Image:
Shutterstock.com
Three
different
cybercriminal
groups
claimed
access
to
internal
networks
at
communications
giant
T-Mobile
in
more
than
100
separate
incidents
throughout
2022,
new
data
suggests.
In
each
case,
the
goal
of
the
attackers
was
the
same:
Phish
T-Mobile
employees
for
access
to
internal
company
tools,
and
then
convert
that
access
into
a
cybercrime
service
that
could
be
hired
to
divert
any
T-Mobile
user’s
text
messages
and
phone
calls
to
another
device.
The
conclusions
above
are
based
on
an
extensive
analysis
of
Telegram
chat
logs
from
three
distinct
cybercrime
groups
or
actors
that
have
been
identified
by
security
researchers
as
particularly
active
in
and
effective
at
“SIM-swapping,”
which
involves
temporarily
seizing
control
over
a
target’s
mobile
phone
number.
Countless
websites
and
online
services
use
SMS
text
messages
for
both
password
resets
and
multi-factor
authentication.
This
means
that
stealing
someone’s
phone
number
often
can
let
cybercriminals
hijack
the
target’s
entire
digital
life
in
short
order
—
including
access
to
any
financial,
email
and
social
media
accounts
tied
to
that
phone
number.
All
three
SIM-swapping
entities
that
were
tracked
for
this
story
remain
active
in
2023,
and
they
all
conduct
business
in
open
channels
on
the
instant
messaging
platform
Telegram.
KrebsOnSecurity
is
not
naming
those
channels
or
groups
here
because
they
will
simply
migrate
to
more
private
servers
if
exposed
publicly,
and
for
now
those
servers
remain
a
useful
source
of
intelligence
about
their
activities.
Each
advertises
their
claimed
access
to
T-Mobile
systems
in
a
similar
way.
At
a
minimum,
every
SIM-swapping
opportunity
is
announced
with
a
brief
“Tmobile
up!”
or
“Tmo
up!”
message
to
channel
participants.
Other
information
in
the
announcements
includes
the
price
for
a
single
SIM-swap
request,
and
the
handle
of
the
person
who
takes
the
payment
and
information
about
the
targeted
subscriber.
The
information
required
from
the
customer
of
the
SIM-swapping
service
includes
the
target’s
phone
number,
and
the
serial
number
tied
to
the
new
SIM
card
that
will
be
used
to
receive
text
messages
and
phone
calls
from
the
hijacked
phone
number.
Initially,
the
goal
of
this
project
was
to
count
how
many
times
each
entity
claimed
access
to
T-Mobile
throughout
2022,
by
cataloging
the
various
“Tmo
up!”
posts
from
each
day
and
working
backwards
from
Dec.
31,
2022.
But
by
the
time
we
got
to
claims
made
in
the
middle
of
May
2022,
completing
the
rest
of
the
year’s
timeline
seemed
unnecessary.
The
tally
shows
that
in
the
last
seven-and-a-half
months
of
2022,
these
groups
collectively
made
SIM-swapping
claims
against
T-Mobile
on
104
separate
days
—
often
with
multiple
groups
claiming
access
on
the
same
days.
The
104
days
in
the
latter
half
of
2022
in
which
different
known
SIM-swapping
groups
claimed
access
to
T-Mobile
employee
tools.
KrebsOnSecurity
shared
a
large
amount
of
data
gathered
for
this
story
with
T-Mobile.
The
company
declined
to
confirm
or
deny
any
of
these
claimed
intrusions.
But
in
a
written
statement,
T-Mobile
said
this
type
of
activity
affects
the
entire
wireless
industry.
“And
we
are
constantly
working
to
fight
against
it,”
the
statement
reads.
“We
have
continued
to
drive
enhancements
that
further
protect
against
unauthorized
access,
including
enhancing
multi-factor
authentication
controls,
hardening
environments,
limiting
access
to
data,
apps
or
services,
and
more.
We
are
also
focused
on
gathering
threat
intelligence
data,
like
what
you
have
shared,
to
help
further
strengthen
these
ongoing
efforts.”
TMO
UP!
While
it
is
true
that
each
of
these
cybercriminal
actors
periodically
offer
SIM-swapping
services
for
other
mobile
phone
providers
—
including
AT&T,
Verizon
and
smaller
carriers
—
those
solicitations
appear
far
less
frequently
in
these
group
chats
than
T-Mobile
swap
offers.
And
when
those
offers
do
materialize,
they
are
considerably
more
expensive.
The
prices
advertised
for
a
SIM-swap
against
T-Mobile
customers
in
the
latter
half
of
2022
ranged
between
USD
$1,000
and
$1,500,
while
SIM-swaps
offered
against
AT&T
and
Verizon
customers
often
cost
well
more
than
twice
that
amount.
To
be
clear,
KrebsOnSecurity
is
not
aware
of
specific
SIM-swapping
incidents
tied
to
any
of
these
breach
claims.
However,
the
vast
majority
of
advertisements
for
SIM-swapping
claims
against
T-Mobile
tracked
in
this
story
had
two
things
in
common
that
set
them
apart
from
random
SIM-swapping
ads
on
Telegram.
First,
they
included
an
offer
to
use
a
mutually
trusted
“middleman”
or
escrow
provider
for
the
transaction
(to
protect
either
party
from
getting
scammed).
More
importantly,
the
cybercriminal
handles
that
were
posting
ads
for
SIM-swapping
opportunities
from
these
groups
generally
did
so
on
a
daily
or
near-daily
basis
—
often
teasing
their
upcoming
swap
events
in
the
hours
before
posting
a
“Tmo
up!”
message
announcement.
In
other
words,
if
the
crooks
offering
these
SIM-swapping
services
were
ripping
off
their
customers
or
claiming
to
have
access
that
they
didn’t,
this
would
be
almost
immediately
obvious
from
the
responses
of
the
more
seasoned
and
serious
cybercriminals
in
the
same
chat
channel.
There
are
plenty
of
people
on
Telegram
claiming
to
have
SIM-swap
access
at
major
telecommunications
firms,
but
a
great
many
such
offers
are
simply
four-figure
scams,
and
any
pretenders
on
this
front
are
soon
identified
and
banned
(if
not
worse).
One
of
the
groups
that
reliably
posted
“Tmo
up!”
messages
to
announce
SIM-swap
availability
against
T-Mobile
customers
also
reliably
posted
“Tmo
down!”
follow-up
messages
announcing
exactly
when
their
claimed
access
to
T-Mobile
employee
tools
was
discovered
and
revoked
by
the
mobile
giant.
A
review
of
the
timestamps
associated
with
this
group’s
incessant
“Tmo
up”
and
“Tmo
down”
posts
indicates
that
while
their
claimed
access
to
employee
tools
usually
lasted
less
than
an
hour,
in
some
cases
that
access
apparently
went
undiscovered
for
several
hours
or
even
days.
TMO
TOOLS
How
could
these
SIM-swapping
groups
be
gaining
access
to
T-Mobile’s
network
as
frequently
as
they
claim?
Peppered
throughout
the
daily
chit-chat
on
their
Telegram
channels
are
solicitations
for
people
urgently
needed
to
serve
as
“callers,”
or
those
who
can
be
hired
to
social
engineer
employees
over
the
phone
into
navigating
to
a
phishing
website
and
entering
their
employee
credentials.
Allison
Nixon
is
chief
research
officer
for
the
New
York
City-based
cybersecurity
firm
Unit
221B.
Nixon
said
these
SIM-swapping
groups
will
typically
call
employees
on
their
mobile
devices,
pretend
to
be
someone
from
the
company’s
IT
department,
and
then
try
to
get
the
person
on
the
other
end
of
the
line
to
visit
a
phishing
website
that
mimics
the
company’s
employee
login
page.
Nixon
argues
that
many
people
in
the
security
community
tend
to
discount
the
threat
from
voice
phishing
attacks
as
somehow
“low
tech”
and
“low
probability”
threats.
“I
see
it
as
not
low-tech
at
all,
because
there
are
a
lot
of
moving
parts
to
phishing
these
days,”
Nixon
said.
“You
have
the
caller
who
has
the
employee
on
the
line,
and
the
person
operating
the
phish
kit
who
needs
to
spin
it
up
and
down
fast
enough
so
that
it
doesn’t
get
flagged
by
security
companies.
Then
they
have
to
get
the
employee
on
that
phishing
site
and
steal
their
credentials.”
In
addition,
she
said,
often
there
will
be
yet
another
co-conspirator
whose
job
it
is
to
use
the
stolen
credentials
and
log
into
employee
tools.
That
person
may
also
need
to
figure
out
how
to
make
their
device
pass
“posture
checks,”
a
form
of
device
authentication
that
some
companies
use
to
verify
that
each
login
is
coming
only
from
employee-issued
phones
or
laptops.
For
aspiring
criminals
with
little
experience
in
scam
calling,
there
are
plenty
of
sample
call
transcripts
available
on
these
Telegram
chat
channels
that
walk
one
through
how
to
impersonate
an
IT
technician
at
the
targeted
company
—
and
how
to
respond
to
pushback
or
skepticism
from
the
employee.
Here’s
a
snippet
from
one
such
tutorial
that
appeared
recently
in
one
of
the
SIM-swapping
channels:
“Hello
this
is
James
calling
from
Metro
IT
department,
how’s
your
day
today?”(yea
im
doing
good,
how
r
u)i’m
doing
great,
thank
you
for
askingi’m
calling
in
regards
to
a
ticket
we
got
last
week
from
you
guys,
saying
you
guys
were
having
issues
with
the
network
connectivity
which
also
interfered
with
[Microsoft]
Edge,
not
letting
you
sign
in
or
disconnecting
you
randomly.
We
haven’t
received
any
updates
to
this
ticket
ever
since
it
was
created
so
that’s
why
I’m
calling
in
just
to
see
if
there’s
still
an
issue
or
not….”
TMO
DOWN!
The
TMO
UP
data
referenced
above,
combined
with
comments
from
the
SIM-swappers
themselves,
indicate
that
while
many
of
their
claimed
accesses
to
T-Mobile
tools
in
the
middle
of
2022
lasted
hours
on
end,
both
the
frequency
and
duration
of
these
events
began
to
steadily
decrease
as
the
year
wore
on.
T-Mobile
declined
to
discuss
what
it
may
have
done
to
combat
these
apparent
intrusions
last
year.
However,
one
of
the
groups
began
to
complain
loudly
in
late
October
2022
that
T-Mobile
must
have
been
doing
something
that
was
causing
their
phished
access
to
employee
tools
to
die
very
soon
after
they
obtained
it.
One
group
even
remarked
that
they
suspected
T-Mobile’s
security
team
had
begun
monitoring
their
chats.
Indeed,
the
timestamps
associated
with
one
group’s
TMO
UP/TMO
DOWN
notices
show
that
their
claimed
access
was
often
limited
to
less
than
15
minutes
throughout
November
and
December
of
2022.
Whatever
the
reason,
the
calendar
graphic
above
clearly
shows
that
the
frequency
of
claimed
access
to
T-Mobile
decreased
significantly
across
all
three
SIM-swapping
groups
in
the
waning
weeks
of
2022.
SECURITY
KEYS
T-Mobile
US
reported
revenues
of
nearly
$80
billion
last
year.
It
currently
employs
more
than
71,000
people
in
the
United
States,
any
one
of
whom
can
be
a
target
for
these
phishers.
T-Mobile
declined
to
answer
questions
about
what
it
may
be
doing
to
beef
up
employee
authentication.
But
Nicholas
Weaver,
a
researcher
and
lecturer
at
University
of
California,
Berkeley’s
International
Computer
Science
Institute,
said
T-Mobile
and
all
the
major
wireless
providers
should
be
requiring
employees
to
use
physical
security
keys
for
that
second
factor
when
logging
into
company
resources.
A
U2F
device
made
by
Yubikey.
“These
breaches
should
not
happen,”
Weaver
said.
“Because
T-Mobile
should
have
long
ago
issued
all
employees
security
keys
and
switched
to
security
keys
for
the
second
factor.
And
because
security
keys
provably
block
this
style
of
attack.”
The
most
commonly
used
security
keys
are
inexpensive
USB-based
devices.
A
security
key
implements
a
form
of
multi-factor
authentication
known
as
Universal
2nd
Factor
(U2F),
which
allows
the
user
to
complete
the
login
process
simply
by
inserting
the
USB
key
and
pressing
a
button
on
the
device.
The
key
works
without
the
need
for
any
special
software
drivers.
The
allure
of
U2F
devices
for
multi-factor
authentication
is
that
even
if
an
employee
who
has
enrolled
a
security
key
for
authentication
tries
to
log
in
at
an
impostor
site,
the
company’s
systems
simply
refuse
to
request
the
security
key
if
the
user
isn’t
on
their
employer’s
legitimate
website,
and
the
login
attempt
fails.
Thus,
the
second
factor
cannot
be
phished,
either
over
the
phone
or
Internet.
THE
ROLE
OF
MINORS
IN
SIM-SWAPPING
Nixon
said
one
confounding
aspect
of
SIM-swapping
is
that
these
criminal
groups
tend
to
recruit
teenagers
to
do
their
dirty
work.
“A
huge
reason
this
problem
has
been
allowed
to
spiral
out
of
control
is
because
children
play
such
a
prominent
role
in
this
form
of
breach,”
Nixon
said.
Nixon
said
SIM-swapping
groups
often
advertise
low-level
jobs
on
places
like
Roblox
and
Minecraft,
online
games
that
are
extremely
popular
with
young
adolescent
males.
“Statistically
speaking,
that
kind
of
recruiting
is
going
to
produce
a
lot
of
people
who
are
underage,”
she
said.
“They
recruit
children
because
they’re
naive,
you
can
get
more
out
of
them,
and
they
have
legal
protections
that
other
people
over
18
don’t
have.”
For
example,
she
said,
even
when
underage
SIM-swappers
are
arrested,
the
offenders
tend
to
go
right
back
to
committing
the
same
crimes
as
soon
as
they’re
released.
In
January
2023,
T-Mobile
disclosed
that
a
“bad
actor”
stole
records
on
roughly
37
million
current
customers,
including
their
name,
billing
address,
email,
phone
number,
date
of
birth,
and
T-Mobile
account
number.
In
August
2021,
T-Mobile
acknowledged
that
hackers
made
off
with
the
names,
dates
of
birth,
Social
Security
numbers
and
driver’s
license/ID
information
on
more
than
40
million
current,
former
or
prospective
customers
who
applied
for
credit
with
the
company.
That
breach
came
to
light
after a
hacker
began
selling
the
records
on
a
cybercrime
forum.
In
the
shadow
of
such
mega-breaches,
any
damage
from
the
continuous
attacks
by
these
SIM-swapping
groups
can
seem
insignificant
by
comparison.
But
Nixon
says
it’s
a
mistake
to
dismiss
SIM-swapping
as
a
low
volume
problem.
“Logistically,
you
may
only
be
able
to
get
a
few
dozen
or
a
hundred
SIM-swaps
in
a
day,
but
you
can
pick
any
customer
you
want
across
their
entire
customer
base,”
she
said.
“Just
because
a
targeted
account
takeover
is
low
volume
doesn’t
mean
it’s
low
risk.
These
guys
have
crews
that
go
and
identify
people
who
are
high
net
worth
individuals
and
who
have
a
lot
to
lose.”
Nixon
said
another
aspect
of
SIM-swapping
that
causes
cybersecurity
defenders
to
dismiss
the
threat
from
these
groups
is
the
perception
that
they
are
full
of
low-skilled
“script
kiddies,”
a
derisive
term
used
to
describe
novice
hackers
who
rely
mainly
on
point-and-click
hacking
tools.
“They
underestimate
these
actors
and
say
this
person
isn’t
technically
sophisticated,”
she
said.
“But
if
you’re
rolling
around
in
millions
worth
of
stolen
crypto
currency,
you
can
buy
that
sophistication.
I
know
for
a
fact
some
of
these
compromises
were
at
the
hands
of
these
‘script
kiddies,’
but
they’re
not
ripping
off
other
people’s
scripts
so
much
as
hiring
people
to
make
scripts
for
them.
And
they
don’t
care
what
gets
the
job
done,
as
long
as
they
get
to
steal
the
money.”
About Author
