A former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts.
SIM swapping is an unauthorized porting of a targeted person's phone number to another physical SIM card or eSIM chip controlled by the attacker.
These types of attacks are usually conducted via social engineering attacks against customer support agents or through insiders at mobile companies.
This attack aims to take control of the target's phone number to receive SMS-based one-time passwords sent as part of two-factor authentication protection on online accounts.
Receiving these codes allows attackers to take over the target's accounts using stolen credentials, typically acquired through phishing or other data leaks.
Telecom service providers have now implemented measures to prevent such arbitrary number porting events without the involvement or authorization of the owner.
The former IT manager, Jonathan Katz, abused his managerial position and highly privileged account at a mobile telecommunications store to overcome security measures and perform unauthorized number ports.
An announcement and court documents published earlier this week by the U.S. Department of Justice explain that Katz performed the SIM swaps between May 10 and 20, 2021, while he was a manager for a telecom firm.
Court documents from December 2021, released following Katz's arrest, indicate five victims in Wyoming, New Jersey, California, and Tennessee.
Katz's actions enabled his accomplice to hijack victims' mobile phone numbers and subsequently gain access to accounts, including email, social media, and cryptocurrency wallets.
For carrying the unauthorized number porting, Katz received $1,000 in Bitcoin per SIM swap, plus an percentage of the profits earned from the illicit access to the victims' devices.
For his actions, Katz faces a statutory maximum of five years in prison and a fine of up to $250,000 or twice the financial gain or loss from the crime.
SIM swappers hijacking phone numbers in eSIM attacks.
Bitcoin Fog mixer operator convicted for laundering $400 million.
LockBit ransomware affiliate gets four years in jail, to pay $860k.
Vastaamo hacker traced via 'untraceable' Monero transactions, police says.
Court charges dev with hacking after cybersecurity issue disclosure.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 15 Mar 2024 15:30:17 +0000