SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools

An anonymous reader quotes a report from Motherboard: Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.

This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees to install or activate RDP software, and then remotely reaching into the company's systems to SIM swap individuals. The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." Hackers may also convince employees to provide credentials to a RDP service if they already use it. Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.

You are the weakest link, goodbye

[bobstreo]

Social Engineering people into doing stupid things has worked for decades.

  It's the IT departments job to protect the stupid from themselves...

Re:

[BoogieChile]

How does that work for the majority of these provider's call centre workers, who all have east Indian accents themselves?

Re:

[gweihir]

Naaa, non-stupid people are more expensive, hard to find and, gasp!, may even point out things done wrong by "management"! We cannot have that. Better remain insecure but able to pay big fat bonuses to the least competent employees, i.e. upper management.

Re:

[StikyPad]

Also they're unlikely to be content working a call center job.

Re:You are the weakest link, goodbye

[AxisOfPleasure]

The big quesiton I have is how the hell are these phone support reps at the telecom companies allowed to install anything or change anything on their work PCs? Other than the position of the desktop icons or accessibility settings, average workers should not be allowed to change any system settings, especially things like enabling RDP.

Once again the middle management has screwed up at these companies and they're blaming everyone but themselves. Who's in charge of security at these telcos? Stop blaming opportunist hackers taking advantage of gullible employees, stop the problems by locking down the options on PCs. Oher than changing the accessibility settings on a PC, employees generally do not need to change anything else and especially not system settings like enabling RDP. Use Windows GPOs ( there's even a Wikipedia article about GPOs for god's sake! ) to control this stuff, secure audit trails and if a user has no business changing something then lock it down! Bad management and lack of control so let's blame the bogeymen lurking out there on the big bad internet rather than blame our own internal systems management incompetance.

Overpaid, poorly promoted middle management with the competance of pre-schoolers. As they say, you never fire the incomptenent employees, you simply promote them into middle management.

Re:

[kingbilly]

Whitelisting executable outside of privileged areas is already a good idea. However, that alone probably wouldn't have stopped this problem because if you read the article, in some instances RDP is already enabled since they work from home. The employees are simply being tricked into giving out their RDP credentials.

Scary

[YoMero]

This is so crazy, RDP is not the problem, the lack of any firewall or other kind of security measure that prevents RDP, SSH and other remote connection protocols from outside the so called secure internal network to internal computers. User education is important but the scary part is that these companies that hold all this information are so vulnerable to these kind of attacks. Sim swapping is one issue but I am sure they will eventually exploit a lot of other security vulnerabilities once inside the inter

Re:Scary

[chill]

"Now click 'Request Help'..." bypasses the firewall by establishing the request from the inside out and sets up a reverse shell.

Re:Scary

[TrekkieGod]

Which is why that's disabled where I work.

Re:

[PPH]

by establishing the request from the inside out

Block connections to any machines port number 3389 at the firewall going either way.

Re: Scary

[NagrothAgain]

Where I work, the call center machines are managed by group policies which don't allow any software installation, and there are firewalls on the network which only allow RDP to/from the actual IT department, and nothing can reach the internet regardless.

Re:

[taustin]

There's only on vulnerability being exploited: User stupidity. That's it. When that exists, there is nothing that can protect the company from it. Patch every vulnerability that exists, and the computer will still let the user perform functions it was designed to let the user perform, and some scammer will convince them to do so for malicious purposes.

Re:

[phantomfive]

It doesn't matter, there are things called "reverse shells" so even if you have a firewall, they can still break through.

Re:

[Ostracus]

It still can be made hard. Especially on equipment one owns. And there's the old standby of airgapping.

Re: Scary

[phantomfive]

If you air gap the computer, then the user can't connect to the internet. Sometime you should go to defcon and visit the social engineering village. It's eye opening. People will willingly give hackers their passwords.

Worse than this...

[DigitAl56K]

... companies like Google are still promoting your phone number either as a 2-factor via SMS or for account recovery.

You actually get warnings from Google about your security if you don't have a phone number set up for account recover, even in the face of years of SIM hijacking attacks.

Re:

[LesFerg]

Heey I will have you know my shoe size is in the double digits.

Re:

[hraponssi]

European shoe size or US shoe size?

Re:

[Mashiki]

Canadian. Though this isn't anything special, since we use triple digit shoe sizes.

Re:

[bill_mcgonigle]

> Canadian. Though this isn't anything special, since we use triple digit shoe sizes.

Those are the moose, Mike. We're talking bipedal Canadians, eh?

Re:

[bill_mcgonigle]

> European shoe size or US shoe size?

ohhhhhh, that's why Europeans do better on standardized tests.

Re:

[AHuxley]

Use the same smartphone and network all day to "trust" the "security" 2-factor via "SMS or for account recovery" is fun when the malware can collect on it all.
Make sure the internet account on the smartphone never knows about the one special secret SMS?
Make sure the SMS use never got seen by the daily internet use on the same smartphone?

That would need some really good OS code work to keep the phone part away from the internet smart phone part... on a free ad collecting OS...
Now its telco and other

Re:

[rufey]

I have mod points but posting instead.....

I setup 2FA for a few Google accounts over the past week. What I wanted to do was use TOTP with Google Authenticator (requires an app and not tied to a SIM and/or phone number). However, you don't even see that option when setting up 2FA until you have selected one of the other two methods that both require your cell phone tied to your phone number: Google Prompt and SMS. Only after you enable one of those two do you even see TOTP as an option, and then only as a

Re:

[rufey]

An addendum: Google Prompt isn't tied to a SIM and/or a phone number - just a cell phone for which you are logged into Google. Its Saturday and I try to not think about IT on the weekends... So Google Prompt should be safe from SIM swapping. But the SMS method definitely is vulnerable.

I still prefer TOTP, which doesn't even require the cell phone be logged into anything - doesn't require SMS, nor a push notification from the site you are trying to log into.

Re:

[bill_mcgonigle]

> You actually get warnings from Google about your security if you don't have a phone number set up for account recover, even in the face of years of SIM hijacking attacks.

The better to surveil you with, my dear.

You don't actually think they're stupid and ignorant, do you?

Not really "stupid users"

[joe_frisch]

Its easy to blame "stupid users", but very few people understand security because its extremely complex and standards vary tremendously. I recently received a request from a company for a whole load of personally identifiable information in order to process my account for a NASA proposal. I *still* don't know for sure if they are legit, nor could my IT department tell me for sure. The company claims that they do user account verification for NASA.

Many organizations use outside companies for various IT and other services, so even determining whether a web-site is inside your organization's network is not sufficient.

Where I work (a large government lab) we all had to take cyber security training. An email told us to go to the website of a company that provides training and enter our internal site ID and password. This turned out to actually be what we were supposed to do (!!!!), despite looking exactly like a hack.

The great variability in security procedures and systems between different organizations makes it very difficult for even intelligent careful employees to avoid being tricked.

Y'all did remember to disable IPMI right....

Re:Not really "stupid users"

[raymorris]

> Where I work (a large government lab) we all had to take cyber security training. An email told us to go to the website of a company that provides training and enter our internal site ID and password. This turned out to actually be what we were supposed to do (!!!!), despite looking exactly like a hack.

I worked at a SECURITY company which did that - probably the same vendor. I had some comments about that.

Re:

[bill_mcgonigle]

> This turned out to actually be what we were supposed to do (!!!!), despite looking exactly like a hack

I would use that to make a list of their people who need an extra day of training.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[joe_frisch]

Agreed. IPMI is the only one I know about, and its seem insanely complex for legitimate uses. So complex that the sites I've worked at (some with thousands of computers) still don't find it worth the effort to use to wake computers for update, but instead (at a huge power cost) require users to leave their computers on 24/7.

We use it a bit on hardware we build and it seems to have far more capabilities - and resulting complexity than users need. Of course its more likely just bloat rather than some sort

SHM...

[Anonymous Coward]

... they're tricking telecom employees to install or activate RDP software ...

Really??? Am I the only one that thinks this is bizarre???

Re:

[account_deleted]

Comment removed based on user account deletion

Sounds legit

[Anonymous Coward]

Sounds legit. Lol. I really doubt a telecom corporate would have rdp traffic wan to lan allowed on their firewall at all.