Cyber fraudsters hack mobile operators to get at subscribers' phone numbers


Remote desktop (RDP) is a convenient thing when you need to do something on a computer but have no way to physically sit in front of it, or when you need good performance while working from an old or underpowered device. The cloud provider Cloud4Y offers this service to many companies. So I couldn't pass over the news that scammers engaged in hijacking SIM cards (SIM swapping) have moved on from bribing employees of telecommunications companies to using RDP to get into the internal databases of T-Mobile, AT&T and Sprint.

Cyber fraudsters (I can't bring myself to call them hackers) are increasingly persuading employees of mobile operators to run software that lets the fraudsters into the companies' internal databases, where they steal subscribers' mobile phone numbers. A recent investigation by the online magazine Motherboard indicates that at least three companies were attacked: T-Mobile, AT&T and Sprint.

This is a real shift in SIM swap fraud (numbers are hijacked so that the fraudster can use the victim's phone number to gain access to email, social networks, cryptocurrency accounts and so on). Previously, scammers bribed operator employees to swap SIM cards, or used social engineering to extract the necessary information while posing as the real customer. Now they act more brazenly and crudely: they break into the operators' IT systems and perform the fraudulent operations themselves.

The new method came up in January 2020, when several US senators asked the chairman of the Federal Communications Commission, Ajit Pai, what his agency was doing to protect consumers from the ongoing wave of attacks. That this is not an empty panic is shown by the recent case of $23 million stolen from cryptocurrency accounts via SIM swap. The accused is 22-year-old Nicholas Truglia, who became known in 2018 for successfully hijacking the phones of several prominent Silicon Valley figures.

"Some ordinary employees and their managers are completely inert and stupid. They give us access to all the data, and we begin to steal," one of the attackers involved in SIM hijacking told the magazine on condition of anonymity.

How it works


The attackers use the capabilities of the Remote Desktop Protocol (RDP). RDP lets a user control a computer from practically anywhere. Usually this technology serves peaceful purposes: for example, when technical support helps a customer configure a computer, or when working in a cloud infrastructure.

But attackers have also come to appreciate what this software can do. The scheme is simple: a fraudster, posing as a tech support employee, calls an ordinary person and tells them their computer is infected with dangerous malware. To fix the problem, the victim must enable remote access and let the fake support representative onto their machine. After that it is only a matter of technique: the fraudster can do whatever they like with the computer, and what they usually like is to log into online banking and steal money.

Now the scammers have turned from ordinary people to employees of telecom operators, convincing them to install or enable remote-access software, and then openly rummage through the operators' databases remotely, hijacking individual subscribers' SIM cards.

This is possible because some operator employees have the right to "transfer" a phone number from one SIM card to another. During a SIM replacement, the victim's number is moved to a SIM card controlled by the scammer, who can then receive the victim's two-factor authentication codes and password reset prompts via SMS. Whoever controls the number controls every account that trusts it, which is why SMS-based second factors are the weak link in this scheme. T-Mobile uses a tool called QuickView to change the number; AT&T uses Opus.

According to one of the scammers the reporters managed to talk to, the most popular program is Splashtop. (Strictly speaking, Splashtop is a third-party remote-support product rather than Microsoft's RDP; for the attack it makes no difference, since either gives an outsider interactive control of the employee's desktop.) It works against any telecom operator, but it is used most often in attacks on T-Mobile and AT&T.
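The scheme described above leaves two traces an operator can correlate: a remote-access tool starting on an employee workstation, and a SIM change performed from that same workstation by that same user shortly afterwards. The following detection script is an added example, not code from the original article, Motherboard or any operator; the log format, host names, user names, numbers, ICCIDs, the process image name and the session window are all constructed assumptions, and only Splashtop in the product list comes from the article.

```python
import re
from datetime import datetime, timedelta

# Remote-support products whose presence on a subscriber-provisioning workstation is
# itself suspicious. Splashtop is the tool the article names; the other two entries
# are assumptions added for illustration, not taken from the source.
REMOTE_ACCESS_PRODUCTS = {"splashtop", "anydesk", "teamviewer"}

# Assumed window: after a remote-access tool starts, treat the host as possibly under
# remote control for this long (tune to real session telemetry if you have it).
SESSION_WINDOW = timedelta(hours=4)

# Constructed log format: "<ISO-8601 UTC timestamp> <source> key=value key=value ..."
# with source "endpoint" (EDR/process telemetry) or "provisioning" (audit log of the
# number-transfer tool, e.g. QuickView or Opus in the article).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "src": m["src"]}
    ev.update(KV_RE.findall(m["kv"]))
    return ev


def correlate(lines):
    """Run two rules over the lines in timestamp order and return the alerts.

    Rule 1 (medium): a remote-access product started on an employee workstation.
    Rule 2 (high):   a SIM change performed by the same user from the same host
                     within SESSION_WINDOW of such a start, i.e. the change may have
                     been typed by whoever is on the other end of the session.
    """
    alerts = []
    remote_started = {}  # (host, user) -> time the latest remote tool started
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev.get("host"), ev.get("user"))
        if ev["src"] == "endpoint" and ev.get("event") == "process_start":
            if ev.get("product", "").lower() in REMOTE_ACCESS_PRODUCTS:
                remote_started[key] = ev["ts"]
                alerts.append({"severity": "medium",
                               "rule": "remote_access_tool_started",
                               "host": ev["host"], "user": ev["user"],
                               "product": ev["product"], "ts": ev["ts"]})
        elif ev["src"] == "provisioning" and ev.get("action") == "sim_change":
            started = remote_started.get(key)
            if started is not None and ev["ts"] - started <= SESSION_WINDOW:
                alerts.append({"severity": "high",
                               "rule": "sim_change_during_remote_session",
                               "host": ev["host"], "user": ev["user"],
                               "msisdn": ev["msisdn"], "ts": ev["ts"],
                               "remote_tool_started_at": started})
    return alerts


def flagged_msisdns(lines):
    """Subscriber numbers whose SIM change happened during a remote-access session."""
    return sorted(a["msisdn"] for a in correlate(lines) if a["severity"] == "high")


# Constructed sample telemetry: hosts, users, numbers, ICCIDs and the image name are
# all made up for this example. The first line is a legitimate change with no remote
# tool involved; the last one is by the same user but long after the session window.
SAMPLE_LOG = [
    "2020-01-15T13:55:02Z provisioning host=WS-2210 user=asmith action=sim_change msisdn=+15550002222 new_iccid=8901410000000000001",
    "2020-01-15T14:02:11Z endpoint host=WS-4471 user=jdoe event=process_start image=SRServer.exe product=Splashtop",
    "2020-01-15T14:20:45Z provisioning host=WS-4471 user=jdoe action=sim_change msisdn=+15550001234 new_iccid=8901410000000000002",
    "2020-01-15T14:23:09Z provisioning host=WS-4471 user=jdoe action=sim_change msisdn=+15550005678 new_iccid=8901410000000000003",
    "2020-01-16T09:00:00Z provisioning host=WS-4471 user=jdoe action=sim_change msisdn=+15550009999 new_iccid=8901410000000000004",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"].upper(), a["rule"], a.get("msisdn", a.get("product")), a["ts"])
```

On the sample above this produces one medium alert for the Splashtop start and two high alerts for the two changes made from WS-4471 while it was plausibly under remote control; the legitimate change by asmith and the next-day change fall through. The weak point of this rule is the assumed window: if your EDR also reports session end events, replace the fixed window with the real session lifetime, and consider blocking the provisioning tool outright while any unsanctioned remote-access process is running.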

Representatives of the operators do not deny this. AT&T said it was aware of this specific scheme and had taken steps to prevent similar incidents in the future. T-Mobile and Sprint also confirmed that they know about SIM hijacking via remote-access software, but for security reasons did not disclose the protective measures taken. Verizon did not comment.

Conclusions


What conclusions can be drawn from all this, without resorting to foul language? On the one hand, I'm glad that users have become more educated, since criminals have switched to company employees. On the other hand, data security is still lacking. Articles about fraud committed by SIM swapping have appeared on Habr and elsewhere. So the most effective way to protect your data is to refuse to hand it over anywhere. Alas, that is almost impossible.

Source: https://habr.com/ru/post/undefined/