The Business of Fraud: SIM Swapping

August 25, 2021 • Insikt Group®

Insikt Group

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future analyzed current data from the Recorded Future® Platform, dark web sources, and open-source intelligence (OSINT) from June 2020 to June 2021 to review the current landscape of SIM swapping fraud. This report expands upon findings addressed in the first report of the Insikt Group’s Fraud Series, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized.

Executive Summary

SIM swapping involves deceiving a mobile provider (usually through social engineering) into transferring a victim’s phone number to a SIM card controlled by a cybercriminal. Once the SIM card has been activated, a cybercriminal controls the phone number and can reset victim passwords and take control of social media, online banking, and cryptocurrency accounts. In some instances, even security measures such as two-factor authentication (2FA) can be bypassed. Among the primary targets for cybercriminals are organizations and services in telecommunications, banking, financial, cryptocurrency, and information technology (IT). There is a stable demand for SIM swapping services and how-to guides, predominantly on English- and Russian-language dark web marketplaces and forums. We look at those services in this report and identify several of the most active threat actors involved in fraud related to SIM swapping.

Key Findings

  • Threat actors advertise and request SIM swapping services mostly on English- and Russian-language dark web forums. Cybercriminals primarily advertise and sell SIM swapping tutorials and how-to guides on dark web marketplaces. 
  • Typical prices for SIM swapping how-to guides and tutorials range between $40 and $200; however, in rare cases, they can reach up to several thousand US dollars. 
  • Among the primary TTPs used to perform SIM swapping fraud are social engineering, phishing, insider threats, and purchasing compromised personally identifiable information (PII) data on dark web forums, marketplaces, and shops. 
  • We believe that insider threats, in which threat actors receive assistance from an employee of an organization that can assign the phone number to a different SIM, are currently one of the most popular and successful ways to perform SIM swapping attacks.
  • How-to guides on SIM swapping, for sale or freely available, outline some of the most popular TTPs for SIM swapping attacks. They show how to stay anonymous, outline how to gather intelligence on the carrier to conduct a social engineering attack (including test calls), and give advice on purchasing compromised PII on the targeted victim and acquiring SIM cards.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

New call-to-action