In recent days, two major companies experienced significant data breaches involving phone numbers, underscoring the substantial cybersecurity risks associated with this seemingly benign piece of personal information.
On July 15, 2024, Disney disclosed a breach where a hacker group named Nullbulge claimed to have obtained 1 TB of data from the company's internal Slack channels. This data included sensitive information such as traffic and revenue data for Disneyland Paris, unreleased project details, raw images, and computer code.
Shortly before that, on July 10, 2024, AT&T announced that their customers' call logs had been compromised, with rumors suggesting that this data is now circulating on dark web forums. While financial information and passwords typically attract more attention during data breaches, the exposure of phone numbers can facilitate severe attacks like SIM swapping, which can have enduring consequences.
The Value of Phone Numbers to Cybercriminals
Phone numbers are highly valuable to cybercriminals because they are a gateway to executing potent SIM swapping attacks. On cybercrime forums, there are numerous threads of threat actors looking for partners to conduct SIM swapping attacks on targeted individuals, especially those with cryptocurrency holdings that can potentially lead to big payouts.
While people are generally quick to change passwords after a data breach, phone numbers are much harder to change since they are tied to so many accounts and aspects of life. This makes leaked phone numbers a persistent vulnerability that can haunt individuals for years. Cybercriminals know this and seek to acquire databases of phone numbers along with other personal details like names to compile detailed profiles of potential targets.
How SIM Swapping Attacks Work
In a typical SIM swapping attack, the cybercriminal will first gather as much personal information as possible about their target by combing through databases of leaked information or even scouring the target's social media. Armed with details like the target's name, phone number, date of birth, and answers to common security questions, the attacker will contact the victim's mobile carrier.
Posing as the legitimate customer, the cybercriminal will claim they lost their phone or SIM card and request that the number be transferred to a new SIM that they control. If the attacker successfully deceives the customer service representative, they can take over the victim's phone number. This allows them to intercept SMS one-time-passwords (OTPs) and gain unauthorized access to the victim's sensitive accounts.
In some cases, cybercriminals work with malicious insiders at mobile carriers to execute SIM swaps, especially when targeting high-profile or high-net-worth individuals. While some of the "insider" requests on cybercrime forums are likely scams, this is a real tactic used in targeted attacks when the potential payout is significant.
The Role of Leaked Phone Numbers
Databases of leaked phone numbers fuel SIM swapping attacks by providing a starting point for cybercriminals to identify targets and flesh out their profiles with additional research. As we saw with the AT&T breach, even a database containing only names and phone numbers is valuable to attackers, as it provides validated phone numbers that can be cross-referenced with other databases containing additional personal details on the same individuals.
While most people are unlikely to be singled out for a SIM swapping attack, those who are high-profile, wealthy, or have access to valuable systems are at greater risk, especially if their phone number is exposed in a breach. Public figures, business leaders, and IT staff are particularly attractive targets.
In addition to enabling SIM swapping, leaked phone numbers can also be exploited in other ways like OTP phishing (smishing). In these attacks, cybercriminals send deceptive SMS messages with links to phishing pages that steal OTPs, allowing attackers to bypass SMS-based two-factor authentication. Phone numbers are also used in impersonation scams and attempts to trick victims' friends, family or colleagues.
Mitigating the Risks of Mobile Threats
To mitigate mobile threats, it’s essential to implement defensive measures. iVerify's Advanced Mobile EDR offers a comprehensive solution by combining threat detection, mobile forensics, and automated response and remediation. This ensures enterprise-level protection against sophisticated threats such as mobile malware, unpatched vulnerabilities, smishing, and credential theft, providing maximum privacy and security.
Learn more and sign up by clicking this link.