Hackers Claim They Breached T-Mobile More Than 100 Times In 2022 (krebsonsecurity.com) 14
An anonymous reader quotes a report from KrebsOnSecurity: Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device. The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at "SIM-swapping," which involves temporarily seizing control over a target's mobile phone number.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone's phone number often can let cybercriminals hijack the target's entire digital life in short order -- including access to any financial, email and social media accounts tied to that phone number. All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.
Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief "Tmobile up!" or "Tmo up!" message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber. The information required from the customer of the SIM-swapping service includes the target's phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number. Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various "Tmo up!" posts from each day and working backwards from Dec. 31, 2022. But by the time we got to claims made in the middle of May 2022, completing the rest of the year's timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days -- often with multiple groups claiming access on the same days. In a written statement to KrebsOnSecurity, T-Mobile said this type of activity affects the entire wireless industry.
"And we are constantly working to fight against it," the statement reads. "We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts."
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone's phone number often can let cybercriminals hijack the target's entire digital life in short order -- including access to any financial, email and social media accounts tied to that phone number. All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.
Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief "Tmobile up!" or "Tmo up!" message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber. The information required from the customer of the SIM-swapping service includes the target's phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number. Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various "Tmo up!" posts from each day and working backwards from Dec. 31, 2022. But by the time we got to claims made in the middle of May 2022, completing the rest of the year's timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days -- often with multiple groups claiming access on the same days. In a written statement to KrebsOnSecurity, T-Mobile said this type of activity affects the entire wireless industry.
"And we are constantly working to fight against it," the statement reads. "We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts."
Body Count (Score:3)
(Every Other Carrier) "Soo...*snicker*...what's ah...*snort*...your body count..."
Re: (Score:2)
(Every Other Carrier) "Soo...*snicker*...what's ah...*snort*...your body count..."
Tweeny-sebum. Uhh, make that tweeny-eight. Crap, tweeny nine. And here comes tirty through tirty-nine as we speak.
Official press statement of the above: What? Zero. Neber. Huh? Why you askin'? Stop lookin' at us! /snort
Two Factor (Score:3, Informative)
In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device.
In other words, SMS as two factor authentication is worse than useless.
Which I've said repeatedly.
I told you so.
Re: (Score:1)
While I agree, there are problems with SMS 2FA, it's still better than nothing. Every entity relying on SMS for 2FA needs to change and at least allow other options, let me at the very least use my authenticator app, or even better my Yubikey. The real problem here though, is the phone companies and their protocols and training. Social networking and phishing is a human problem and training is the only fix.
Re: (Score:3)
Every entity relying on SMS for 2FA needs to change and at least allow other options, let me at the very least use my authenticator app, or even better my Yubikey.
Definitely. I use my YubiKey everywhere I can (which is not nearly enough places). My Github account has my YubiKey registered so my open source persona is secure! My bank doesn't support it. Go figure.
Re: (Score:2)
In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device.
In other words, SMS as two factor authentication is worse than useless.
Which I've said repeatedly.
I told you so.
This is not intended to be off-topic. A large nationwide "security alarm" company makes me shake every time they visit the place I work to do service on equipment. The tech workers literally call in to the same main phone number a customer would call in to and mention they are an employee doing "test x, y, whatever" and it's on system ID [read the number right off the front of the easily-viewable unit here] and their employee identification number is 12345678. Or whatever. They can then have the system
Re:Two Factor (Score:4, Interesting)
>SMS as two factor authentication is worse than useless.
Depends. SMS as two factor authentication is still pretty good if it's used that way. If the attacker needs to keylog you AND intercept your text message via hacking your telco, that's better than either ONE of those, right?
The reason it's often, in practice, WORSE than useless, is that many things don't actually support 2FA at all. Sure, they make you type in a text message code and remember your password for access, but if you click "forgot my password" you can sometimes get access with JUST a text message. Or if they call the company, usually the text message is enough and they can take all your shit. For this reason, I avoid SMS when I can, as many places turn it into one factor auth in practice.
Easy fix (Score:2)
Require a sim swap be done in person at a store with photo id and address verification. Problem solved.
Not entirely (Score:3)
It's not only SIM-swap exploits. There's also an exploit being used where a malicious actor can reset your voicemail password (which then defaults to your 7 digit phone number) and then they are able to access your voicemail. If you have any accounts set up to use your phone number for password recovery via a voice call, the hacker will be able to listen to the resulting voice message and gain access to the account they've attempted to compromise. I've had it happen to me, and I wrote about it on Reddit. [reddit.com]
T-Mobile security is an oxymoron (Score:4, Informative)
T-Mobile accounts permit you to use TOTP for 2FA, but they DON'T permit you to disable SMS for 2FA on your account.
When you login with TOTP enabled you are presented with a pair of 2FA options: SMS or Google Authenticator. There is no way to remove or disable the SMS option from your account.
Re:T-Mobile security is an oxymoron (Score:4, Interesting)
Even better though, for literal years it took forever for me to log in to T-Mo each time. 60+ seconds while it would wait and wait and wait, wake up, move to another step and then wait and wait and wait. What was it doing? It was simply timing things out in the background, is what. See, I've had HTTPS-only enabled for years now, but had it fall back (used to, anyway, though I've since turned that off) to HTTP after a timeout for sites that didn't do HTTPS. And yeah, getting into my T-Mo took that long because they still had HTTP-only calls, a lot of them, in their LOGIN PROCESS. Even after getting logged in, most activities took forever for the same reason, as those HTTP-only calls were throughout the entire site.
They didn't correct any of that until at least late 2021, maybe early 2022, I can't remember exactly. Way, way, WAY too recently.
Every system has been compromised (Score:1)
I concluded about 10 years ago that every computer system of any value has been compromised in some way by some adversarial actor, and many if not most systems in total compromised either as a reserve against the future, as a side effect of shotgun attacks, or just because. The cracks reported by Krebs and others since then have simply reinforced that observation.
Best place to hide is right in the open. Usually. (Score:2)
...We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.
"We don't have any other ideas. Do you, random person, with your threat intelligence arsenal? Anyone? Anyone? Bueller?"