T-Mobile may have been hacked 100 times in the course of 2022

To say that T-Mobile has had a shocker of a couple of years when it comes to security is quite an understatement, but according to one security expert, the US telco’s situation could be far, far worse.

David Hollingworth
Wed, 01 Mar 2023

According to security specialist Brian Krebs, at least three separate threat actors have had access to T-Mobile’s internal systems throughout 2022, with over 100 discrete incidents of malicious access in the back half of the year alone. This was achieved through repeated phishing attempts to gain employee access to internal tools, which in turn allowed the actors to offer a SIM-swapping service.

Through this service, the threat actors were able to sell access to third parties wishing to intercept calls and texts to specific mobile numbers.

“Countless websites and online services use SMS text messages for both password resets and multi-factor authentication,” Krebs writes on his blog, KrebsOnSecurity.

“This means that stealing someone’s phone number often can let cyber criminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.”

Krebs discovered the operation by monitoring the three hacking groups on their various Telegram channels, where they would announce the availability of a SIM swap with the message “Tmobile up!” or “Tmo up!”. All a customer of the hackers would need to do is supply a target mobile number and the serial number of the SIM card that the intercepted messages are meant to be sent to.

Krebs contacted T-Mobile to warn of the unauthorised access to its systems, but T-Mobile played the hacking down, saying that it was rather an industry-wide issue. But according to Krebs, that’s not exactly the case.

“While it is true that each of these cyber criminal actors periodically offer SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers,” Krebs said in response to T-Mobile’s claims.

“And when those offers do materialise, they are considerably more expensive.”

The threat actors utilised what they term “callers”, or people hired by them to specifically call up and phish T-Mobile employees by directing them to fake employee login pages, where the victims enter their credentials. Once those details are passed on to the original threat actors, they can simply log into T-Mobile’s internal systems and re-route calls and SMSes.

According to the timestamps of some of the Telegram posts, while most access was limited to around an hour, in some cases, that access extended to days at a time.

It does appear that T-Mobile may have been aware of the access, however, as instances of SIM-swapping being advertised decreased steadily in the last months of 2022.

“T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year,” Krebs said.

“However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.”

This news comes after the revelation that T-Mobile suffered a data breach affecting 37 million customers late last year. That hack, in turn, came after the company was forced to pay out US$350 million to settle a lawsuit over a previous data breach in August 2021.

At the time, T-Mobile was also ordered to spend $150 million on improving its security posture.

Money not well spent, apparently.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
