As two-factor authentication becomes more popular, threat actors have proven once again how this security feature can be exploited if not implemented properly.
Kaspersky researchers uncovered large-scale SIM swap fraud operations targeting users in both the Portugese-speaking nations of Brazil and Mozambique were able to use social engineering, bribery, and simple phishing attacks to ultimately steal money from victims.
Threat actors carried out these attacks by taking control of a victim’s phone number by hijacking accounts and intercepting two factor authentication methods in which the second authentication factor is a SMS message or a call placed to the mobile number, according to an April 11 blog post.
The scam begins with cybercriminals collecting reconnaissance information on the target using phishing emails, data purchased data from organized crime groups, and social engineering attacks before ultimately contacting the victim’s provider to claim that their phone has been lost or stolen.
Cybercriminals use the pilfered information to convince telephone providers to authorize and transfer and activate the number on a new SIM provider. The threat actor will then be able to access all one-time passwords and authentication codes sent to the user’s device.
Threat actors often then turn to bank accounts to transfer money or even apps such as WhatApp which allow users to send money within the platform to steal money from users.
Researchers noted these attacks are especially easy to carry out in markets where providers only ask for simple information to validate a customer’s identity as fraudsters can easily find this information on social media or by simply looking up the victim up online. These attacks can also be carried out against the cellular carriers.
“Sometimes the target is the carrier, and not the customer,” researchers said in the report. “This happens when a carrier’s employees working in branches in small cities are sometimes unable to identify a fraudulent or adulterated document, especially branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card.”
Researchers also noted attacks carried out by insider threats or corrupt employees who accept between $10 and $40 to carry out SIM swaps for normal people while swaps for celebrities or politicians may cost thousands of dollars.
There are a few ways to combat this threat as researchers pointed out that in Mozambique where mobile operators made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period in which the bank decides how to act on the alert.
In addition, researcher recommend mobile operators that rely on legacy protocols update their methods since because by today’s standards phone and SMS authentication measures are no longer considered a secure method of authenticity for protecting high-value information such as bank accounts.
Users should avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token.