Adversaries may take over a victim’s phone number by having the mobile carrier transfer (swap) it to an adversary-controlled SIM card and mobile device.[1][2] Calls and SMS messages addressed to that number, including SMS-delivered one-time codes, are then delivered to the adversary instead of the victim.
The typical process is as follows:
Adversaries may then use the intercepted SMS messages to satisfy SMS-based authentication on the victim’s online accounts. In particular, adversaries may log into banking and/or cryptocurrency accounts protected only by SMS codes and transfer funds to adversary-controlled wallets.
ID | Name | Description |
---|---|---|
G1004 | LAPSUS$ | LAPSUS$ has used SIM swapping to take over victims’ phone numbers.[3][4] |
G1015 | Scattered Spider | Scattered Spider has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.[5] |
ID | Mitigation | Description |
---|---|---|
M1012 | Enterprise Policy | Enterprises should monitor for SIM card changes on managed devices (for example a new ICCID, or a device that stops reporting an active subscriber) through the Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platform. |
M1011 | User Guidance | Users should be familiar with social engineering tactics that solicit Personally Identifiable Information (PII), since that information is what an adversary uses to impersonate them to the carrier. Where possible, users should rely on hardware tokens, biometrics, or other non-SMS authentication mechanisms rather than SMS codes. Finally, users should enable the SIM swapping protections offered by the mobile carrier, such as a PIN or password that must be supplied to authorize any change to the account. |
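As an added example of the M1012 monitoring described above (this is not ATT&CK’s or any MDM vendor’s code), the script below replays constructed MDM inventory reports and flags the SIM changes an EMM/MDM platform can observe. When a number is swapped or ported to an adversary’s SIM, the carrier deactivates the SIM in the victim’s device, so the managed device stops reporting a subscriber; a replacement SIM that keeps the same number is the other case worth escalating. The record fields (device_id, iccid, imsi, phone_number, reported_at) are an assumed, simplified form of an inventory export; real field names vary by product, and all sample values are made up.

```python
"""Flag SIM changes in successive EMM/MDM device inventory reports.

Added example for this page, not ATT&CK or any MDM vendor's code. The
record schema below is assumed; adapt the field names to your MDM export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SimRecord:
    device_id: str
    reported_at: str             # ISO-8601 check-in time (constructed for the example)
    iccid: Optional[str]         # SIM serial; None means no active SIM was reported
    imsi: Optional[str]          # subscriber identity on the SIM; None when no SIM
    phone_number: Optional[str]  # MSISDN the OS reports; None when no SIM


@dataclass(frozen=True)
class Alert:
    device_id: str
    severity: str                # "high" or "medium"
    reason: str


def classify_change(old: SimRecord, new: SimRecord) -> Optional[Alert]:
    """Compare two consecutive reports for one device; return an Alert or None.

    High severity: an active SIM disappears (consistent with the number being
    moved to another SIM), or a different SIM appears that keeps the same
    number (the carrier issued a replacement; confirm the user asked for it).
    Medium severity: a SIM appears on a device that had none, or SIM and
    number both change (the usual legitimate case: new carrier, travel SIM).
    """
    if old.device_id != new.device_id:
        raise ValueError("records belong to different devices")
    if old.iccid == new.iccid and old.imsi == new.imsi:
        return None  # same SIM as last check-in, nothing to flag
    if old.iccid is not None and new.iccid is None:
        return Alert(new.device_id, "high",
                     f"active SIM {old.iccid} for {old.phone_number} no longer reported; "
                     "consistent with the number being moved to another SIM")
    if old.iccid is None:
        return Alert(new.device_id, "medium",
                     f"SIM {new.iccid} ({new.phone_number}) installed on a device that had none")
    if old.phone_number == new.phone_number:
        return Alert(new.device_id, "high",
                     f"replacement SIM {new.iccid} keeps number {new.phone_number}; "
                     "confirm the user requested it from the carrier")
    return Alert(new.device_id, "medium",
                 f"SIM and number changed ({old.phone_number} -> {new.phone_number}); confirm with user")


def scan_inventory(reports: List[SimRecord]) -> List[Alert]:
    """Replay reports in time order, using each device's previous report as its baseline."""
    baseline: Dict[str, SimRecord] = {}
    alerts: List[Alert] = []
    for rec in sorted(reports, key=lambda r: (r.reported_at, r.device_id)):
        prev = baseline.get(rec.device_id)
        if prev is not None:
            alert = classify_change(prev, rec)
            if alert is not None:
                alerts.append(alert)
        baseline[rec.device_id] = rec
    return alerts


# Constructed sample inventory (all values made up): D1 keeps its SIM, D2 stops
# reporting a SIM between check-ins, D3 gets a replacement SIM with the same number.
SAMPLE_REPORTS = [
    SimRecord("D1", "2024-05-01T08:00:00Z", "8944000000000000001", "234150000000001", "+447700900001"),
    SimRecord("D2", "2024-05-01T08:00:00Z", "8944000000000000002", "234150000000002", "+447700900002"),
    SimRecord("D3", "2024-05-01T08:00:00Z", "8944000000000000003", "234150000000003", "+447700900003"),
    SimRecord("D1", "2024-05-01T20:00:00Z", "8944000000000000001", "234150000000001", "+447700900001"),
    SimRecord("D2", "2024-05-01T20:00:00Z", None, None, None),
    SimRecord("D3", "2024-05-01T20:00:00Z", "8944000000000000099", "234150000000099", "+447700900003"),
]

if __name__ == "__main__":
    for a in scan_inventory(SAMPLE_REPORTS):
        print(f"[{a.severity.upper()}] {a.device_id}: {a.reason}")
```

Run against the sample data this raises two high-severity alerts (D2 and D3) and nothing for D1. In practice, feed it two consecutive inventory exports rather than the embedded list, and pair a high-severity alert with a call to the user over a channel other than the affected number.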
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0042 | User Interface | System Notifications | The OS may show a notification to the user that the SIM card has been transferred to another device. Users should report such a notification, or an unexpected loss of cellular service, promptly. |