U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SIM Hijacking – T-Mobile customers were victims an info disclosure exploit

Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking highlighted the risks for the end users and their exposure to this illegal practice. In 2017, hackers stole some personal information belonging to T-Mobile customers by exploiting a well-known vulnerability. A video tutorial titled ‘T-Mobile Info Disclosure exploit’ showing how to use the flaw was also published […]

SIM SWAPPING

Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking highlighted the risks for the end users and their exposure to this illegal practice.

In 2017, hackers stole some personal information belonging to T-Mobile customers by exploiting a well-known vulnerability.

A video tutorial titled ‘T-Mobile Info Disclosure exploit’ showing how to use the flaw was also published on the Internet.

Exploiting the vulnerability it is possible to access certain customers’ data, including email addresses, billing account numbers, and the phone’s IMSI numbers.

Such kind of info could be used by hackers in social engineering attack against T-Mobile’s customer support employees with the intent of stealing the victim’s phone number.

SIM hijacking

The attackers can use them to impersonate the target customer, crooks call the T-Mobile customer care posing as the victim with the intent to trick the operator to issue a new SIM card for the victim’s number.

The crooks activate the new SIM and take control of your phone number, then they can use is to steal the victim’s identity. This is the beginning of the nightmare for the victims that suddenly lose their service.

Many web service leverage on user’s phone number to reset their password, this means that the attackers once activated the new SIM can use it to carry on password reset procedures and take over the victims’ accounts on many web services.

Lorenzo reported many stories of SIM hijacking victims, this is the story of the T-Mobile customer Fanis Poulinakis

“Today I lived a nightmare.

My phone all of the sudden stopped working – I tried to contact T-Mobile through twitter—no phone right?—It took them an hour to let me know that someone must have transferred my number to another carrier and they asked me to call my bank to let them know.

I immediately log in on my bank account and voila! $,2000 were gone.

I’ve spent the whole day between T-Mobile, Chase Bank and trying to understand what happened. What a nightmare.

[…] It is unbelievable—and i think it’s also a negligence from T-Mobile’s side that they don’t make it mandatory to have a password connected to the phone number rather than the social number. […] It’s the first time I’m realizing how vulnerable our information is.”

SIM Hijacking could be a true nightmare for the victims, let me suggest reading the other witnesses reported by Lorenzo in his blog post.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SIM Hijacking, T-Mobile)

[adrotate banner=”5″]

[adrotate banner=”13″]