A recent supply chain breach at Kroll, the risk and financial advisory firm, affected downstream customers and exposed personal information on hundreds of claimants in bankruptcy proceedings related to crypto trading firms FTX, BlockFI, and Genesis. The incident is a stark reminder of the ongoing danger to organizations from SIM-swapping attacks, researchers noted, and the need to move away from SMS-based two-factor authentication.
The Kroll breach occurred when an adversary transferred an employee’s phone number to an attacker-controlled device and then used it to access sensitive information. SIM swapping, or SIM hijacking, is a kind of account takeover attack in which an attacker gains unauthorized access to a target’s mobile phone functions by tricking the mobile carrier into transferring the victim’s phone number to a SIM card that the attacker controls.
The attacks can take many forms. Some threat groups, such as China-based “Scattered Spider,” have pulled off SIM-swapping attacks at scale by breaking into systems belonging to mobile carriers and porting numbers on their own. In Kroll’s case, the attacker convinced T-Mobile to port a Kroll employee’s phone number to their own device. This gave them a way to access files containing the bankruptcy details; Kroll was retained to manage the filing and retention of proofs of claim in the proceedings for all three crypto firms.
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request,” Kroll disclosed last week, noting that it learned of the breach on Aug. 19.
T-Mobile did not respond immediately to a Dark Reading request for comment.
In a notification to customers, FTX said the breach had exposed the names, addresses, email, and balances in their FTX accounts. Genesis described the breach as having a similar impact and warned victims to be on the lookout for phishing attempts designed to take control of their crypto currency accounts, wallets, and other digital assets.
Targeting SMS-Based Authentication
The main objective in SIM-swapping attacks is often to gain control of a victim’s incoming text messages in order to intercept two-factor authentication codes sent via SMS. These codes are then used to access the victim’s bank and other accounts. In many instances, threat groups have also used SIM-swapped devices for phishing campaigns.
“SIM swapping attacks are used to defeat SMS-based multifactor authentication, commonly leading to account takeovers and paving the way to data breaches and cyberattacks,” says Zach Capers, senior security analyst at Capterra. “This is a real problem because Capterra’s research finds that 42% of businesses use SMS for multifactor authentication,” he says.
Mitigating SIM-Swapping Risks
Capers says SIM swapping typically begins with social engineering — often via phishing email and background research on the victim using social media, company staff pages, or other sources.
“The attacker uses this information to impersonate the victim, bypass the mobile phone carrier’s account security, and convince them to port the phone number to a new device. Once ported, the attacker intercepts authentication codes and gains access to anything using SMS-based authentication, from sensitive business information to financial accounts,” he says. SIM-swapping attacks are a good reason why businesses need to consider alternatives — such as biometrics and physical authentication keys — to SMS-based authentication, Capers said.
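The practical first step for a business acting on this advice is to find out which accounts still depend on a phone number, either as a login factor or as the account-recovery path that an attacker would use to reset stronger factors. The following audit script is an added example, not code from the article, Kroll, T-Mobile, or Capterra; the record format, the factor names, and the sample enrollments are constructed assumptions standing in for whatever an identity provider's MFA-enrollment export actually looks like.

```python
"""
Audit MFA enrollment records and flag accounts that a SIM swap could defeat.

Added illustration (not from the article or any vendor). The record layout,
the factor names and the sample users below are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Relative strength of each factor against SIM swapping and phishing.
# Anything delivered to the phone number itself is what a SIM swap captures.
FACTOR_STRENGTH: Dict[str, int] = {
    "fido2_security_key": 4,   # hardware key: phishing-resistant, not number-bound
    "platform_biometric": 3,   # device-bound biometric / passkey
    "totp_app": 2,             # authenticator app: tied to the device, not the number
    "voice_call": 1,           # code read out to the phone number
    "sms": 1,                  # code texted to the phone number
}
PHONE_NUMBER_BOUND = {"sms", "voice_call"}

# Constructed sample export: one record per account (assumed format).
USERS = [
    {"user": "alice", "factors": ["fido2_security_key", "totp_app"], "recovery": ["backup_codes"]},
    {"user": "bob",   "factors": ["sms"],                            "recovery": ["sms"]},
    {"user": "carol", "factors": ["totp_app", "sms"],                "recovery": ["backup_codes"]},
    {"user": "dave",  "factors": ["platform_biometric"],             "recovery": ["sms"]},
    {"user": "erin",  "factors": [],                                 "recovery": []},
]


@dataclass
class Finding:
    user: str
    severity: str   # "high" or "medium"
    reason: str


def strongest_factor(factors: List[str]) -> Optional[str]:
    """Return the best-ranked enrolled factor, or None if nothing known is enrolled."""
    known = [f for f in factors if f in FACTOR_STRENGTH]
    return max(known, key=FACTOR_STRENGTH.__getitem__) if known else None


def audit_user(record: dict) -> Optional[Finding]:
    """Return the single worst finding for one account, or None if it is fine."""
    user = record["user"]
    factors = set(record.get("factors", []))
    recovery = set(record.get("recovery", []))
    phone_bound = factors & PHONE_NUMBER_BOUND

    if not factors:
        return Finding(user, "high", "no MFA factor enrolled")
    if factors <= PHONE_NUMBER_BOUND:
        # Every login factor rides on the phone number: a port-out is a full takeover.
        return Finding(user, "high",
                       "only phone-number-bound factors (%s); a SIM swap yields "
                       "full account takeover" % ", ".join(sorted(phone_bound)))
    if recovery & PHONE_NUMBER_BOUND:
        # A strong factor is pointless if the reset flow trusts the phone number.
        return Finding(user, "high",
                       "account recovery via %s bypasses the stronger factor %s"
                       % (", ".join(sorted(recovery & PHONE_NUMBER_BOUND)),
                          strongest_factor(list(factors))))
    if phone_bound:
        # Weak fallback still selectable at login time alongside a stronger one.
        return Finding(user, "medium",
                       "phone-number-bound fallback (%s) still enrolled beside %s; "
                       "remove it so the weakest path cannot be chosen"
                       % (", ".join(sorted(phone_bound)), strongest_factor(list(factors))))
    return None


def audit(records: List[dict]) -> List[Finding]:
    """Findings for every account that needs attention, in input order."""
    return [f for f in map(audit_user, records) if f is not None]


def sms_exposure_rate(records: List[dict]) -> float:
    """Share of accounts with any phone-number-bound login or recovery path."""
    if not records:
        return 0.0
    exposed = sum(
        1 for r in records
        if (set(r.get("factors", [])) | set(r.get("recovery", []))) & PHONE_NUMBER_BOUND
    )
    return exposed / len(records)


if __name__ == "__main__":
    for finding in audit(USERS):
        print("[%s] %s: %s" % (finding.severity.upper(), finding.user, finding.reason))
    print("accounts with a phone-number-bound factor or recovery path: %.0f%%"
          % (100 * sms_exposure_rate(USERS)))
```

Run against the constructed records, the script reports bob, dave and erin as high-severity, carol as medium (a TOTP app is enrolled but SMS remains selectable), and alice as clean; three of the five accounts still depend on a phone number somewhere. The point of ranking recovery paths alongside login factors is that many real SIM-swap takeovers never touch the victim's strong factor at all: the attacker triggers a reset that lands in the intercepted inbox.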
Individuals can minimize some of the risk by not posting personal data on social media platforms and other online forums, adds Georgia Weidman, security architect at Zimperium. Attackers often impersonate targets by using information such as the names of relatives, physical addresses and email addresses when trying to convince a phone carrier to port a phone number to a new SIM card, Weidman says.
“Businesses can also alert employees to the danger posed by SIM swapping,” she notes, “and recommend adding a port freeze to their mobile account.”