eSIM Attacks Bring New SIM Swap Threats To Banking

Sim Swappers techniques are changing. In a troubling development, cybersecurity experts at FAC.C.T., a leading Russian cybercrime prevention firm, have uncovered a new attack vector targeted explicitly at those eSIMS vulnerabilities.

Since the fall of 2023, Fraud Protection analysts from FACCT have recorded more than a hundred attempts to enter clients’ personal accounts in online services from just one financial organization.

To steal access to a mobile number, attackers replace or restore a digital SIM card: they transfer the phone from the victim’s SIM card to their own device with an eSIM.

A Shift From Social Engineering To Credential Stuffing

eSIMs (Virtual SIM cards) have gained worldwide popularity among smartphone manufacturers since they were launched in 2017 because they eliminate the need for a physical SIM to be changed when porting a number.

The initial risks with eSIMs were social engineering and insider fraud. Hackers would attempt to recruit insiders at phone stores or Telecom call centers or simply social engineer customer service representatives through customer impersonation. But as Telecom providers have gotten better at stopping those attempts, the hackers have shifted.

Now, according to the researchers, hackers are resorting to brute force credential stuffing to take over victims’ mobile accounts and initiate a Sim Swap once they have gained access.

Researchers at FACCT call this method “Hijacking,” which they say emerged over a year ago but have seen hundreds of times in Russia.

How The eSIM Swapping Method Works

The typical eSIM Hacking Method has 5 steps;

Gathering information: Attackers collect personal information about the victim, such as their name, address, date of birth, and mobile phone number. This information can be obtained through phishing scams, social engineering, or data breaches.

Compromising accounts: Using the gathered information, attackers attempt to access the victim’s online accounts, such as their mobile carrier’s website or popular government services. They may use credential stuffing or social engineering to bypass security measures.

Once the attacker has access to the victim’s account, they initiate a process to transfer the victim’s mobile number from their physical SIM card to the attacker’s device using an eSIM. This is often done by requesting a new eSIM activation or QR code through the compromised account.

The attacker uses the obtained activation code or QR code to provision the victim’s mobile number on their own device. The victim’s physical SIM card is deactivated at this point, and they lose access to their mobile network.

Exploiting the hijacked number: With control over the victim’s mobile number, the attacker can intercept SMS messages, bypass two-factor authentication, and gain unauthorized access to the victim’s online banking, email, and social media accounts. They may also use the hijacked number to impersonate the victim and deceive their contacts.

eSIM and Physical Swapping Are Both Damaging

It’s important to note that eSIM’s can be just as easily SIM swapped as a physical SIM. Remote hackers only need to persuade your phone company or hack into accounts to transfer your calls and messages to a SIM under their control.

The only protection that eSIMs offer is that local attackers who have access to your phone cannot take your SIM card and put it into their own phone.