SIM Swappers Exploit eSIM Vulnerabilities for Financial Fraud: Report

SIM swapping crimes are on the rise globally, according to a new report. These crimes are mostly committed using eSIM (embedded subscriber identity modules) users. eSIMs are digitally stored SIM cards that are embedded into a device using software. Hackers are now reportedly using vulnerabilities in this technology to brute force a victim’s phone account to port the number to their own device. The findings also revealed that bad actors are mainly interested in the victim’s online bank accounts and other financial services.

The information comes from Russian cybersecurity firm FACCT, a spin-off of Group IB. In his report, he emphasized that he registered “more than a hundred attempts to log into personal accounts of customers in online services from just one financial institution.” He also stated that cybercriminals have been using this method globally for at least a year.

The modus operandi of cybercrime is clear. In the past, criminals used social engineering strategies or used insiders at telecommunications companies to illegally transfer numbers to their devices. However, the report states that hackers have now resorted to exploiting vulnerabilities within the eSIM. Although it doesn’t explain the technical details, the process involves accessing a victim’s phone account credentials by stealing them, accessing leaked details through data breach incidents, or brute force into the victim’s account.

Once SIM swappers get the credentials, they generate QR codes through the hijacked phone account, which can be used to port the device directly, bypassing the usual procedure. The report also added that the criminals were only focused on committing financial fraud by accessing the victim’s online bank accounts, crypto wallets, etc.

“After gaining access to the victim’s mobile phone number, cybercriminals can obtain access codes, two-factor authentication for various services, including banks, messengers, which opens up many opportunities for attackers to implement criminal schemes,” said Dmitry Dudkov, Specialist Department for fraud protection at FACCT.

FACCT also urged eSIM users to improve the security of their phone account by using two-factor authentication and saving a complex password that includes a random alphanumeric series and special characters. For added security, users can choose authentication apps.