Online Credential Scam Becomes a Phone Port Attack and then Turns into a Sextortion Scam



If experiencing a single cyberattack isn’t enough, this complex attack that shifted mid-stream demonstrates how attackers take advantage of victim details as an attack unfolds.

Toronto businessman Randall Baran-Chong received a notification on his phone one night that his device was no longer in service. This was the initial indicator of an attack that began with a simple phone SIM port attack – used to take over someone’s phone account and then use the newly ported phone as a second form of authentication as part of an online credential compromise attack.

Baran-Chong had become the victim of an attack bent on accessing his email, bank accounts, credit cards, and anything else the cybercriminals responsible could find. And find they did… Baran-Chong had videos of himself engaged in sex acts with women on cloud storage – something that caused the scam to shift from a rather simple online identity theft to full-blown extortion, threatening to expose Baran-Chong if he didn’t pay up.

Attacks like this in Canada have led to calls for more strict porting laws to make it more difficult for cybercriminals to port a phone’s SIM to a criminal-controlled device. Currently, all that’s needed in some cases is little more than the phone number and associated account number.

The real issue here for organizations is that oftentimes a user’s mobile phone is the device used for secondary authentication. Whether by text message, authenticator app, or email, mobile devices are the medium by which multi-factor authentication is achieved. With control over this device, what a cybercriminal can do is nearly unlimited.
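The chain described above (port the number, use it to reset email, then pivot from email to everything that recovers through it) is easy to reason about as a dependency graph. The following is an added example, not code from the article or from KnowBe4: it walks a constructed account inventory to a fixed point and reports which accounts fall to an attacker who controls nothing but the phone number, then shows the same inventory with phone-bound recovery paths removed. Account names, factor names (`sms`, `voice`, `totp`, `fido2`, `port_pin`, `email:<account>`) and the inventory itself are assumptions made for the demonstration.

```python
"""Model which accounts a single SIM-port attack could reach.

Each account lists alternative access paths; a path is a tuple of factors
that must ALL be satisfied to sign in or reset the account.  Factor kinds:
  "password"        - the account's own password (per account)
  "sms" / "voice"   - channels that follow the phone number (fall with a port)
  "totp" / "fido2"  - bound to the authenticator or security key, not the number
  "port_pin"        - carrier-side port-out PIN (hypothetical factor name)
  "email:<account>" - access is granted if that other account is already owned
"""

PHONE_BOUND = {"sms", "voice"}

# Constructed sample inventory (not from the article).  Note the SMS-only
# recovery path on "email" and the email-based reset on "cloud".
ACCOUNTS = {
    "carrier": [("password",), ("sms",)],
    "email":   [("password", "totp"), ("sms",)],        # SMS-only account recovery
    "bank":    [("password", "sms")],
    "cloud":   [("password", "fido2"), ("email:email",)],  # reset link sent to email
    "broker":  [("password", "totp")],
}

# Same inventory with every phone-bound path removed or re-bound to a
# device factor; email recovery now goes through the security key.
HARDENED = {
    "carrier": [("password", "port_pin")],
    "email":   [("password", "totp"), ("fido2",)],
    "bank":    [("password", "totp")],
    "cloud":   [("password", "fido2"), ("email:email",)],
    "broker":  [("password", "totp")],
}


def reachable_after_sim_port(accounts, known_passwords=frozenset(), ported=True):
    """Return the set of accounts an attacker can take over.

    ported=True means the attacker now receives every SMS/voice challenge.
    known_passwords names accounts whose password the attacker already has
    (e.g. from an earlier credential leak); all other passwords are unknown.
    Loops to a fixed point because owning one account (email) can satisfy an
    'email:' factor on another account.
    """
    owned = set()

    def satisfied(acct, factor):
        if factor == "password":
            return acct in known_passwords
        if factor in PHONE_BOUND:
            return ported
        if factor.startswith("email:"):
            return factor.split(":", 1)[1] in owned
        return False  # totp / fido2 / port_pin: not obtainable via a port

    changed = True
    while changed:
        changed = False
        for acct, paths in accounts.items():
            if acct in owned:
                continue
            if any(all(satisfied(acct, f) for f in path) for path in paths):
                owned.add(acct)
                changed = True
    return owned


def phone_only_paths(accounts):
    """Accounts that fall to a port alone: some path uses only SMS/voice factors."""
    return {
        acct for acct, paths in accounts.items()
        if any(path and all(f in PHONE_BOUND for f in path) for path in paths)
    }


if __name__ == "__main__":
    print("falls to a bare SIM port:", sorted(reachable_after_sim_port(ACCOUNTS)))
    print("phone-only recovery paths:", sorted(phone_only_paths(ACCOUNTS)))
    print("after hardening:", sorted(reachable_after_sim_port(HARDENED)))
```

The interesting output is not that `email` falls (it has an SMS-only recovery path) but that `cloud` falls with it even though its login requires a security key, because its reset flow trusts the email account. Auditing recovery paths transitively, not just login factors, is what turns "we use MFA" into "a ported number does not reach our data".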

Organizations wanting to ensure the security of their accounts – and the systems, applications, and data those accounts can access – need to ensure their mobile carriers have strict policies in place to make porting difficult for the would-be scammer.

At the same time, what also puts the organization at risk is users like Baran-Chong – those who keep compromising photos, videos, and content that can be used to extort money, passwords, and access. Cybercriminals today are keenly aware of the business opportunities that extortion affords. Organizations should educate users via Security Awareness Training on secure online personal practices, as well as good security hygiene – both at home and at work.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer


