Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.
Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.
In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”
T-Mobile has not yet responded to requests for comment.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.
Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.
In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.
The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.
And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”
A phishing message targeting FTX users that went out en masse today.
A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.
Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.
Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.
The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.
If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.
Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.
I know how easily I give up my phone number just out of wanting to be a nice person and being gullible. The more I read these types of stories, the more it makes me more defensive about giving away personal information. I think it takes these types of stories to become better protectors of our personal information. I just wish it was more well known to people that don’t care about IT.
You’re absolutely right, and your awareness of the importance of protecting personal information is a significant step in safeguarding yourself against potential cyber threats. It’s a common misconception that cybersecurity is solely the concern of IT professionals. In reality, everyone who uses digital devices and the internet should be vigilant about safeguarding their personal information.
Always Be cautious with personal information
Had my debit card skimmed recently and the perps added it to Apple Wallet. The bank only required 3 forms of authentication all of which are weak:
a. SMS text
b. e-mail
c. call the bank
Got 2 SMS text messages back to back, I have T-mobile, looks like someone could have done a brief SIM swap. Reached out to TMO and they said no changes were done to my account. I don’t believe it.
eSIM doesn’t do jack in this case.
If you suspect that your bank’s authentication methods are not sufficient, it’s essential to reach out to them again and express your concerns. Ask if there are more secure authentication options.
I’m sorry to hear about your recent experience, Educate yourself and others about common cyber threats like SIM swapping and phishing, as well as how to recognize and avoid them.
You’d be amazed how quickly this problem would be solved if the mobile companies AND the companies using SMS 2FA were held liable for all losses.
Mobile companies never agreed to secure access to something, so there’s no reason they should be liable.
Exactly. Let’s just stack our security on someone without telling or funding them.
How is that? Was the “SIM swap” request genuine or not? I guess it was not. So the T-Mobile should have not done that in the first place. If someone else goes to my bank and asks for money transfer from my account to somewhere else and my bank does allow it, the bank will not be responsible? They are liable at least for some part. Of course they are not fully liable, because its not their fault that the client builds his security around the mobile numbers.
Mobile number for security is like sending PIN to debit card over mail…. and there was time when Banks did use this approach. 🙁
And that phish domain is still active. Registrar listed in whois is tucows but they’re using njalla nameserver. Probably njalla acted as tucows reseller.
Kinda surprised that Kroll used phones as identification. I can’t do much about my bank allowing it. But Kroll could’ve required employees to use a more secure form of 2FA. Why didn’t they?
I’ll reluctantly accept that mobile phone companies aren’t responsible for securing my identity. But it seems reasonable to hold a security consulting company to a higher standard.
It’s a “security consulting giant”? Problem #1?
I’m not a lawyer, but what does a “security consulting giant” have to do with bankruptcy restructuring?
Also, I didn’t know “SIM swapping” was sophisticated.
Its the typical poor reporting from Krebs – the issue happened within an entirely different division of the company from the cybersecurity consulting/DFIR portion. Duff and Phelps (the parent company) bought the Kroll cybersecurity company several years ago and then adopted the Kroll name/logo for the entire parent company. This issue had zero impact on any of Kroll’s cybersecurity clients.
Spoken like someone who works at Kroll. You might notice that despite the statement they published, the company did not respond to questions. They didn’t say where the breach happened, nor did they say it had zero impact on any of their clients.
We need more of you SIM Swapping and the skimmer series, it’s by far your best and most entretaining content, I stick to those articles like a grandma to soap operas
Less Washington Post style articles and more quality articles like those would your readerbase soar.
Maybe yes, maybe no. I am wondering if Kroll’s clients will see that same way like you do.
The fix for this problem:
https://www.wired.com/story/sim-swap-fix-carriers-banks/
What do folks think about using a VOIP number like Google Voice instead of one’s true phone number for SMS verifications?
Some businesses (for instance Coinbase) do not allow voip services like Google Voice. Very stupid. I know.
VoIP services can be susceptible to various forms of abuse, including spam calls, robocalls, and phishing attempts. These can pose security risks to the organization. and those are harder to detect.
It is more secure in the sense that Google may have higher security using hardware keys, but many entities disallow Google Voice numbers “for security” – in which they need to ensure US residents only for legal reasons.
Some sites don’t allow settings up a voip style number for that purpose. BUT if you set the number up and then move it to googlevoice. they dont recheck.
My number is a GV, my email is 2FA with yubikeys, the security linked email is another gmail with 2FA.
side not: I also added my accounts as the security reset account to my parents email addresses to prevent them losing access to phish/spam/forgetfulness.
Where 2FA codes must be issued via SMS, suggest configuring using a Google Voice number because it cannot be SIM-swapped. (have not looked into whether other VOIP providers function in the same way)
Most of my accounts requiring a phone number for 2FA purposes allow the use of a Google Voice number but there are a handful that do not (i.e. the codes just never arrive or the site does not accept the number during configuration) in which case I must unfortunately use my cell number.
Where 2FA codes must be issued via SMS, suggest configuring using a Google Voice number because it cannot be SIM-swapped. (have not looked into whether other VOIP providers function in the same way)
I’ve found that most accounts requiring a phone number for 2FA purposes allow the use of a Google Voice number but there are a handful that do not (i.e. the codes just never arrive or the site does not accept the number during configuration) in which case one must unfortunately use a number linked to a cell phone.
Sort of an odd one. It sounds like the information obtained might be public information available from the bankruptcy court itself, for a fee, using the court’s PACER system.
I’d be more interested in the sim swapping and whether whatever it was got around T-Mobile’s SIM Protection feature. If that wasn’t used, seemingly the employee could have better protected their phone. Something for employers to consider.
In a world where security mattered, sms authentication would be the rarest 2fa, not the most common. I think a lot of people need to be educated if these sim swapping attacks are ever going to be stopped.
Love your work Brian, keep it up.
The connections Kroll has to the CIA are deep zero sympathy for these cockroaches
It is more secure in the sense that Google may have higher security using hardware keys, but many entities disallow Google Voice numbers “for security” – in which they need to ensure US residents only for legal reasons.
Where 2FA codes must be issued via SMS, suggest configuring using a Google Voice number because it cannot be SIM-swapped. (have not looked into whether other VOIP providers function in the same way)
I agree with everything you said. However, my only hesitation in using google voice for SMS codes is google has been known to arbitrarily nuke accounts. Then what? Hope you have a backup plan.
Yes, Indeed It should be having that kind of security.
Highly Sophisticated: adj. (freq. used by PR representatives); see: “Successful”.
For company-owned mobile accounts, is SIM-swapping still a vulnerability? And for personal phones, does a company MDM (e.g., Intune, AirWatch) for BYOD mitigate this threat?
I received a very similar phishing but claiming to be BlockFi
Never had any crypto account in my life