New evidence reveals that over the course of 2022, three distinct cybercriminal groups gained access to the internal networks of the communications giant T-Mobile in more than one hundred separate instances. In each instance, the attackers wanted to accomplish the same thing: phishing T-Mobile employees for access to internal company tools, and then converting that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.
The aforementioned findings are the result of an in-depth investigation of the Telegram conversation logs of three separate cybercrime groups or actors. These groups or actors have been recognized by security experts as being very active in and successful at a technique known as “SIM-swapping.” This technique entails temporarily gaining control of a target’s mobile phone number.
A large number of websites and online services use SMS text messages both for password resets and for multi-factor authentication. This means that gaining control of someone’s phone number can often give hackers the ability to take over the target’s whole digital life in a short amount of time, including any banking, email, or social media accounts that are linked to that phone number.
Although it is true that each of these cybercriminal actors occasionally offers SIM-swapping services for other mobile phone providers, such as AT&T, Verizon, and smaller carriers, the frequency with which these solicitations appear in these group chats is significantly lower than the frequency with which T-Mobile swap offers do. When such offers do finally materialize, however, they come at a significant premium in price.
During the latter part of 2022, the prices listed for a SIM-swap against T-Mobile users were between USD $1,000 and $1,500, while the prices posted for SIM-swaps against AT&T and Verizon customers were often well over twice that amount.
In 2023, each of the three SIM-swapping operations investigated for this article is still operational, and they all conduct their business in public channels on the instant messaging network Telegram. KrebsOnSecurity shared a substantial portion of the information it had obtained with T-Mobile. The company neither confirmed nor denied any of these purported intrusions, choosing instead not to comment on them. T-Mobile did say in a written statement, however, that this kind of activity affects the whole of the cellular sector that it is a part of.
T-Mobile made the announcement in January 2023 that a “bad actor” had stolen details on around 37 million of the company’s active customers. These records included the consumers’ names, billing addresses, email addresses, phone numbers, dates of birth, and T-Mobile account numbers.
T-Mobile admitted in August 2021 that hackers had stolen the names, dates of birth, Social Security numbers, and driver’s license or ID information of more than 40 million current, former, or prospective customers who had applied for credit with the company. The breach came to light when a hacker started selling the information on a cybercrime forum.
Next to mega-breaches like these, any harm caused by the constant attacks carried out by these SIM-swapping gangs may seem inconsequential.