We frequently talk about cyber attacks that result from human error, like clicking on a malicious email or inadvertently wiring money to a fraudulent account. But a new tactic is rapidly gaining traction among threat actors that completely bypasses interaction with a victim until the damage is done.

The attack method is known as SIM swapping, and it has the potential to upend the way we view other extortion-based cyber attacks, like ransomware.

As one brazen threat actor told Coalition Incident Response (CIR),* SIM swapping attacks have a 100% guaranteed success rate — so once a target is identified, it’s not a matter of if, but when they’ll be compromised.

What is SIM swapping?

Most smartphones contain a subscriber identity module, also known as a SIM card, that stores identification information and assigns the phone to a mobile network. SIM cards typically contain user identities, location information, phone numbers, contact lists, and other types of sensitive data.

SIM swapping is a type of fraud in which attackers transfer a victim's phone number to a new SIM card. Once the number is transferred to a new card, it can be inserted into a new phone and used to access data and other accounts associated with the phone number.

Threat actors may gather personal information about their target, either scraping it from social media or buying it from the dark web, then impersonate the victim and tell their mobile carrier they’ve lost or damaged their SIM card. Once the new SIM card is activated, all of the target’s calls and messages are routed to the threat actor’s phone, which allows them to bypass security controls like multi-factor authentication (MFA).

Approximately 82% of organizations actively enable a bring-your-own-device program for employees, according to Cybersecurity Insiders, which means a targeted SIM swap is more likely to impact a personal mobile device that has an established connection to a business network. The attack method is also making headline news this year, allegedly linked to the hacking of the SEC’s X account and three major U.S. insurance firms, the latter of which resulted in compromised data for more than 66,000 customers.

What makes SIM swapping possible?

First and foremost, a SIM swap depends on a mobile carrier, as they must transfer a phone number from one phone to another. In many cases, threat actors deceive the mobile carriers into performing the transfer through social engineering.

SIM-swapping attacks are also made possible by employees within the mobile carriers. CIR has learned firsthand that many threat actors have contacts at all of the major carriers in the United States and Canada, whom they pay to perform SIM swaps. 

Establishing insiders — people willing to risk their livelihoods and jail time —  at mobile carriers is no simple feat. However, a security feature that’s actively growing in popularity makes SIM-swapping attacks easier than ever: self-service password reset (SSPR).

SSPR allows users to change or reset their passwords without help from an administrator. Although SSPR isn’t new technology, it was widely publicized when Microsoft shifted from Azure to Entra. Under the default “one-gate” policy, non-administrative users with SSPR enabled only need one piece of authentication data to initiate a password reset, which means if a threat actor gained access to a mobile device, they could reset the password without the user ever knowing it.

Knowing this, threat actors can identify high-value targets and leverage these new security controls to their advantage.

Approximately 82% of organizations actively enable a bring-your-own-device program for employees, according to Cybersecurity Insiders, which means a targeted SIM swap is more likely to impact a personal mobile device that has an established connection to a business network.

Case study: SIM swapper exfiltrates protected health data

CIR recently worked a case in which the threat actor exploited SSPR to perform a SIM-swapping attack, exfiltrated highly sensitive data from both email and Microsoft SharePoint, and demanded a seven-figure ransom for its return.

First, the threat actor did their reconnaissance, looking for a target that would likely use Microsoft Entra and have access to privileged information, but wouldn’t use an admin account. They scanned corporate websites and landed on a healthcare company executive. 

By the time the incident was reported to Coalition, the threat actor had performed the SIM swap, gained access to the executive’s Microsoft SharePoint account, and exfiltrated 800 GBs of data, including customers’ protected health information. The medical company was notified of the compromise via internal communication channels, and the threat actor demanded a $5 million ransom.

Over the course of one week, CIR continuously communicated with the threat actor, who was determined not to be associated with a known ransomware group. During negotiations, the threat actor specifically noted the need for a certain amount of money to cover the cost of paying an insider at the mobile carrier for helping execute the SIM swap. Eventually, CIR negotiated the demand down to roughly $250,000. Upon payment delivery, the threat actor gave CIR access to their infrastructure to take down and delete the data.

Self-service password reset allows users to change or reset their passwords without help from an administrator, which means if a threat actor gained access to a mobile device, they could reset the password without the user ever knowing it.

Expect more SIM-swapping attacks going forward

SSPR gives threat actors an incredibly simplistic way to compromise accounts, which is why we expect to see more SIM-swapping extortion attacks in the future. This method doesn’t require anyone to click on a phishing email, nor does it rely on a ransomware payload. A target can be compromised even if they do everything correctly.

Coalition strongly recommends enabling two-gate SSPR or disabling SSPR entirely to reduce the likelihood of an unauthorized password reset. As a general best practice, we also recommend that businesses use a form of MFA that doesn’t rely on phone calls or text messages and limit employee access to only the accounts and tools they need to perform their jobs.

The Federal Communications Commission voted last year to establish rules designed to stymie SIM swapping, which are scheduled to take effect July 8, 2024. However, mobile carriers have begun to push back on the timeline for implementation.

For now, businesses will need to take matters into their own hands and mitigate the risks of SIM-swapping attacks.

*Coalition Incident Response services provided through Coalition’s affiliate are offered to policyholders as an option via our incident response firm panel.

The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Facts may have been changed to protect the privacy of the parties involved.

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.