THE BUSINESS OF SIM SWAPPING OLAKANMI OLUWOLE - Insights from Nigeria, Africa and beyond

Olakanmi Oluwole

April 27, 2023

Transcript

  1. Our mission

    To monitor and alert users of immediate risk using a tactical approach, research, analyze and monitor the technical developments of various cyber trends and threat-actors in the following fields:
  2. How we are doing it

    We gather massive amounts of data using various sources such as publicly available web references, social media channels and the deep dark web using a wide range of honey-pot techniques.
  3. OUTLINE

    1. Introduction to SIM Swap
    2. How it works
    3. Key Findings
    4. Business in Nigeria, Africa & beyond
       a) Timeline of cases in Nigeria
       b) Cases within Nigeria
       c) Cases involving Nigerians outside Nigeria
       d) Cases in Africa
       e) Interesting cases worldwide
    5. How to protect yourself as
       a) An individual
       b) A business
       c) Victim
    6. Conclusion
  4. INTRODUCTION TO SIM SWAP

    SIM swapping involves deceiving a mobile provider (usually through social engineering) into transferring a victim's phone number to a SIM card controlled by a cybercriminal. Once the SIM card has been activated, a cybercriminal controls the phone number and can reset victim passwords and take control of social media, online banking, and cryptocurrency accounts, etc. In some instances, even security measures such as two-factor authentication (2FA) can be bypassed.

    Among the primary targets for cybercriminals are organizations and services in telecommunications, banking, financial institutions, cryptocurrency and information technology.
  5. A SIM-swapping attack requires threat actors to collect as much information as possible regarding a potential victim using the following attack vectors:

    • OSINT (Open Source Intelligence)
    • Social engineering
    • Phishing
    • Purchase of compromised PII data on dark web forums, marketplaces, and shops
    • Insider threats

    TECHNIQUE

    The primary steps to perform a successful SIM swapping attack through social engineering techniques are as follows:

    • Identify the phone number of the victim and their PII
    • Call the carrier to report the loss of the phone to block the SIM card.
    • Carriers transfer the phone number to the controlled SIM card.

    In this case, the attacker can use the SIM card on a separate mobile device and still maintain access to the victim’s contact list, make and receive phone calls, and send short message service (SMS) messages. By intercepting SMS verification codes, cybercriminals gain access to most multi-factor authentication methods used by financial organizations.
  6. SIM PORTING

    This is a tactic by which cybercriminals transfer a phone number from one carrier to another without the need to change the SIM card. Attackers will obtain user information via phishing and reconnaissance (using open sources, leaked databases, dark web forums, and marketplaces) and then use it to convince the victim’s carrier to transfer or “port” the victim’s number to the phone in the attacker’s possession. We observed cybercriminals showing interest in SIM porting; however, its popularity is significantly less than SIM Swapping.
  7. “Among the primary targets for cybercriminals are organizations and services in telecommunications, banking, financial, cryptocurrency, and information technology (IT)”

    Image Source: PrivacyPros
  8. KEY FINDINGS

    • Threat actors advertise and request SIM swapping services
    • Cybercriminals primarily advertise and sell SIM swapping tutorials and how-to guides on dark web marketplaces
    • Typical prices for SIM swapping how-to guides and tutorials range between $40 and $200; however, in rare cases, they can reach up to several thousand US dollars
    • How-to guides on SIM-swapping, for sale or freely available, outline some of the most popular TTPs for SIM-swapping attacks. They show how to stay anonymous, outline how to gather intelligence on the carrier to conduct a social engineering attack (including test calls), and give advice on purchasing compromised PII on the targeted victim and acquiring SIM cards
  9. “We believe that insider threats, in which threat actors receive assistance from an employee of an organization that can assign the phone number to a different SIM, are currently one of the most popular and successful ways to perform SIM swapping attacks”
  10. CASE 1 - EFCC Arrests Three for Seven Million SIM Swap Fraud

    Arrested on September 9, 2019, following intelligence about their activities. The petitioner alleged that on 18th of February 2018, he noticed his MTN line had stopped working, as no calls or messages came to his phone and the phone displayed a message saying 'invalid SIM card'. The threshold limit for online transfers on his account had also been increased above five hundred thousand Naira, and the sum of seven million, one hundred and seven thousand, five hundred and forty Naira (N7,107,540.00) was removed from his account.

    Adewuyi A. Adebayo, 31; Osikoya K. Gboyega, 44; Akintunde Ogunrinde, 47
  11. CASE 2 - EFCC Arrests fake Military Officer & SIM Swap Fraud Operator

    Arrested January 3, 2019, at Ayara street, Nungu Uko in Ibesikpo Local Government Area of Akwa State, and found with a Nigerian Army 20 Battalion Identification Card. Investigations revealed that he carried out a SIM card swap and fraudulently withdrew N700,000.00 from the account of his victim, Mrs. [REDACTED], domiciled in First City Monument Bank (FCMB). He had previously stolen the victim’s ATM card and reset her PIN. He was found with military kits, uniforms, a bulletproof vest and a phone containing pictures of him and his other fake military friends.

    Asoqwo Henry Mfon
  12. CASE 3 - EFCC Arrests Bank Security, Two Others for SIM SWAP & ATM Fraud in Makurdi

    The suspects, 36-year-old Michael Damhindi (who is a security guard with an old generation bank), Chidi Emmanuel Aniekwe (32), and Terhemba Iorhen (35), would station themselves around ATM machines, ready to help bank customers who had difficulty completing their transactions, and in the process harvest their victims’ vital account details for their criminal purposes. They were arrested in the North Bank area of Makurdi, the Benue State capital. Items recovered from them included one Mazda Millennia car, 31 ATM cards of different banks bearing different names, 19 phones, two laptops, 16 starter SIM packs, SIM cards of various networks, one Glo modem, a flash drive and fake currency notes.
  13. CASE 4 – Nigerian led SIM Swap Gang in India

    The suspects arrested by the police in India include Odafe Henry, one Nigerian living in Kolkata, 35-yr-old Rajat Kundu, 31-yr-old Ankan Saha, 52-yr-old Santosh Benerjee, 38-yr-old Sanjib Das and 42-yr-old Chandan Verma, all residing in Kolkata, but the mastermind, “Ebigbo Innocent a.k.a James”, is still at large. All the 7 are said to have defrauded thirteen companies within Kolkata. James, the key person charged in the crime and carrying out operations from Nigeria, sent phishing e-mails to companies within India seeking to break into their systems. In this manner he garnered mobile number and online banking details, which he shared with Santosh, Rajat and Henry via the Internet. The gang members used the details to create duplicate rubber stamps and fake documents of the companies. They then submitted those forged papers and were issued fresh SIM cards. These SIM cards helped the criminals carry out dubious transactions via the targeted companies' accounts in different banks. From there they moved the money into their own accounts using the one-time passwords obtained from the fresh SIM cards issued for the hacked companies' cell-phone numbers.
  14. CASE 1 – Nairobi, Kenya. (Insider Threat)

    Maurice Musoti, an employee of mobile telecommunication service provider Safaricom, and Rian Obaga Nyagaka, a fourth-year student studying Bachelor of Science in Electronic Engineering at the Jomo Kenyatta University of Agriculture and Technology, were 2,160 unused SIM cards. The detectives also recovered 44 used SIM cards, five till agent numbers, three mobile money transfer registry books, an Internet Booster Router, and two mobile phones. The arrests came at a time of heightened vigilance following increased cases of fraudulent SIM swaps that have led to the siphoning of thousands of shillings from mobile money accounts.
  15. CASE 2 – Cape Town, South Africa. (Social Engineering)

    The victim was a 78-year-old man. The victim’s spokesperson said someone within a bank had to let someone from a cellphone company know there was money, and from there the scam was born, and they went after the details of the person and took over their number. There was a SIM swop in October without the victim’s knowledge, done by Vodacom. Criminals cleared out 50 years of savings by transferring Absa Money Market to Absa Cheque and creating 15 new beneficiaries, and the money was gone within five hours. Both Absa and Vodacom deny responsibility. The victim had noticed that he had no cellphone service and thought he had run out of airtime. He then went to a local cellphone shop, where he was told to go to Vodacom. He went to a Vodacom store, where he was informed that he did have airtime but needed a SIM swop.
  16. OTHER INTERESTING CASES

    • A college student who stole more than $5 million in cryptocurrency by hijacking the phone numbers of around 40 victims
      https://www.vice.com/en/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison
    • T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account
      https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/
    • 8 Brits used sim swapping attacks to steal over $100m from celebrities in the US
      https://www.teiss.co.uk/sim-swapping-attacks-hackers-arrested/
  17. BUSINESS ON THE DARKWEB: Threat Actor Intelligence

    “Brand”: In May 2021, the threat actor advertised a SIM swapping course on [REDACTED] Forums for $200 that included the following learning objectives:

    • How to find and verify a carrier’s PIN
    • How to bypass MFA to gain access to a carrier’s online account
    • How to dox a victim and cash out (wire transfer tutorial) for Chase accounts

    Access to the course includes scripts for live chat.

    “Smaill00”: In August 2020, the threat actor expressed interest on [REDACTED] Forum in partnering with US-based threat actors for their SIM swapping and SMS intercept services. The threat actor stated they also conducted fraudulent calls. Based on forum threads, the threat actor has successfully partnered with other users multiple times.

    “asxushuai”: In June 2020, the threat actor requested services and indicated an interest in cooperating with another in SS7 SMS interceptions on Hack Forums. The threat actor stated that candidates must prove their capabilities using phone numbers provided by asxushuai. The threat actor instructed interested partners to contact them at [REDACTED]@protonmail[.]com
  18. BUSINESS ON THE DARKWEB: Threat Actor Intelligence

    “novaking”: From June to November 2020, the threat actor offered SIM swapping services against T-Mobile and other US carriers on [REDACTED] Forum, to bypass SMS 2FA and get access to victims’ bank accounts, with subsequent cashing out of stolen funds. The threat actor stated that their profit share for this service is 70%.

    Image: novaking demonstrates SIM swapping against Wells Fargo bank account secured with 2FA (Source: Insikt Group).
  19. GENERAL MITIGATION

    • Set up a unique password or phrase that must be provided when calling a carrier’s customer support, which many carriers provide as an option
    • In place of SMS MFA, use authenticator applications such as Google Authenticator, Duo Mobile, FreeOTP, Authy, or Microsoft Authenticator to securely access devices.
    • Use one-time passwords or codes in addition to the primary password. Some services generate and display multiple one-time use codes that can later be used for authentication upon login. These codes can be printed out or written down and put in a safe place
    • Use hardware tokens based on Universal 2nd Factor (U2F) in place of SMS MFA.
    • End-users must use a unique, strong password to protect their online mobile carrier account
  20. HOW DO YOU KNOW IF YOU’RE A VICTIM?

    • Sudden unexpected loss of mobile signal
    • Notification from your mobile provider
    • Inability to access online accounts such as bank and credit card accounts, email and social media
    • Fraudulent bank and bitcoin transactions to unknown 3rd parties
    • Unexpected social media activity and posts
    • Sudden increase in phone calls or texts
  21. WHAT TO DO AS A VICTIM?

    • ACT IMMEDIATELY, ACT SWIFTLY
    • Contact your financial organizations immediately and request a reference number for your call to them.
    • Contact your mobile provider
    • Report the crime to local law enforcement
    • Keep a log of your actions, prior to the attack and after. Note who you have contacted, who contacted you, when, what actions were agreed to be completed and when.
  22. CONCLUSION

    SIM swapping remains a serious threat to carriers, social media organizations, and financial services, especially those involved in banking and cryptocurrency. It is a popular attack vector for many cybercriminals across the dark web and is tied to other fraudulent TTPs such as social engineering, insider threats, account takeovers, and money laundering. Based on reported intelligence, SIM swapping remains a popular attack vector among dark web cybercriminals who exclusively use forums as sources for advertising and requesting SIM swapping services, while dark web marketplaces and shops are primarily used for the sales and advertisements of SIM swapping tutorials and guides, as well as compromised PII data used in attacks. We believe that forums, marketplaces, and shops will remain popular and widely used sources for vendors and buyers to advertise, discuss, share, and purchase SIM swapping-related services for the foreseeable future and should be tracked closely.
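
The Nigerian Case 1 and the Cape Town case share a sequence: the victim's number changes hands, then transfer limits are raised or new beneficiaries are created, then money leaves within hours. As an added example (not part of the original deck), this bank-side check flags that sequence over constructed events; the event names, field names, 24-hour window and two-signal threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event names for actions the cases above show following a swap.
SENSITIVE = {"limit_increase", "beneficiary_added", "password_reset", "transfer_out"}

# Constructed sample events (not real data); field names are assumptions.
EVENTS = [
    {"ts": "2023-01-10T08:00:00", "account": "A1", "type": "sim_change"},
    {"ts": "2023-01-10T08:40:00", "account": "A1", "type": "limit_increase"},
    {"ts": "2023-01-10T09:05:00", "account": "A1", "type": "beneficiary_added"},
    {"ts": "2023-01-10T09:30:00", "account": "A1", "type": "transfer_out"},
    {"ts": "2023-01-10T10:00:00", "account": "A2", "type": "transfer_out"},
    {"ts": "2023-01-05T12:00:00", "account": "A3", "type": "sim_change"},
    {"ts": "2023-01-09T12:00:00", "account": "A3", "type": "transfer_out"},
]

def post_swap_alerts(events, window=timedelta(hours=24)):
    """Return {account: [(event type, timestamp)]} for sensitive actions
    that occur within `window` after the account's latest SIM change."""
    last_swap = {}
    alerts = defaultdict(list)
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "sim_change":
            last_swap[acct] = ts
        elif ev["type"] in SENSITIVE:
            swapped = last_swap.get(acct)
            if swapped is not None and ts - swapped <= window:
                alerts[acct].append((ev["type"], ev["ts"]))
    return dict(alerts)

def should_hold(alerts, account, min_signals=2):
    """Hold outgoing transfers for manual review when at least `min_signals`
    distinct sensitive actions follow a recent SIM change."""
    kinds = {kind for kind, _ in alerts.get(account, [])}
    return len(kinds) >= min_signals

if __name__ == "__main__":
    found = post_swap_alerts(EVENTS)
    for acct in sorted({e["account"] for e in EVENTS}):
        print(acct, "HOLD" if should_hold(found, acct) else "ok", found.get(acct, []))
```

Account A3 is not flagged because its transfer comes four days after the SIM change; widening the window trades fewer missed cases for more reviews of legitimate SIM replacements.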