Hackers are phishing workers at major U.S. telecommunication companies to gain access to internal company tools, Motherboard has found.
Once they have access to these tools, the hackers are then able to carry out SIM swapping, where they take control of a victim's phone number in order to break into email, social media, or cryptocurrency accounts.
Motherboard spoke to SIM swappers, security researchers, technology vendors that have obtained evidence of compromises, and former and current telecom company employees about the practice. The news follows our report showing that SIM swappers are getting telecom employees to run software that lets the hackers reach directly into company systems, and signals continued escalation in the world of SIM swapping.
The scammers will try to trick telecom employees into logging into fake login pages, which allows the scammer to harvest their credentials and reuse them to SIM swap later.
Do you know anything else about SIM swapping? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"Yes, so they just login like they normally would no questions asked. And we got their credentials," one source who provided screenshots of internal telecom company systems said of telecom employees. Motherboard granted multiple sources in this story anonymity to speak more candidly about internal systems and criminal activities.
The phishers are trying to gain access to login panels that telecom workers use to run customer service tools. Telecom companies like Verizon, Sprint, and T-Mobile don't only have their own corporate stores, but also outsource to "authorized resellers." In some cases, this is the group of workers that hackers are targeting.
Phishers targeted a "reseller's portal for one of the major U.S. carriers," David Gill, vice president of global business development at cybersecurity company WMC Global, which runs a phishing detection platform, said. He declined to name the carrier the firm had identified phishing attacks against.
Ben Coon, vice president of network operations also from WMC Global, added, "The main phishing that we see that we have linked back to SIM swapping is […] phishing against the carrier internal systems that will allow them to gain access to create or modify accounts."
Independent security researcher Nicholas Ceraolo provided Motherboard with screenshots of login panels that Verizon, T-Mobile, and Sprint workers use. All of these were login pages for VPNs provided by tech infrastructure company Citrix. The VPNs let workers remotely connect to their employer's network to access internal systems.
"I actually had to warn everyone in our company about the whole SIM swap scam going on and to be safe about it."
One system SIM swappers have tried to access in particular is Omni, Verizon's customer support tool. Motherboard confirmed it is possible to perform SIM swapping via Omni with a former employee of an authorized Verizon reseller and a current independent Verizon representative.
"Omni is a site that employees use to process things that customers come in store for that’s account related. So device and SIM changes, billing, usage related things, plans, and activations are processed through there," the former employee said.
"Yes, it’s definitely possible," they added, referring to using Omni for SIM swapping. "Once you’ve logged into an account, you can edit the ICCID [a SIM card's unique identification code] for a line being used. From there you pop the SIM card you swapped into a phone and then it’ll have the victim’s number, which will then be used for identity theft.
The source who provided internal screenshots of internal telecom company systems said, "I can SIM swap anyone on Omni."
Verizon has also told resellers to be wary of phishing attempts.
The former employee said, "We had a mandatory online training where we were instructed to be careful about phishing, but nothing else."
"I actually had to warn everyone in our company about the whole SIM swap scam going on and to be safe about it," they added.
There are mitigations in place, but there may be workarounds. The former employee said that to access the Verizon tool a computer must have a specific token installed on the machine, but that sometimes employees can remotely access another computer that already has it installed, meaning they can use the tool from anywhere. T-Mobile and Sprint both told Motherboard in emails they use some form of two-factor authentication. Ceraolo said some SIM swappers will ask telecom company workers to read out a necessary authentication code over the phone, however.
"We're aware of recent fraud campaigns that target some employees and others using social engineering. Verizon is fully engaged in these issues," a Verizon spokesperson said in an email. "We're continually working to improve our security controls and are implementing enhancements in response to activities like this."
A Sprint spokesperson confirmed to Motherboard in an emailed statement that it is aware of SIM swappers trying to phish for access to internal tools. "We are aware of the technique and alerted our frontline reps to remind them of our security protocols," the email read.
"We see phishing attempts against our employee base regularly by different threat actors with a variety of motivations. We have active measures in place to detect and respond to this kind of activity and have not had incidents related to these attempts in the past," it added.
Subscribe to our cybersecurity podcast, CYBER.