SIM Swap Fraud is Nothing to “Chuckle” About

Jack Dorsey’s Twitter account was just one benign example. SIM swap attacks are actually widespread, and highly destructive.

Christopher Watkins
DataVisor
3 min read · Sep 3, 2019


The world got a chance to chuckle a bit recently when it emerged that Jack Dorsey’s own Twitter account was hacked. Jack Dorsey is, of course, the CEO and Co-Founder of the social media giant, and at first glance, there was a certain ironic delight in seeing him victimized on his own platform.

That laughter quieted quickly, however, as details about the hack emerged. It turns out it was the work of a group of hackers that have been targeting a number of high-profile influencers on social media, as reported on by Quartz:

“Calling themselves the “Chuckling Squad,” the hackers tweeted the n-word and Nazi propaganda, as well as a bomb threat directed at Twitter’s headquarters, over the course of about 20 minutes. In the past week, the hacking collective also appears to have targeted YouTubers Shane Dawson and James Charles, among others.”

By all accounts, this appears to have largely been some sort of publicity stunt, with the end result being a combination of press coverage for the hackers and some embarrassment and confusion for both the victims and those in their social networks.

If that were all one could expect from a SIM swap attack, there would be only so much concern. Unfortunately, that’s not the case. SIM swap attacks have the potential to be seriously damaging.

What Is SIM Swap Fraud?

As detailed on DataVisor’s Digital Fraud WIKI, SIM swapping is “a simple form of account takeover fraud that involves deceiving a service provider into transferring an existing phone number to a new phone.” These attacks involve several different malicious actions and strategies. Successfully convincing a service provider that you’re the legitimate owner of a number requires having enough personal data to pass verification processes. Techniques for obtaining this data include:

  • Dark Web purchases: Fraudsters can purchase data stolen in breaches.
  • Phishing: Fraudsters can use fraudulent and deceptive emails to trick victims into providing details.
  • Social Engineering: Fraudsters can abuse trust to convince victims they’re communicating with a legitimate authority, and thereby deceive them into providing personal details.

Relying on illicitly obtained personal details, the fraudster will then deceive a provider into transferring the victim’s number to their phone. As detailed in a recent post from WIRED, once this step has succeeded, the real trouble begins:

“In a SIM swap, a hacker either convinces or bribes a carrier employee to switch the number associated with a SIM card to another device, at which point they can intercept any two-factor authentication codes sent by text message.”

Given the extensive reliance on Two-Factor Authentication (2FA) across industries, the thought of all those access codes falling into fraudulent hands is terrifying.

One of the more potent cautionary tales to emerge in recent times comes from Matthew Miller, a contributing author to ZDNet, who describes in detail the damage control he had to engage in after suffering a SIM swap attack. As the after-effects played out, the attack impacted not just his Twitter account, but also his Google accounts, and ultimately, even his bank account:

“Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money. While my wife was concerned about my lost Twitter and Google account, it wasn’t until the criminal used my bank account to purchase $25,000 in Bitcoin that she went ballistic.”

Modern digital fraud happens at scale. It has to. Committing fraud one account at a time is too slow, and the odds are too low. Plus, most fraud attacks on their own produce very little profit. However, through coordinated efforts that leverage thousands — even hundreds of thousands — of accounts simultaneously, fraudsters up their odds, and increase their profits. In the case of something like a SIM swap attack, it only takes one success to open the floodgates.

So while the Dorsey hack was indeed a bit chuckle-worthy for those who like to see giants stumble, it’s important to remember that most fraudsters aren’t out for publicity. They’re out for money, and the more hidden their actions, the more successful their attacks.
