Next time your phone rings and the caller ID says it’s your bank, telecom company or employer’s IT department, it might be someone else.
That’s because little-discussed types of SIM cards offer the ability to spoof any number, can be encrypted and in some cases allows the user’s voice to be altered and cloaked. Such SIM cards are favored by criminals, and they can make social engineering attacks like those that struck Twitter last month easier to execute.
A SIM (Subscriber Identity Module) card is essentially what stores information about a phone’s user, including country, service provider and a unique idea that matches it to its owner.
While spoofing a phone number is an old trick, these SIMs offer a streamlined way to do it. They underscore the wide array of vulnerabilities companies and individuals face when trying to protect against social engineering attacks.
Twitter was the victim of a phone spear-phishing attack, in which a person posing as a company insider (often supposedly from the IT department) calls a real employee to extract information. That attack, which led to the takeover of 130 accounts, including high-profile ones such as Elon Musk and Kanye West, to scam their followers out of $120,000 worth of bitcoin, has brought increased attention to the practice. Tools like these SIMs are one way for attackers to try and stay ahead of suspecting companies.
“Other companies might be a softer target for these same techniques,” said Allison Nixon, chief research officer at Unit221B, a cybersecurity firm. “And they’re just not going to be prepared in the same way that battle-scarred telecommunications companies have been.”
Indeed, since the Twitter hack, there has reportedly been a rise in spear-phishing attacks across companies, individuals, and cryptocurrency exchanges.
The cards are known as White SIMs, owing to their color and lack of branding.
“White SIMs make it extremely easy to conduct outgoing spoofed calls,” said Hartej Sawhney, Principal at cybersecurity agency Zokyo. “They are illegal basically everywhere.”
Given the wide array of services SIMs such as these offer, they make social engineering just a little easier, and sometimes that’s all an attacker needs. SIMS can generally be bought on the Dark Web or related sites, using bitcoin.
Social engineering often relies on an attacker tricking someone into doing something he or she shouldn’t. It can look as simple as a phishing attack, but can also involve more elaborate means such as SIM swapping, voice spoofing or extensive phone conversations, all to gain access to someone’s information or data.
For years the cryptocurrency community has been the target of SIM swaps, a subset of social engineering. It involves an attacker fooling a telecommunications company employee into porting the victim’s number to the attacker’s device, which lets them bypass two-factor authentication protections to an exchange account or social media profile.
“Spoof calling is a flaw at the protocol layer and is not something that can be fixed overnight. It requires essentially rewriting the internet,” said Sawhney. “What’s interesting to note is that 99% of telecom employees have access to all customer accounts, meaning you only need to social engineer one of them.”
These SIMs present challenges for those working to protect against social engineering, including banks and other financial institutions.
A business like any other
Social engineering attackers pick their targets by weighing the money, time and effort required to dupe them against the payoff, said Paul Walsh, CEO of the cybersecurity company MetaCert.
“It’s easier, cheaper and faster to compromise a person through social engineering than it is to try and take advantage of a computer or computer network,” said Walsh. “So any tools or processes like these that make that job quicker and easier for them is obviously good, in their eyes.”
The ability to mimic a specific phone number is what makes these SIMs dangerous. For example, spam callers often spoof their number to make it seem they’re calling from a number in the recipient’s local area. But these SIM cards allow an attacker to spoof a specific number, making it more likely someone will answer the phone.
A person with a number-spoofing SIM could easily imitate the number of Bank of America, for example, said Walsh, making it more likely people would give out sensitive personal information. If the number comes up as Bank of America, why would you have reason to immediately think otherwise?
Walsh also said a lot of systems will automatically detect the number you’re calling from, and use that as a piece of information verifying your identity.
“So you call your bank and if you can confirm with your phone number and maybe one other piece of information, you gain access to all kinds of information like your bank balance and last transaction,” said Walsh. “That information alone might be useful in the context of social engineering by calling the bank without additional information you need to target someone, and acquiring it through the bank.”
Voice-mimicking tech on the way
What concerns Haseeb Awan, CEO of Efani, a company that specifically works to protect against SIM hacks, is the way these SIMs might be used with other tech, such as voice spoofing. Technology that can be used to recreate someone’s voice is readily available online, and people’s voices can be reconstructed from just a few snippets of speech.
“If you’re able to replicate anyone’s voice, and couple that with their phone number, that’s what starts to worry me the most,” said Awan. “A lot of companies are now using your voice as an authentication method, so this is where the risk of fraud is going to get really high.”
And while most people might think they’d be able to tell if someone’s voice was altered, or sounded off, Awan, who was born in Pakistan but lives in the U.S., is quick to point out the tech has gotten so good he’s seen it able to replicate his accent. In fact, one study found our brains fare poorly at differentiating a fake voice from a real one, even when we’re told it is going to be fake.
Unlike the near-universally illegal White SIMs, encrypted anonymous SIMs that also alter your voice in real time can be easily purchased in the open. For example, the U.K. company Secure Sims, which did not respond to a request for comment by press time, offers one for sale that disables your location and encrypts data, among a variety of other features.
It’s listed for sale for £600-£1,000 ($794-$1,322).