February 28, 2023

Image: Shutterstock.com

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber.

The information required from the customer of the SIM-swapping service includes the target’s phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number.

Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022.

But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.

KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry.

“And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

TMO UP!

While it is true that each of these cybercriminal actors periodically offer SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive.

The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between USD $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well more than twice that amount.

To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram.

First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.

In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel.

There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).

One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant.

A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.

TMO TOOLS

How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.

Allison Nixon is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.

Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats.

“I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”

In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employer-issued phones or laptops.

For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:

“Hello this is James calling from Metro IT department, how’s your day today?”

(yea im doing good, how r u)

i’m doing great, thank you for asking

i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with [Microsoft] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”

TMO DOWN!

The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicate that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.

T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.

One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats.

Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.

Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.

SECURITY KEYS

T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers.

T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.

A U2F device made by Yubikey.

“These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that the key’s response is bound to the origin of the website that registered it. Even if an employee who has enrolled a security key tries to log in at an impostor site, the browser and key will not produce a valid response for a site that isn’t the employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
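To make concrete why a phished login fails with a security key, here is an added example (not code from the article or from any key vendor) that models U2F origin binding with the Python standard library: the key derives a distinct credential per origin, the browser records the page origin it is really on in the signed client data, and the relying party rejects anything not bound to its own origin. HMAC-SHA256 stands in for the real ECDSA signature, and both origin names are constructed.

```python
import hashlib, hmac, json, secrets

# Added illustration, not code from the article or from any key vendor. Real U2F
# tokens sign with a per-credential ECDSA P-256 key; HMAC-SHA256 stands in for
# that signature here so the script runs with the standard library only.

RP_ORIGIN = "https://sso.carrier.example"          # constructed: legitimate login site
PHISH_ORIGIN = "https://sso.carrier-example.test"  # constructed: impostor site


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Models a U2F token: one master secret, a distinct credential key per origin."""

    def __init__(self):
        self._master, self._counter = secrets.token_bytes(32), 0

    def _cred_key(self, app_id, key_handle):
        # Derived from the app id (origin): a different origin yields a different key.
        return hmac.new(self._master, _h(app_id.encode()) + key_handle, hashlib.sha256).digest()

    def register(self, app_id):
        key_handle = secrets.token_bytes(16)
        return key_handle, self._cred_key(app_id, key_handle)

    def sign(self, app_id, key_handle, client_data):
        self._counter += 1
        msg = _h(app_id.encode()) + self._counter.to_bytes(4, "big") + _h(client_data)
        return self._counter, hmac.new(self._cred_key(app_id, key_handle), msg, hashlib.sha256).digest()


def browser_assert(key, page_origin, key_handle, challenge):
    """The browser records the origin it is really on; page script cannot override it."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return (client_data,) + key.sign(page_origin, key_handle, client_data)


class RelyingParty:
    """The employer's login service; it accepts assertions for its own origin only."""

    def __init__(self, origin):
        self.origin, self.creds = origin, {}  # key_handle -> [cred key, last counter]

    def enroll(self, key):
        key_handle, cred_key = key.register(self.origin)
        self.creds[key_handle] = [cred_key, 0]
        return key_handle

    def verify(self, key_handle, challenge, client_data, counter, sig):
        cred_key, last = self.creds[key_handle]
        cd = json.loads(client_data)
        if cd["origin"] != self.origin or cd["challenge"] != challenge:
            return False  # signed for another site, or not our challenge
        msg = _h(self.origin.encode()) + counter.to_bytes(4, "big") + _h(client_data)
        if not hmac.compare_digest(hmac.new(cred_key, msg, hashlib.sha256).digest(), sig) or counter <= last:
            return False  # wrong credential key, tampered client data, or replay
        self.creds[key_handle][1] = counter
        return True


def demo():
    key, rp = SecurityKey(), RelyingParty(RP_ORIGIN)
    handle = rp.enroll(key)
    c1 = secrets.token_hex(16)
    legit = rp.verify(handle, c1, *browser_assert(key, RP_ORIGIN, handle, c1))
    # An impostor site relaying the RP's genuine challenge c2 to the victim gets an
    # assertion the victim's browser bound to PHISH_ORIGIN, which the RP rejects.
    c2 = secrets.token_hex(16)
    phish = rp.verify(handle, c2, *browser_assert(key, PHISH_ORIGIN, handle, c2))
    return legit, phish
```

Running `demo()` returns `(True, False)`: the same key and the same user succeed on the real site and fail on the impostor, with no decision left to the person on the phone.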

THE ROLE OF MINORS IN SIM-SWAPPING

Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work.

“A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.

Nixon said SIM-swapping groups often advertise low-level jobs on places like Roblox and Minecraft, online games that are extremely popular with young adolescent males.

“Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.”

For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.

In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem.

“Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick any customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”

Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools.

“They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen crypto currency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”


36 thoughts on “Hackers Claim They Breached T-Mobile More Than 100 Times in 2022”

  1. Gannon (J) Dick

    I’ve been a T-Mobile customer for years. It took me about 10 minutes way back when to figure out they were under the magic spell of social engineers. Germans who know about Max Planck know he played a dangerous game and paid dearly, nothing new there. I was eventually “forced” into a Smart Phone by the demise of 3G but get weekly nags to fully install my OS. That’s not what Max Planck would do.

    1. Phil

      Sounds more like your phone needs security updates, which otherwise leaves your device vulnerable to various malware & hacks.

      “A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die and a new generation grows up that is familiar with it” – Max Planck

  2. Tink

    Brian, didn’t you say once that there is somewhere we can register to essentially freeze our SIM card, so to speak, like you put a freeze on your credit reports with the big 3 (4) credit bureaus. I vaguely remember the report and you saying that putting a freeze on your credit reports doesn’t likewise protect the SIM card/mobile number, so you had to put a separate freeze with a different company. What is that company, and do all mobile carriers honor that freeze?

    Or am I totally misremembering that article and there’s no comparable freeze mechanism to prevent SIM swaps?

    1. Alexandra

      It’s called a NOPORT. You must call T-Mobile and ask them to enable NO PORT on your number. If the agent doesn’t know what you’re talking about, end the call and call again to get an agent that does.

      1. Nancy

        Verizon calls it Number Lock, you can enable it in the phone app and I believe on the website. You don’t need to talk to a person to turn it on.

      2. mw

        No need to call in, you can do this from t-mobile account settings > privacy > sim lock.

        1. Lost in Tmobile settings

          Can you please give more detail on how to do this? I can’t find it in the settings.

          1. Ronald Harris

            Select Account then Privacy & Notifications, then SIM Protection, then enable it.

            1. SC54HI

              Just checked my T-Mo accounts & discovered that the SIM protection feature had somehow been turned OFF, who knows when, but definitely by T-Mo.

              I know that I turned it on as soon as that option was available to customers so beware & double check if you have previously used this security feature.

        2. G.Scott H.

          Very important not to confuse with another setting in the general phone settings called “SIM card lock”. This particular setting does NOT prevent a SIM swap.

      3. timeless

        @Brian
        > employee-issued phones or laptops

        That should be *employer-issued*

    2. BrianKrebs Post author

      You can and probably should take advantage of whatever protections are offered by the phone companies. But it’s important to point out that if an employee can put these restrictions in place, a phished (or collusive) employee can undo that in a second.

  3. The Sunshine State

    You forgot to mention another vector for SIM swapping, rogue cell service employees trying to make a quick buck by trying to take advantage of the company they work for. Another real good read!

    1. Dominik

      Thank you for the NOPORT term. Good to know the specific ask. Hope this would prevent T-Mobile insiders from SIM-swapping, but given T-Mobile’s security stance, I have no such hope and left T-Mobile in disgust some time ago since they really don’t care about breaches or such; 80 BILLION revenue allows for many settlements and still walk away fat. Brian has done a great job illustrating the ramification of SIM swaps. Ouch!

  4. vaadu

    T-Mobile account login has a serious flaw when it comes to MFA. You can set up your account to use TOTP. But you are still presented with the option to use SMS for 2FA at every login.

    There is no way to disable the SMS option.

    1. Kary

      This is a shortcoming of a lot of 2FA systems. Seemingly they provide little protection because you can’t limit it to just one system, and eventually it will even lead into security questions to allow a log in.

      1. PHP

        Not everywhere.
        Azure AD does not have fallback.
        Fallbacks have to be designed into the solution.

    2. js1

      Unfortunately I just discovered this. I thought I was helping to secure my T-Mobile account by implementing Google Authenticator. Then I discover that there’s no way to disable the SMS option. What the heck! Isn’t there a single Cyber Security engineer at T-Mobile who says “Wait, this is moronic.”

  5. Mat

    This is exactly what you get with dumbo CISOs with MBA and other unrelated disciplines.
    Like going to have a surgery with an attorney.
    Most US companies are like this. It’s not going to change because there is no skilled labor with needed skills in Cybersecurity in the US.

  6. unknownorigin

    honestly at this point they should just change their name to t-morrowwellgethackedagain

  7. G.Scott H.

    U2F can provide a fairly high level of security to the authentication process. But proper implementation is critical. Implementation of some backup factor is a very good idea, but frequently leads to the weak link. As “vaadu” noted in their comment above, T-Mobile has implemented SMS as a backup to TOTP and has introduced a weaker link through SMS. That essentially makes TOTP of no use since the weaker SMS is always available. They could do the same to a U2F implementation.

    I have primary and backup U2F keys which are both USB and NFC interfaced. There are precious few locations where I can use U2F though. I use Gmail, Google Voice, and have a family domain with Google Workspace where I use them. AT&T wireless uses SMS, so no go there. Outlook.com and Yahoo.com and a handful of others. Curiously, few financial institutions have implemented U2F; even worse, most use SMS for 2FA.

  8. Bernard

    Does TMO not use MFA and phishing just needs a username and password to get into their internal systems? Or how was MFA phished too?

    1. Kevin Faraday

      “to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.”

  9. Matt

    It’s time to complain to your bank about not supporting FIDO2 (or at least TOTP).

    1. mealy

      Is there a list of banks that do? Complain with your feet/wallet.
      Or complain to your bank, that could work. In some definition of work.
      “Oh yes sir I agree sir, we’ll get right on that sir. Is there anything else?
      Have you seen our new rewards gimmick account? Oh you have?”

  10. Denney

    Brian,

    How does the new ESIM equate into this? Is it more likely to be breached or less likely?

    1. Mark

      Depends. All you need is a QR code. 😉 Often no need to leave your house, no need to call anywhere. In Europe all you need is the victim’s account. They store passwords in plaintext. It’s bad bad.

  11. tim

    I just now called Tmo 611 tech Patricia and found you need both NOPORT and SimProtect. NOPORT keeps anyone from porting your number to a carrier outside of TMo, but you also need SimProtect which keeps anyone from changing your Sim card serial number to a different Sim card serial to be used on a new phone remotely, which is how simswap scammers work. SimProtect at TMo requires in-person visit and ID presentation at TMo to get your phone number assigned to a new Sim card serial number provided there.

  12. TIMOTHY

    please delete my last name from my previous post I just made

  14. Jan

    Can somebody tell me if in Europe SIM swapping is going on also, or is this a specific US problem?

  15. SC54HI

    So T-Mobile is dropping auto-pay by credit card as of May 2023. To continue receiving the auto-pay discount on billing you have to replace the credit card with a debit card or a bank account.

    How safe are these options in the next T-Mobile security breach?