In what looks to be a co-ordinated campaign, a number of executives in the fast-moving cryptocurrency sector suffered a major mobile phone breach last week, in some cases leading to significant loss of money.
The targets, many of them sitting on a hoard of virtual currency like Bitcoin and Ethereum, had their mobile phones remotely hijacked by a technique called SIM-swapping – a kind of account takeover (ATO) attack where a cybercriminal uses social engineering techniques to obtain a person’s mobile phone and account information.
They then fraudulently transfer the victim’s phone number to their own SIM card, and use it to receive two-factor authentication codes that enable them to change passwords and take control of protected accounts, or in this case, cryptocurrency wallets.
One crypto executive who was successfully breached admitted to losing $100,000 in a sweep of his Coinbase digital wallet account.
Appropriating your phone’s unique identifiers
SIM-swapping (sometimes called SIM-jacking) attacks have been with us for at least five years and have typically been used against the cryptocurrency community. They died down when law enforcement started successfully tracking and arresting hackers behind the campaigns.
The cybercriminal gets hold of the target’s information by a number of methods.
- Sometimes they bribe an employee at a mobile kiosk to help with the crime.
- In other cases a current and/or former employee of the mobile phone company – an insider with privileged access – gets hold of the customer data.
- There have also been cases where a mobile shop employee will trick associates at other locations into swapping a target’s current SIM card with a new one.
As effective as it is for enabling identity theft, SIM-jacking is risky for cybercriminals. It leaves behind a breadcrumb trail of detailed logging information on the mobile provider’s network that investigators can use to identify the perpetrator(s).
New economy, old targets
Senior executives find themselves on cybercriminals’ radar because they have direct access to the most valuable commercial information in the organisation.
In the sometimes murky world of crypto, executives also sit on stores of personal cash – digital money which can be rapidly accessed and stolen with the right end user credentials.
Whether they’re running a successful tech startup or sat behind a mahogany desk, people at the top of the business ladder are as vulnerable as anyone else to social engineering attempts to access login credentials.
Along with suborning corrupt insiders, cybercriminals will also conduct a thorough investigation into the target’s personal and professional life, including in-depth monitoring of the company website and associated social media accounts of employees and their extended networks.
Mobile devices are obviously a keen area of interest for hackers, as highlighted in last year’s iPass Mobile Security Report.
As they rank amongst an organisation’s most mobile employees, it’s no surprise that 40 per cent of CISOs say that senior leadership comprises their biggest cyber security risk.
Protecting the C-Suite
Not even the world’s richest man is immune to a mobile phone breach. Amazon CEO Jeff Bezos had his phone hacked this past April. Thieves broke in and stole highly personal photos, then shared them online.
While celebs may have the resources to avoid having their phone security cracked, the security protections are much the same for everyone. So are the vulnerabilities.
Better training is key to protecting senior leadership and securing a company’s information assets, by making staff at every level in the hierarchy aware of how their own actions can open the door to breach.
The Ponemon Institute says security breaches caused by insiders can cost a business as much as £6.9 million per year.
With the cyber threat growing in both scale and complexity, it’s no surprise that more and more organisations are looking to create a culture of cybersecurity at work.
Having C-Suite executives promote and take part in security training – and lead by exhibiting the behaviours of cyber awareness – has to be part of that effort.
Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.