Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted.
This is an escalation in the world of SIM swapping, in which hackers take over a target's phone number so they can then access email, social media, or cryptocurrency accounts. Previously, these hackers have bribed telecom employees to perform SIM swaps or tricked workers to do so by impersonating legitimate customers over the phone or in person. Now, hackers are breaking into telecom companies, albeit crudely, to do the SIM swapping themselves.
Motherboard's findings come as multiple Senators and Representatives wrote to Federal Communications Commission Chairman Ajit Pai on Thursday asking what the FCC is doing to protect consumers from the ongoing wave of SIM swapping attacks. An indictment unsealed this week in New York alleges a 22-year-old stole $23 million worth of cryptocurrency through SIM swapping.
"Some employees and managers are absolute brain dead and give us access to everything they own and that's when we start stealing," one SIM swapper said. Motherboard granted the SIM swapper anonymity to talk more openly about criminal practices.
Do you know anything else about SIM swapping? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.
This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees to install or activate RDP software, and then remotely reaching into the company's systems to SIM swap individuals.
The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." Hackers may also convince employees to provide credentials to a RDP service if they already use it.
Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.
"Some employees and managers are absolute brain dead and give us access to everything they own and that's when we start stealing."
Certain employees inside telecom companies have access to tools with the capability to 'port' someone's phone number from one SIM to another. In the case of SIM swapping, this involves moving a victim's number to a SIM card controlled by the hacker; with this in place, the hacker can then receive a victim's two-factor authentication codes or password reset prompts via text message. These include T-Mobile's tool dubbed QuickView; AT&T's is called Opus.
The SIM swapper said one RDP tool used is Splashtop, which says on its website the product is designed to help "remotely support clients' computers and servers."
Ceraolo provided multiple screenshots of this process, one of which appears to show someone logged into a T-Mobile QuickView panel via RDP. Another shows someone using a RDP tool while logged into an AT&T system.
The SIM swapper said, "This works with mostly ever[y] carrier, but as of now I can say T-Mobile and AT&T are the carriers that are used the most."
When asked for comment, an AT&T spokesperson wrote in an email, "We are aware of this particular tactic in the industry and have taken steps to prevent it. Determined, sophisticated criminals employ fraudulent SIM swaps to commit theft. That is why we are working closely with our industry, law enforcement and consumers to prevent this type of crime."
Sprint also confirmed it is aware of SIM swappers using this RDP method.
"This works with mostly ever[y] carrier."
"Yes, we are aware of this technique, but for obvious security purposes, I am not going to detail exactly what controls our teams have in place to thwart fraudulent SIM swaps through this or similar methods," a Sprint spokesperson wrote in an email. "In addition to the system controls we have in place, any time we become aware of harmful techniques being utilized by bad actors or industry wide issues, we alert our frontline reps and refresh them on their training to further help protect our customers."
A T-Mobile spokesperson said in a statement, "These fraudulent SIM swaps are criminal attacks that impact the entire industry. We have a number of measures in place to identify and prevent them and as fraudsters evolve, so do we."
Verizon did not respond.
On Thursday, Senator Ron Wyden and other lawmakers' letter to the FCC read, “Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers."
Update: This piece has been updated to include statements from AT&T and T-Mobile.
Subscribe to our cybersecurity podcast, CYBER.