This month the UK’s National Crime Agency (NCA) arrested eight suspects who targeted famous sports stars and musicians in the US and stole from victim’s bank accounts and crypto wallets.
We hadn’t heard much from the SIM-swapping side of cybercrime in quite a while. This method of tricking a carrier and anyone using a phone number as a form of authentication is accomplished by swapping out the legitimate SIM of the victim with one controlled by the criminal to take over the mobile number of their target.
Once in control of the mobile phone number, it becomes far easier to reset passwords, gain access to bank accounts, etc. as many businesses lean on the possession of a mobile device as the second form of authentication. In all, the NCA estimates that the gang took over $100 million in money and cryptocurrency over the course of 2020.
It’s not clear whether the gang used social engineering to trick their victims into giving up logon details, hacked into a cellular carrier’s network and gained access to their internal systems, or had inside help to modify the SIM on the target mobile account. But the NCA was able to monitor the gang during their investigation and notify some victims of the SIM swap before any malicious actions could be taken.
While this attack targeted celebrities in the US, this could just as easily be an attack targeting CEOs in an attempt to impersonate and commit fraud. Organizations should be mindful of any social engineering involving their mobile device and its associated user account, as well as any communication from an executive's mobile device that involves money-related transactions.