The most commonly used computer platform nowadays is no longer a desktop or a laptop — it’s a phone. According to Bank My Cell, as of August 2019, there are more than 5 billion mobile devices worldwide. A staggering 67 percent of the population has some kind of mobile device, and research suggests the average person spends five hours a day on their phone — about a third of the time the average person is awake. It’s no wonder attackers are targeting the mobile phone market.
Concern is growing about subscriber identification module (SIM) swapping and SIM cloning attacks. Recent news involving high-profile individuals — such as reports of a CEO falling victim to SIM swapping schemes and the infamous TrickBot Trojan adding a feature to aid in carrying out SIM-swap fraud — is drawing increasing attention to these mobile cybersecurity threats. IBM X-Force Incident Response and Intelligence Services (IRIS)’s findings from dark web research also reveal attackers’ interest in carrying out these types of attacks.
SIM Double Trouble: Swapping and Cloning
SIM swapping and SIM cloning are two distinct methods by which a third party can attempt to compromise a mobile phone, both aiming to duplicate its subscriber identification module card. SIM cards, which are smart cards inserted into a phone for the purposes of identifying it on a cellular network, store data and help identify and serve the subscriber who owns the device.
What happens when someone else has your SIM? Just as you would insert your SIM into a new device (or when changing devices for any other reason), anyone with access to your SIM can connect to your phone number and receive all the services you would receive from your mobile carrier. That includes receiving your phone calls and SMS messages.
Nowadays, with a large variety of service providers opting to send their customers SMS messages as a second factor of authentication to their online accounts, SIM cards have become a choke point for hackers to prey on. If they manage to obtain their target’s SIM card, they can take over those codes and use them to impersonate the victim, log in to their accounts and perform transactions in their name.
These attacks are usually targeted and high-value, and victims are often left out of pocket or left to discover that all their accounts have been taken over by a cybercriminal.
Let’s take a closer look at SIM-based attacks — more specifically, SIM swaps and SIM cloning.
A SIM swapping attack works by convincing call center representatives working for a mobile phone provider to port a phone number to a new device. If they do that, they will unwittingly transfer control of the victim’s phone number to the attacker.
This process in itself is not illegal. It is there to help people report a new phone purchase or lost phone or to request a replacement for a broken mobile device. An attacker doesn’t necessarily need a lot of information to be successful; sometimes just a name, number and birthdate will suffice for the process to be approved on the carrier’s side.
But unwitting help is not the only culprit. In some cases, cybercriminals sometimes recruit insiders to help the port target numbers at scale. In May 2019, nine people were charged in the U.S. with theft via SIM swapping. Three of the nine were employees of two major mobile providers, resulting in a $224 million lawsuit.
A SIM swap can be considerably easier when there is a collaborative insider to leverage. With someone working for the mobile carrier, an attacker doesn’t even need to carry out a social engineering ruse to gather the necessary information about the victim. It has become increasingly popular for cybercriminals to recruit mobile phone provider employees through social media accounts to scale their SIM swapping attacks. By posing as company hiring for open positions through these accounts, attackers have an avenue to recruit insiders through the promise of monetary gain.
SIM cloning has the same goal as SIM swapping, but cloning does not require calling the mobile carrier. Rather, it is more about technical sophistication.
The cloning attack uses smart card copying software to carry out the actual duplication of the SIM card, thereby enabling access to the victim’s international mobile subscriber identity (IMSI) and master encryption key. Since the information is burnt onto the SIM card, physical access to it is a requirement. That means taking the SIM card out of the mobile device and placing it into a card reader that can be attached to a computer where the duplication software is installed. SIM cards can also be hacked remotely if the attacker can abuse over-the-air (OTA) communication to break the encryption that protects updates sent to the SIM via SMS.
After the initial stealthy SIM replication takes place, the attacker inserts that SIM into a device they control. Next, the victim has to be contacted. The ruse may begin with a seemingly innocuous text message to the victim asking them to restart their phone within a given period of time. Then, once the phone is powered off, the attacker starts their own phone before the victim restarts and, in doing so, initiates a successful clone followed by an account takeover. Once the victim restarts their phone, the attack is complete, and the attacker will have successfully taken over the victim’s SIM and phone number.
Attackers have also cloned SIM cards through the use of surveillance toolkit known as SIMJacker. This tool uses instructions to the SIM Application Toolkit (STK) and SIM Alliance Toolkit (S@T) browser technologies installed on various SIM cards to covertly obtain confidential information about the device and its location.
This stealthy access scheme allows an attacker to send an SMS message to a SIM card and have the SIM send out information to a third party. In this case, the SIM is forced to send a message containing private information to the attacker. SIMJacker’s ability to access this communication channel is further described in CVE-2019-16256.
This SIM-level message happens on the hardware level of the device. As such, it is silent and is never seen by the victim. The information it sends out can be used to pinpoint a device’s location data as well as International Mobile Equipment Identity (IMEI) codes.
Many mobile device manufacturers are reportedly vulnerable to this attack, making it particularly dangerous. To date, research publications about SIMJacker say it has been used by an unnamed private surveillance company and not more widely by cybercriminals. This does not mean the toolkit hasn’t yet fallen into the hands of state-sponsored threat groups or cybercriminals who have not yet been reported about.
Though the techniques are different, the end result of SIM swapping and SIM cloning is the same: a compromised mobile device. Once this happens, the victim’s device can no longer make calls or send and receive text messages. All phone calls and text messages are delivered to the new device associated with that SIM — the attacker’s phone. The attacker in turn can use the acquired SIM for a variety of malicious purposes.
Why Would Attackers Want My Phone Number, Anyway?
Once a SIM is swapped or cloned, threat actors can potentially gain access to the victim’s account information, financial information and personally identifiable information (PII). Many sensitive accounts, including banking applications, use SMS or a call as part of their multifactor authentication (MFA) formats. By hijacking the victim’s phone number, the attacker can now log in to these accounts even without a password. Based on X-Force IRIS dark web research, threat actors frequently post requests for SIM cloning services to underground forums to gain access to a targeted bank account. In exchange, a threat actor may offer a portion of what they’re able to steal from that account.
Figure 1: Example of a dark web posting for SIM swap to target banking data
In addition to online banking access, attackers could use a swapped or cloned SIM card to change the password on any account connected with the SIM card’s phone number, including social media, email and other accounts. Attackers have been known to extort victims by offering them the opportunity to pay a ransom to regain access to accounts that have been hijacked in this manner — another method for cybercriminals to realize monetary gain through SIM card operations.
Attackers are also able to route all text messages and calls directed at a hijacked number to their own device, creating opportunities for additional scams or extortion of the victim’s contacts.
What Does This Mean for Organizations?
These attacks are indiscriminate, and it’s a target-rich environment due to the endless number of devices in operation, which keeps growing every day. Nearly every pocket or purse nowadays holds a target for attackers to send their nefarious text messages or emails containing malicious links.
Corporate mobile phones and devices used under a bring-your-own-device (BYOD) policy are potentially vulnerable. A quick online search for publicly disclosed mobile device vulnerabilities and exploits yields resources that an attacker can leverage to compromise an enterprise-issued or BYOD mobile phone.
These attacks aren’t as overt as other threats such as malware and brute-force attacks, so they can be challenging for traditional mechanisms to detect. However, there are proactive measures organizations can take. Below are some mitigation tips to help better protect enterprise users from SIM takeover attacks.
- Have your organization’s mobile provider add a PIN to all corporate mobile accounts for added security. Do the same for your personal devices.
- Use enterprise controls to enforce rules disabling links in text messages, and educate users about the security implications of this step.
- Educate users on the hazards of responding to and/or acknowledging text messages from unknown but seemingly reputable sources.
- In a BYOD environment, watch for intrusions entering through BYOD vectors. This can be accomplished, in part, by requiring BYOD users to install company security software on their device — such as mobile antivirus, a data protection application and a second-factor authentication generator — before connecting to the network.
- When possible, disable mobile syncing with company-owned computer systems to limit the opportunity for malicious mobile applications to exfiltrate company information. If data must be synchronized with the network, monitor data traffic from data stores that are accessible by mobile devices for unusual activity.
- Set up a VoIP phone number that can be given to prospective clients instead of having them call the mobile phone. This can limit the number of people who have the mobile device’s number and, in turn, reduce the overall risk of takeover.
To keep abreast of new developments in the threat landscape, read more IBM Security research on SecurityIntelligence. For technical information on threats and threat actors, join us on X-Force Exchange. Finally, learn how X-Force IRIS can help you proactively manage threats and respond to attacks.