’s access, the threat actor already possesses the organization’s information.

Forensic Evidence of SIM Swapping

Mobile forensic artifacts typically lack conclusive evidence of SIM swapping. However, many wireless carriers provide notifications to alert users before their number is swapped to another device.

Forensic examiners can review a mobile device for evidence of text messages containing these notifications. These notifications have been observed when:

  • The SIM swap is requested, allowing the target several minutes to contact the carrier if the request is unauthorized
  • The target does not respond to the original notification, indicating to the target that the SIM swap is commencing
  • The SIM swap is complete

[Figure: Example of a SIM swapping notification received from a wireless carrier]

Some threat actors have inundated their target with a high volume of text messages around the time when the wireless carrier sends out its notification. Stroz Friedberg analysis has shown users receiving a large quantity of automated messages from various companies, likely intended to divert the target’s attention away from the carrier’s SIM swap notifications. Threat actors may generate these messages from websites capable of initiating text messages to a specified phone number, such as one-time passwords or invitations for mobile application installations.
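The review described in this section (carrier SIM-change notices in the device's messages, and a flood of automated texts timed to bury them) can be scripted over an SMS export. The following is an added example written for this post, not tooling from Stroz Friedberg or the original article; the records are constructed, and the carrier sender ID, the keyword patterns and the ten-minute window are assumptions a practitioner would tune to the carrier and export format at hand.

```python
"""Added example: triage an SMS export for carrier SIM-change notices and
for the burst of automated messages that can surround them.
All records below are constructed; sender IDs and patterns are assumptions."""
import re
from datetime import datetime, timedelta

CARRIER_SENDER = "CARRIER"  # assumption: how the carrier appears in the export
# Carrier wording varies; match "SIM" followed by change/swap/transfer/activation.
SIM_CHANGE = re.compile(r"\bSIM\b.*?\b(chang|swap|transfer|activat)", re.I | re.S)
# Automated one-time-code and app-invite style texts used as noise.
OTP_LIKE = re.compile(r"\b(code|passcode|verification|one-time|OTP|install)\b", re.I)


def _build_sample_messages():
    """Constructed sample: (received_at, sender, body) tuples."""
    base = datetime(2023, 9, 22, 9, 0)
    msgs = [
        (datetime(2023, 9, 22, 7, 30), "Mom", "Call me when you get a chance"),
        (base, CARRIER_SENDER,
         "Your SIM change request is being processed. Reply NO within 10 minutes to cancel."),
        (base + timedelta(minutes=9), CARRIER_SENDER,
         "Your SIM has been changed and is now active on a new device."),
        (datetime(2023, 9, 22, 12, 0), "Bank", "Your statement is ready"),
    ]
    # Twenty OTP-style texts from five short codes, every 45 s, starting 2 min
    # before the carrier notice: the distraction pattern described in the post.
    short_codes = ["22345", "39876", "47201", "55512", "60199"]
    for k in range(20):
        msgs.append((base - timedelta(minutes=2) + timedelta(seconds=45 * k),
                     short_codes[k % len(short_codes)],
                     f"Your verification code is {100000 + k}. Do not share it."))
    return sorted(msgs)


MESSAGES = _build_sample_messages()


def find_sim_change_notices(messages):
    """Carrier messages whose text looks like a SIM-change notification."""
    return [m for m in messages if m[1] == CARRIER_SENDER and SIM_CHANGE.search(m[2])]


def flood_around(messages, notice, window=timedelta(minutes=10), threshold=10):
    """Count non-carrier messages within +/- window of a notice and judge
    whether they look like an automated flood (volume and OTP-like wording)."""
    at = notice[0]
    nearby = [m for m in messages if m[1] != CARRIER_SENDER and abs(m[0] - at) <= window]
    otp_like = sum(1 for m in nearby if OTP_LIKE.search(m[2]))
    return {
        "notice_at": at.isoformat(),
        "notice_text": notice[2],
        "messages_in_window": len(nearby),
        "distinct_senders": len({m[1] for m in nearby}),
        "otp_like": otp_like,
        "likely_flood": len(nearby) >= threshold and otp_like >= threshold,
    }


def triage(messages):
    """One result row per SIM-change notice found in the export."""
    return [flood_around(messages, n) for n in find_sim_change_notices(messages)]


if __name__ == "__main__":
    for row in triage(MESSAGES):
        print(row)
```

The two carrier notices in the sample (the request and the completion) each get a row; the examiner reads the notice timestamps as the SIM-swap timeline and the surrounding message volume and sender count as evidence of deliberate distraction rather than an unrelated burst of traffic.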

Detecting SIM Swap Attacks

Various detection methods can identify a SIM swapping attack or the resulting compromise and alert the user or the organization to unusual activity. These include:

  • A user receives SIM change notifications from their carrier, or is unable to receive calls or texts on a known device
  • A user is locked out of their account due to unexpected password reset or MFA change
  • A user receives a large quantity of automated text messages around the time of the SIM swap
  • A new device is added to a user’s account to maintain persistence
  • Password reset flows are initiated, including multiple password reset attempts initiated in succession for different users
  • Mass or anomalous file downloads from cloud platforms
  • Anomalous IPs and locations are observed authenticating to user accounts
  • Unknown VPN activity is observed authenticating to user accounts
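Several of the indicators above, together with the reconnaissance pattern described under "Password Reset Flow Abuse" (password resets for several users in quick succession, weeks before the swap), can be expressed as rules over authentication and activity audit logs. The block below is an added example written for this post, not detection content from Stroz Friedberg or any vendor; the event names, field names, thresholds and windows are assumptions, and the events are constructed to resemble a Microsoft 365 style audit trail without following any real schema.

```python
"""Added example: three detection heuristics for SIM-swap-driven account
takeover, run over constructed audit events. Event names (PasswordResetRequested,
PasswordResetCompleted, DeviceRegistered, FileDownloaded), field names and
thresholds are assumptions, not a specific platform's schema."""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_events():
    """Constructed sample audit records (not real logs)."""
    events = [
        # Reconnaissance: one IP starts password resets for three users within
        # about a minute, three weeks before the swap.
        {"ts": "2023-09-01T10:00:00", "op": "PasswordResetRequested", "user": "alice@example.com", "ip": "203.0.113.7"},
        {"ts": "2023-09-01T10:00:40", "op": "PasswordResetRequested", "user": "bob@example.com", "ip": "203.0.113.7"},
        {"ts": "2023-09-01T10:01:15", "op": "PasswordResetRequested", "user": "carol@example.com", "ip": "203.0.113.7"},
        # An isolated, legitimate reset request from elsewhere (should not alert).
        {"ts": "2023-09-05T08:30:00", "op": "PasswordResetRequested", "user": "dave@example.com", "ip": "198.51.100.5"},
        # Post-swap: reset completes, a new device is registered, then bulk downloads.
        {"ts": "2023-09-22T14:05:00", "op": "PasswordResetCompleted", "user": "alice@example.com", "ip": "203.0.113.7"},
        {"ts": "2023-09-22T14:06:30", "op": "DeviceRegistered", "user": "alice@example.com", "ip": "203.0.113.7"},
    ]
    start = datetime(2023, 9, 22, 14, 10)
    for k in range(60):  # 60 downloads in 15 minutes from the compromised account
        events.append({"ts": (start + timedelta(seconds=15 * k)).isoformat(), "op": "FileDownloaded",
                       "user": "alice@example.com", "ip": "203.0.113.7"})
    for k in range(5):  # a normal working pattern for another user
        events.append({"ts": (datetime(2023, 9, 22, 9, 0) + timedelta(hours=k)).isoformat(), "op": "FileDownloaded",
                       "user": "dave@example.com", "ip": "198.51.100.5"})
    return events


EVENTS = _build_sample_events()


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_reset_recon(events, window=timedelta(minutes=10), min_users=3):
    """One source IP starting password resets for several distinct users inside
    one window: probing which accounts offer SMS-based recovery."""
    by_ip = defaultdict(list)
    for e in events:
        if e["op"] == "PasswordResetRequested":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "reset_recon", "ip": ip, "users": sorted(users), "start": first["ts"]})
                break  # one alert per IP is enough
    return alerts


def detect_mass_download(events, window=timedelta(minutes=15), threshold=50):
    """Sliding-window count of downloads per user; alerts once the count in
    any window reaches the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["op"] == "FileDownloaded":
            by_user[e["user"]].append(_ts(e))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.append({"rule": "mass_download", "user": user, "count": i - j + 1, "end": t.isoformat()})
                break
    return alerts


def detect_reset_then_device(events, window=timedelta(hours=1)):
    """A completed password reset followed shortly by a new device registration
    on the same account: the persistence step seen after a swap."""
    resets = [e for e in events if e["op"] == "PasswordResetCompleted"]
    devices = [e for e in events if e["op"] == "DeviceRegistered"]
    alerts = []
    for r in resets:
        for d in devices:
            if d["user"] == r["user"] and timedelta(0) <= _ts(d) - _ts(r) <= window:
                alerts.append({"rule": "reset_then_new_device", "user": r["user"], "reset": r["ts"], "device": d["ts"]})
    return alerts


def run_all(events):
    return detect_reset_recon(events) + detect_mass_download(events) + detect_reset_then_device(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The reconnaissance rule is the one worth tuning first: it fires weeks before the swap, when the organization can still harden the affected accounts, whereas the download and device rules confirm a compromise that is already under way.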

Mitigating Potential Impact of SIM Swapping

Individuals and organizations can protect themselves against SIM swapping attacks using the methods below:

  • Enabling carrier controls to help mitigate account takeover attempts. These controls can include:
    • Requiring a unique passcode or PIN whenever a SIM change is requested
    • Requiring a time-based one-time password (TOTP) to be sent to a known email or phone number whenever a SIM change is requested
    • Biometric account verification
  • Enforcing application-based MFA methods like TOTP or push notifications with code matching enabled
  • Security training to include awareness of SIM swapping attacks and detections
  • Encouraging users to limit personal information posted publicly online and to create strong security questions for wireless carrier accounts that cannot be easily researched
  • Enforcing mobile device management (MDM) registration of devices by an administrator so that unauthorized devices cannot authenticate to user accounts
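The second and fourth mitigations above (application-based MFA and strong, non-phone recovery) are only as good as what users actually have registered. The block below is an added example written for this post, not a tool from Stroz Friedberg or any identity provider: it audits an export of per-user registered methods, flags accounts whose sign-in or password recovery still depends on a phone number, and ranks them so that privileged users are remediated first. The user records and method names are constructed and do not follow any real directory schema.

```python
"""Added example: audit registered MFA and recovery methods for exposure to
SIM swapping. User records and method names are constructed assumptions,
not a specific identity provider's schema."""

PHONE_METHODS = {"sms", "voice"}  # anything delivered to the phone number
STRONG_METHODS = {"authenticator_push_number_match", "totp_app", "fido2_key"}

# Constructed sample export: one record per user.
USERS = [
    {"upn": "alice@example.com", "admin": True, "mfa": ["sms"], "recovery": ["sms", "email"]},
    {"upn": "bob@example.com", "admin": False, "mfa": ["sms", "totp_app"], "recovery": ["email"]},
    {"upn": "carol@example.com", "admin": False, "mfa": ["fido2_key"], "recovery": ["email"]},
    {"upn": "dave@example.com", "admin": True, "mfa": ["authenticator_push_number_match"], "recovery": ["sms"]},
    {"upn": "erin@example.com", "admin": False, "mfa": [], "recovery": ["sms"]},
]

SCORE = {"NO_MFA": 3, "PHONE_ONLY_MFA": 3, "PHONE_RESET": 2, "PHONE_FALLBACK_MFA": 1}


def audit_user(user):
    """Findings for one user; an empty list means no phone-number dependency."""
    findings = []
    mfa = set(user["mfa"])
    if not mfa:
        findings.append("NO_MFA")
    elif mfa <= PHONE_METHODS:
        findings.append("PHONE_ONLY_MFA")  # a SIM swap alone satisfies MFA
    elif mfa & PHONE_METHODS:
        findings.append("PHONE_FALLBACK_MFA")  # strong method exists, but SMS/voice still accepted
    if set(user["recovery"]) & PHONE_METHODS:
        findings.append("PHONE_RESET")  # password can be reset via the phone number alone
    return findings


def severity(user, findings):
    """Sum of finding weights, doubled for privileged accounts."""
    base = sum(SCORE[f] for f in findings)
    return base * 2 if user["admin"] else base


def audit(users):
    """Ranked remediation list: highest severity first, then by UPN."""
    rows = []
    for u in users:
        f = audit_user(u)
        if f:
            rows.append({"upn": u["upn"], "admin": u["admin"], "findings": f, "severity": severity(u, f)})
    return sorted(rows, key=lambda r: (-r["severity"], r["upn"]))


if __name__ == "__main__":
    for row in audit(USERS):
        print(row)
```

Note that a user who has a strong method registered but still accepts SMS as a fallback (bob in the sample) is still flagged, because the fallback is what a password-reset flow or a downgraded MFA prompt will use after a swap; removing the phone method, not merely adding a stronger one, closes the gap.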

Aon’s Thought Leaders
  • Natasha Vij, Consultant
  • Victoria Nyktas, Consultant

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
