
Dark Web Recruitment of Malicious Insiders: Originating within the Building


There has been a rise in underground posts discussing insiders who can perform SIM swaps, according to recent reports. These posts, often found on the popular Cybersixgill Telegram channel, reveal that threat actors are actively seeking telecom insiders, also known as “innys,” from major organizations such as T-Mobile, AT&T, Metro, and Verizon. These insiders are sought after for various reasons, including SIM swapping, obtaining credentials, customer data, and general information.

In some cases, these threat actors are willing to pay large sums of money for the assistance of insiders. For example, one actor offered $1,200 for a SIM swap, while another offered $2,000 per swap and even provided proof of their previous successful collaborations with an insider. This highlights the financial motivation behind these activities and the potential risks posed by insiders who are lured by such offers.

The scope of these underground activities extends beyond SIM swapping. Threat actors also seek telecom insiders for customer data, sometimes targeting specific companies or regions: Vodafone insiders in one case, and insiders in Russia, Ukraine, Kazakhstan, Belarus, and Uzbekistan in another. There is also evidence of actors seeking employees of Claro Colombia to answer their questions. These requests for insiders’ assistance highlight the need for organizations to protect sensitive customer information and be vigilant against potential insider threats.

Interestingly, it is not only threat actors who actively seek insiders, but insiders themselves sometimes reach out to offer their services. In one case, a self-described “disgruntled telecom employee” offered to sell information regarding eSIMs, a technology that enables porting numbers with minimal effort. This highlights the varied motivations and opportunities that can drive insiders to engage in illicit activities.

In addition to the telecom industry, threat actors also target insiders in the retail sector. One common scheme involves refund fraud, where insiders assist actors in claiming undeserved refunds for products. These actors may seek insiders responsible for returns at major retailers like Walmart, offering significant sums of money for their assistance. Other actors target insiders at Amazon, particularly those in positions of authority who can authorize returns or unblock suspended accounts.

Shipping and logistics companies are also susceptible to insider threats. Threat actors often seek insider assistance to perform fraudulent tracking scans, which are then used to deceive e-commerce stores and obtain refunds. This requires the collaboration of insiders within shipping companies who can scan shipping labels and confirm that the items are in transit. These fraudulent scans enable actors to claim refunds without actually sending the items, resulting in substantial financial losses for retailers.

Social media companies and financial institutions are not immune to insider threats either. Threat actors target insiders at social media companies to ban or un-ban accounts, as well as to access customer data. They may specifically seek employees at Instagram, Twitter (now known as X), Snapchat, and other major platforms. These insiders are often sought after for their ability to authorize or verify accounts and provide personal information about users.

Insiders at banks and other financial institutions are also targeted for their ability to execute large-scale fraudulent schemes. Threat actors seek them to approve payments and money transfers, enabling them to move and launder money. These actors may claim to have insiders at banks such as Metro, Santander, Barclays, and Bank of America who can help facilitate these activities. Insider assistance in the form of loading money into accounts controlled by the actors or converting money into cryptocurrency is also sought after.

The severity of insider threats is further highlighted by instances where threat actors solicit insiders with access to classified information or government databases. These actors seek insiders who can provide citizen data from national databases or classified information from entities such as US military contractors. While posts soliciting such insiders are rare, they nonetheless demonstrate the potential risks of insiders leaking sensitive information.

Defending against insider threats is crucial for organizations across various industries. While most employees are not malicious and can be trusted with access to data and systems, there are always potential vulnerabilities. Organizations must implement robust security measures, including employee training, strong access controls, and monitoring mechanisms to detect and prevent insider threats. Regular auditing and risk assessments can help identify and mitigate potential risks posed by insiders. Additionally, organizations should establish clear policies and procedures for reporting and addressing suspected insider threats to maintain the integrity and security of their systems and data.
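As an added illustration of the monitoring the article recommends (this is example code written for this page, not from the article or from any vendor), the following detector runs over a constructed audit log of the privileged actions the article describes (SIM swaps, refund approvals, tracking scans) and flags an employee's action when it has no linked customer ticket, happens outside business hours, or exceeds a per-day volume. The log format, employee IDs, thresholds and business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): one privileged action per line.
# A ticket of "-" means the action was not tied to any customer request.
AUDIT_LOG = """\
2024-05-01T09:12:00 emp=e101 action=SIM_SWAP account=A1 ticket=T-4410
2024-05-01T09:40:00 emp=e101 action=SIM_SWAP account=A2 ticket=T-4411
2024-05-01T23:55:00 emp=e202 action=SIM_SWAP account=A3 ticket=-
2024-05-02T00:10:00 emp=e202 action=SIM_SWAP account=A4 ticket=-
2024-05-02T00:25:00 emp=e202 action=SIM_SWAP account=A5 ticket=-
2024-05-02T00:31:00 emp=e202 action=SIM_SWAP account=A6 ticket=-
2024-05-02T10:05:00 emp=e303 action=REFUND_APPROVE account=A7 ticket=T-4412
2024-05-02T10:09:00 emp=e303 action=REFUND_APPROVE account=A8 ticket=-
"""

# Actions the article names as insider-abusable; thresholds are assumed values.
SENSITIVE_ACTIONS = {"SIM_SWAP", "REFUND_APPROVE", "TRACKING_SCAN"}
DAILY_LIMIT = 2            # more than this many sensitive actions per employee-day is unusual
BUSINESS_HOURS = range(8, 20)  # 08:00-19:59 local time

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_suspicious(log, daily_limit=DAILY_LIMIT):
    """Return (employee, account, reasons) for each sensitive action that trips a rule."""
    per_day = defaultdict(int)
    findings = []
    for line in log.splitlines():
        r = parse(line)
        if r["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if r["ticket"] == "-":
            reasons.append("no_ticket")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        key = (r["emp"], r["ts"].date())
        per_day[key] += 1
        if per_day[key] > daily_limit:
            reasons.append("volume")
        if reasons:
            findings.append((r["emp"], r["account"], reasons))
    return findings

if __name__ == "__main__":
    for emp, account, reasons in find_suspicious(AUDIT_LOG):
        print(f"{emp} on {account}: {', '.join(reasons)}")
```

In production the ticket linkage would come from the CRM and the thresholds from each role's historical baseline; the point is that the same three signals apply whether the privileged action is a SIM change, a refund approval or a carrier scan.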
