Open 24/7/365

We Have A Life-Time Warranty /
Guarantee On All Products. (Includes Parts And Labor)

These Illicit SIM Cards Are Making Hacks Like Twitter’s Easier

Next time your phone rings and the caller ID says it’s your bank, telecom company or employer’s IT department, it might be someone else. These Illicit SIM Cards Are Making Hacks Like Twitter’s Easier

That’s because little-discussed types of SIM cards offer the ability to spoof any number, can be encrypted and in some cases allows the user’s voice to be altered and cloaked. Such SIM cards are favored by criminals, and they can make social engineering attacks like those that struck Twitter last month easier to execute.

A SIM (Subscriber Identity Module) card is essentially what stores information about a phone’s user, including country, service provider and a unique idea that matches it to its owner.

While spoofing a phone number is an old trick, these SIMs offer a streamlined way to do it. They underscore the wide array of vulnerabilities companies and individuals face when trying to protect against social engineering attacks.

Twitter was the victim of a phone spear-phishing attack, in which a person posing as a company insider (often supposedly from the IT department) calls a real employee to extract information. That attack, which led to the takeover of 130 accounts, including high-profile ones such as Elon Musk and Kanye West, to scam their followers out of $120,000 worth of bitcoin, has brought increased attention to the practice. Tools like these SIMs are one way for attackers to try and stay ahead of suspecting companies.

“Other companies might be a softer target for these same techniques,” said Allison Nixon, chief research officer at Unit221B, a cybersecurity firm. “And they’re just not going to be prepared in the same way that battle-scarred telecommunications companies have been.”

Indeed, since the Twitter hack, there has reportedly been a rise in spear-phishing attacks across companies, individuals, and cryptocurrency exchanges.

White SIMs

The cards are known as White SIMs, owing to their color and lack of branding.

“White SIMs make it extremely easy to conduct outgoing spoofed calls,” said Hartej Sawhney, Principal at cybersecurity agency Zokyo. “They are illegal basically everywhere.”

Given the wide array of services SIMs such as these offer, they make social engineering just a little easier, and sometimes that’s all an attacker needs. SIMS can generally be bought on the Dark Web or related sites, using bitcoin.

Social engineering often relies on an attacker tricking someone into doing something he or she shouldn’t. It can look as simple as a phishing attack, but can also involve more elaborate means such as SIM swapping, voice spoofing or extensive phone conversations, all to gain access to someone’s information or data.

For years the cryptocurrency community has been the target of SIM swaps, a subset of social engineering. It involves an attacker fooling a telecommunications company employee into porting the victim’s number to the attacker’s device, which lets them bypass two-factor authentication protections to an exchange account or social media profile.

“Spoof calling is a flaw at the protocol layer and is not something that can be fixed overnight. It requires essentially rewriting the internet,” said Sawhney. “What’s interesting to note is that 99% of telecom employees have access to all customer accounts, meaning you only need to social engineer one of them.”

These SIMs present challenges for those working to protect against social engineering, including banks and other financial institutions.

A Business Like Any Other

Social engineering attackers pick their targets by weighing the money, time and effort required to dupe them against the payoff, said Paul Walsh, CEO of the cybersecurity company MetaCert.

“It’s easier, cheaper and faster to compromise a person through social engineering than it is to try and take advantage of a computer or computer network,” said Walsh. “So any tools or processes like these that make that job quicker and easier for them is obviously good, in their eyes.”

The ability to mimic a specific phone number is what makes these SIMs dangerous. For example, spam callers often spoof their number to make it seem they’re calling from a number in the recipient’s local area. But these SIM cards allow an attacker to spoof a specific number, making it more likely someone will answer the phone.

See Also: A New Ultrasonic Hack Can Exploit Your Siri

A person with a number-spoofing SIM could easily imitate the number of Bank of America, for example, said Walsh, making it more likely people would give out sensitive personal information. If the number comes up as Bank of America, why would you have reason to immediately think otherwise?

Walsh also said a lot of systems will automatically detect the number you’re calling from, and use that as a piece of information verifying your identity.

“So you call your bank and if you can confirm with your phone number and maybe one other piece of information, you gain access to all kinds of information like your bank balance and last transaction,” said Walsh. “That information alone might be useful in the context of social engineering by calling the bank without additional information you need to target someone, and acquiring it through the bank.”

Voice-Mimicking Tech On The Way

What concerns Haseeb Awan, CEO of Efani, a company that specifically works to protect against SIM hacks, is the way these SIMs might be used with other tech, such as voice spoofing. Technology that can be used to recreate someone’s voice is readily available online, and people’s voices can be reconstructed from just a few snippets of speech.

“If you’re able to replicate anyone’s voice, and couple that with their phone number, that’s what starts to worry me the most,” said Awan. “A lot of companies are now using your voice as an authentication method, so this is where the risk of fraud is going to get really high.”

And while most people might think they’d be able to tell if someone’s voice was altered, or sounded off, Awan, who was born in Pakistan but lives in the U.S., is quick to point out the tech has gotten so good he’s seen it able to replicate his accent. In fact, one study found our brains fare poorly at differentiating a fake voice from a real one, even when we’re told it is going to be fake.

Unlike the near-universally illegal White SIMs, encrypted anonymous SIMs that also alter your voice in real time can be easily purchased in the open. For example, the U.K. company Secure Sims, which did not respond to a request for comment by press time, offers one for sale that disables your location and encrypts data, among a variety of other features.

It’s listed for sale for £600-£1,000 ($794-$1,322).

Related Articles:

Uber Exec Allegedly Concealed 2016 Hack With $100K BTC ‘Bug Bounty’ Pay-Off

Senate Panel’s Russia Probe Found Counterintelligence Risks In Trump’s 2016 Campaign

Bockchain Based Surveillance Camera Technology Detects Crime In Real-Time

Trump Bans TicToc For Violating Your Privacy Rights While Giving US-Based Firm Go Ahead (#GotBitcoin?)

Facebook Offers Money To Reel In TikTok Creators

How A Facebook Employee Helped Trump Win—But Switched Sides For 2020

Facebook Rebuffs Barr, Moves Ahead on Messaging Encryption

Facebook Ad Rates Fall As Coronavirus Undermines Ad Spending

Facebook Labels Trump Posts On Grounds That He’s Inciting Violence

Crypto Prediction Markets Face Competition From Facebook ‘Forecasts’ (#GotBitcoin?)

Coronavirus Is The Pin That Burst Facebook And Google Online Ads Business Bubble

OpenLibra Plans To Launch Permissionless Fork Of Facebook’s Stablecoin (#GotBitcoin?)

Facebook Warns Investors That Libra Stablecoin May Never Launch (#GotBitcoin?)

FTC Approves Roughly $5 Billion Facebook Settlement (#GotBitcoin?)

How Facebook Coin’s Big Corporate Backers Will Profit From Crypto

Facebook’s Libra Is Bad For African Americans (#GotBitcoin?)

A Monumental Fight Over Facebook’s Cryptocurrency Is Coming (#GotBitcoin?)

Alert! 540 Million Facebook Users’ Data Exposed On Amazon Servers (#GotBitcoin?)

Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users (#GotBitcoin?)

Facebook Says Millions of Users’ Passwords Were Improperly Stored in Internal Systems (#GotBitcoin?)

Advertisers Allege Facebook Failed to Disclose Key Metric Error For More Than A Year (#GotBitcoin?)

Ad Agency CEO Calls On Marketers To Take Collective Stand Against Facebook (#GotBitcoin?)

Thieves Can Now Nab Your Data In A Few Minutes For A Few Bucks (#GotBitcoin?)

New Crypto Mining Malware Beapy Uses Leaked NSA Hacking Tools: Symantec Research (#GotBitcoin?)

Equifax, FICO Team Up To Sell Your Financial Data To Banks (#GotBitcoin?)

Cyber-Security Alert!: FEMA Leaked Data Of 2.3 Million Disaster Survivors (#GotBitcoin?)

DMV Hacked! Your Personal Records Are Now Being Transmitted To Croatia (#GotBitcoin?)

Lithuanian Man Pleads Guilty In $100 Million Fraud Against Google, Facebook (#GotBitcoin?)

Hack Alert! Buca Di Beppo, Owned By Earl Enterprises Suffers Data Breach Of 2M Cards (#GotBitcoin?)

SEC Hack Proves Bitcoin Has Better Data Security (#GotBitcoin?)

Maxine Waters (D., Calif.) Rises As Banking Industry’s Overseer (#GotBitcoin?)

FICO Plans Big Shift In Credit-Score Calculations, Potentially Boosting Millions of Borrowers (#GotBitcoin?)

Our Facebook Page

Your Questions And Comments Are Greatly Appreciated.

Monty H. & Carolyn A.

Go back

Leave a Reply