SIM swappers have adapted their attacks to steal a target’s phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
Embedded Subscriber Identity Modules (eSIMs) are digital cards stored on the chip of the mobile device and serve the same role and purpose as a physical SIM card but can be remotely reprogrammed and provisioned, deactivated, swapped, deleted.
A user can typically add an eSIM to a device that supports the functionality by scanning a QR code from the service provider.
The technology is becoming increasingly popular among smartphone makers because eSIMs eliminate the need for a SIM card slot and can offer cellular connectivity on small wearables.
Russian cybersecurity firm F.A.C.C.T. reports that SIM swappers in the country and worldwide have been taking advantage of this shift to eSIMs to hijack phone numbers and bypass protections to access bank accounts.
“Since the fall of 2023, analysts from F.A.C.C.T.’s Fraud Protection have recorded more than a hundred attempts to access the personal accounts of clients in online services at just one financial organization,” reads the press release.
“To steal access to a mobile number, criminals use the function of replacing or restoring a digital SIM card: transferring the phone from the victim’s ‘sim card’ to their own device with an eSIM.”
Previously, SIM swappers relied on social engineering or worked with insiders at mobile carrier services to help them port a target’s number. However, as companies implemented more protections to thwart these takeovers, cybercriminals turned their attention to emerging opportunities in new technologies.
Now, attackers breach a user’s mobile account with stolen, brute-forced, or leaked credentials and initiate porting the victim’s number to another device on their own.
They can do this by generating a QR code through the hijacked mobile account that can be used to activate a new eSIM. They then scan it with their device, essentially hijacking the number.