To achieve their goal, cybercriminals use darknet forums, threats and social engineering, exploiting the mistakes of American providers.
On the night of September, 2017, Salt Lake City resident Rachel Ostlund was getting ready for bed as usual when she received a phone notification that her SIM card had been “updated”. Puzzled, she checked her personal email and found dozens of password-change notifications from different accounts that used two-factor authentication through the phone.
Her fears were confirmed: she had become a victim of intruders who use cunning and threats to hack and resell social-network accounts, mostly Instagram ones. The attackers' main tool is the victim’s phone number: knowing it, they use social engineering to convince a provider representative to transfer the number to a duplicate SIM card. This is enough to steal accounts, bank data and cryptocurrency, which are then resold on secret forums. Motherboard looked into the details of this underground business.
How a phone number is used against its owners
In February 2018, the German telecommunications group of companies T-Mobile sent a mass warning to customers about the risk of accounts being hacked by means of a SIM card. The scheme works as follows: the attacker learns the victim's mobile number, calls the service center and poses as the number's owner. He explains that he has “lost” the SIM card and asks to have the phone number transferred to a new one, purchased in advance.
According to the rules, the consultant should then ask for proof that the caller really is the owner of the number. In the United States, a date of birth or home address is sufficient in some cases, and intruders posing as the victim take advantage of this. If the service center accepts the request and transfers the number to the duplicate SIM card, the attacker regains access to the victim's social-network accounts and bank data by using two-factor authentication tied to the phone number.
After this, a new stage begins: the sale of the stolen accounts. Among social networks, Instagram profiles hold a special place. One of the largest and most active “shops” for buying pages is the OGUSERS forum. It was launched in April 2017 and has since become a popular place for those who need to sell “gangsta” accounts (OG – original gangster). This is the name for accounts with colorful and unique user names such as “Sex”, “Infinity” and “Rainbow”, or with very short logins such as “t” and “ty”.
According to the administrators, in the spring of 2018 the Instagram account with the @Bitcoin login was sold on OGUSERS for 20 thousand dollars, and the user name “Infinity” is valued at one thousand dollars. Accounts of popular bloggers and celebrities are also targeted. In August 2017, unknown people hacked the profile of Selena Gomez (125 million subscribers at that time) and changed the name of the page to “Islah”, the name of an active OGUSERS user who, according to reports on the forum, runs a separate group of intruders.
Scope of the problem
According to the two moderators of the forum, hacking accounts with a duplicate SIM card is never openly discussed on OGUSERS, but among members of the forum it is a common way to steal accounts. In addition, the attackers' toolkit includes the darknet site Doxagram, which sells the phone number and email address behind a given Instagram account for $10. The resource appeared after a high-profile leak of user data from the social network in 2017.
“It used to be [hacking accounts through a duplicate SIM card – Ed.] as easy as just calling the phone company and asking to change the SIM card on your mobile phone. Now you need to know the people who work in the company, and pay $100 for cooperation,” says OGUSERS in a conversation with Motherboard.
Other sources familiar with the situation admit that many attackers pay 80-100 dollars to employees of communication companies for transferring a mobile number to a new SIM card. “It’s always easier and faster with your people inside the company,” one of the forum’s users said. Two moderators of the site, Thug and Ace, said that they feel no remorse about break-ins and the resale of accounts, cryptocurrency wallets or bank data.
“I take their money and live my life. They themselves are to blame for not having monitored the security,” says Ace.
Moderator Thug justifies his actions by saying that they do not harm anyone when they steal Instagram accounts, but only take away user names. At the same time, Andrei Barysevich, a cyber-security specialist at the technology company Recorded Future, admits that break-ins using duplicate SIM cards can earn “a lot of money”.
In August 2017, users of Coinbase, one of the largest crypto-exchanges, were hit by several high-profile attacks in which cryptocurrency was stolen. In total, the attackers stole several million dollars after gaining access to the victims’ mobile numbers through duplicate SIM cards. The funds could not be returned.
Countermeasures
AT&T, Verizon, Sprint and T-Mobile, all four US Internet giants, have acknowledged that a scheme for stealing mobile numbers exists. However, none of the companies disclosed the number of victims among their customers. AT&T called the number of victims “small and rare,” and a representative of T-Mobile said that the company has strengthened security measures to protect customers. The company asked users to set a password that must be given to the consultant when requesting a SIM-card change. No similar system was reported at the other companies.
In March 2018, AT&T, Verizon, Sprint and T-Mobile announced the creation of a “revolutionary” security system that would fix the problems and risks of two-factor authentication. However, nothing new has emerged about the initiative since then, and the details of how it works are unknown. Moreover, it is unclear how it could remedy the theft of SIM cards.
Like the communications giants, the FBI either does not keep statistics on the number of victims of duplicate SIM cards or does not want to disclose them. The media are not sure that the authorities keep such records at all.
Many victims of these attacks failed to regain their lost accounts, and some also lost money from their bank cards. The story of Rachel Ostlund went differently. Shortly after the theft, an unknown person called her and threatened “big problems” if she did not hand over the credentials for her Instagram and Twitter profiles with the Rainbow login. They were not tied to the phone number, so the attacker could not access them himself.
“Immediately change the email address on Twitter. I do not want to sound like a freak, but if you do not answer quickly, soon bad things will start to happen to you,” said the message that the unknown person sent Ostlund. When someone called a second time, the police were already in her house. The patrolmen listened to the victim, but looked puzzled and did not say anything useful. With the support of T-Mobile, she did manage to regain control of the mobile number, but by that time the attacker already controlled the Instagram account he wanted.
September 2018 will mark a year since that theft. Presumably, the account is still under the control of a member of the OGUSERS forum, who introduced himself as an 18-year-old participant in “hacker groups”. It is not known how reliable this information is. Another alleged attacker who took part in hacking Ostlund's account went by the name Austin. According to her, the FBI managed to track him down in Colorado Springs and “scare” him, so he will not steal accounts anymore. How true this is, is difficult to say, since federal agents rarely give the press details of investigations.
How vulnerable are SIM cards in Russia?
All major Russian communication operators, including MegaFon, MTS, Beeline and Tele2, provide a SIM-card replacement service, which theoretically allows an attacker to obtain a duplicate. However, unlike in the US, the owner's passport data are needed to file a replacement request. The data cannot be confirmed over the phone: you need to come to the service center or submit an online application that includes the passport data.
There is an alternative option, self-duplication of the SIM card, but this requires additional tools that are not readily available:
- A SIM-card duplicator (similar to a card reader);
- A “clean” SIM card from the same provider. Most likely, intruders will have to look for an old card from the early 2000s, since modern ones are protected from duplication;
- Additional programs for creating a duplicate. Many of them do not work on modern operating systems.
On thematic forums, you can find individual enthusiasts who create duplicate SIM cards to order. In Moscow, prices for such services are around 1000-1500 rubles, but, according to forum participants, it often works only with “Beeline” SIM cards. At the same time, creating a duplicate still requires having the original card in hand, which greatly complicates the work of intruders.
In a conversation with , MegaFon’s press office said that the company had not previously encountered cloning of SIM cards. According to the company's representative, the authenticity of each card is confirmed by the encryption key “Ki”, stored on the card and in the operator's database. That is, for successful copying the attacker would need to copy not only the SIM card with its unique number, but also the key “Ki”.
We can say that modern encryption methods exclude the possibility of cloning SIM cards.
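A simplified model of the Ki check described above, added here as an illustration and not taken from MegaFon or any other operator: HMAC-SHA256 stands in for the real SIM authentication algorithm, and the class names, card IDs and phone number are constructed. It also shows why the number-transfer scheme from the first half of the article does not need cloning at all: a replacement card issued by the operator has its own valid Ki, and the operator's database is what binds the number to a card.

```python
import hashlib
import hmac
import secrets


def response(ki: bytes, rand: bytes) -> bytes:
    # HMAC-SHA256 stands in for the operator's real authentication algorithm.
    return hmac.new(ki, rand, hashlib.sha256).digest()


class Sim:
    def __init__(self, card_id: str, ki: bytes):
        self.card_id = card_id  # the card's unique number (readable)
        self._ki = ki           # secret key, never leaves the card

    def answer(self, rand: bytes) -> bytes:
        return response(self._ki, rand)


class Operator:
    def __init__(self):
        self.ki_db = {}    # card_id -> Ki
        self.numbers = {}  # phone number -> card_id

    def issue_sim(self, card_id: str) -> Sim:
        ki = secrets.token_bytes(16)
        self.ki_db[card_id] = ki
        return Sim(card_id, ki)

    def assign_number(self, number: str, sim: Sim) -> None:
        # The step a SIM-replacement request triggers: re-bind number to a card.
        self.numbers[number] = sim.card_id

    def receives_sms(self, number: str, sim: Sim) -> bool:
        ki = self.ki_db.get(sim.card_id)
        if ki is None or self.numbers.get(number) != sim.card_id:
            return False
        rand = secrets.token_bytes(16)  # fresh challenge per attempt
        return hmac.compare_digest(sim.answer(rand), response(ki, rand))


def demo() -> dict:
    op, number = Operator(), "+10000000000"  # constructed number
    original = op.issue_sim("card-0001")
    op.assign_number(number, original)
    clone = Sim("card-0001", secrets.token_bytes(16))  # copied number, no Ki
    replacement = op.issue_sim("card-0002")
    out = {"original": op.receives_sms(number, original),
           "clone_without_ki": op.receives_sms(number, clone)}
    op.assign_number(number, replacement)  # replacement approved by operator
    out["replacement"] = op.receives_sms(number, replacement)
    out["original_after"] = op.receives_sms(number, original)
    return out
```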
Representatives of Beeline rejected the technical community's view that the company's SIM cards are the easiest to crack and duplicate. The press service said that none of Beeline’s clients had ever complained that someone had duplicated their SIM card.
“VimpelCom” (the owner of “Beeline” – note) has long been buying USIM-cards with a reliable authentication algorithm, hacking which has not been fixed at the moment. We also have special information security measures that exclude potential data leakage from SIM-card providers.
Representatives of Tele2 did not respond to a request for comment. The press service of MTS explained to the edition that “there are no vulnerabilities” in “modern SIM-cards”, and that a card can be replaced only in a carrier's store or in the personal presence of the contract holder.