Cyber scammers hack mobile operators to get to subscribers' phone numbers
Remote desktops (RDP) are a handy thing when you need to do something on a computer but have no physical way to sit in front of it, or when you need good performance from an older or less powerful device. The cloud provider Cloud4Y offers this service to many companies. So I could not pass by the news that SIM card hijacking (SIM swap, SIM substitution) scammers have switched from bribing telecom employees to using RDP to gain access to the internal databases of T-Mobile, AT&T and Sprint.

Cyber scammers (I can't bring myself to call them hackers) are increasingly pushing employees of mobile operators into running software that lets the scammers penetrate the companies' internal databases and steal subscribers' mobile phone numbers. A special investigation recently conducted by the online magazine Motherboard led its journalists to conclude that at least three companies were attacked: T-Mobile, AT&T and Sprint.

This is a real revolution in SIM card theft (SIM cards are stolen so that fraudsters can use the victim's phone number to gain access to email, social networks, cryptocurrency accounts and so on). Previously, scammers bribed mobile operator employees to swap SIM cards, or used social engineering to extract the right information by impersonating a real customer. Now they act brazenly and crudely, breaking into the operators' IT systems and carrying out the necessary fraud on their own.

The new scam drew attention in January 2020, when several U.S. senators asked FCC Chairman Ajit Pai what his agency was doing to protect consumers from the ongoing wave of attacks. That this is not empty panic is evidenced by the recent case of $23 million stolen from a crypto account via SIM swapping. The accused is 22-year-old Nicholas Truglia, who "became famous" in 2018 for successfully hijacking the mobile phones of several prominent Silicon Valley figures.

"Some ordinary employees and their leaders are absolutely inert and stupid. They give us access to all the data and we start stealing," one of the attackers involved in stealing SIM cards told the online magazine on condition of anonymity.

How it works

The crooks use the capabilities of the Remote Desktop Protocol (RDP). RDP lets a user control a computer from virtually anywhere. As a rule, this technology is used for peaceful purposes: for example, when technical support helps set up a client's computer, or when working in cloud infrastructure.

But attackers have also come to appreciate the capabilities of this software. The scheme is quite simple: a scammer posing as a technical support employee calls an ordinary person and tells them that their computer is infected with the most dangerous malware. To fix the problem, the victim must enable RDP and let the fake help desk rep into their machine. From there it is a matter of routine: the scammer can do whatever his heart desires with the computer, and what it usually desires is to visit an online bank and steal money.

The twist is that scammers have switched from ordinary people to telecom operator employees, convincing them to install or activate RDP, and then roaming the operators' internal systems remotely, studying the contents of databases and hijacking individual users' SIM cards.

Such activity is possible because some mobile operator employees have the right to "port" a phone number from one SIM card to another. When a SIM swap is performed, the victim's number is transferred to a SIM card controlled by the scammer, who can then receive the victim's two-factor authentication codes or password reset links via SMS. T-Mobile uses a tool called Quick View to port numbers; AT&T has Opus.

According to one of the scammers the journalists managed to talk to, the remote desktop program that has gained the most popularity is Splashtop. It works with any telecom operator, but it is used most often for attacks on T-Mobile and AT&T.

Representatives of the operators do not deny this information. AT&T, for example, said it was aware of this particular hacking scheme and had taken steps to prevent similar incidents in the future. Representatives of T-Mobile and Sprint also confirmed that their companies are aware of the method of hijacking SIM cards via RDP, but for security reasons did not disclose the protective measures taken. Verizon did not comment.

Conclusions

What conclusions can be drawn from what is happening, without resorting to obscene language? On the one hand, I am glad that users have become more savvy, since the criminals have had to switch to company employees. On the other hand, data security is still lacking. Articles about fraud committed by swapping SIM cards have already appeared on Habr and other sites. So the most effective way to protect your data is to refuse to hand it over anywhere. Alas, that is almost impossible.


Source: habr.com