Kroll, a prominent security consulting firm, reported a significant data breach resulting from a SIM-swapping attack targeting one of its employees. The breach has affected multiple cryptocurrency platforms that rely on Kroll’s services during their ongoing bankruptcy proceedings. Additionally, there are concerns that the stolen user information may already be exploited in phishing attacks.
Two cryptocurrency companies, BlockFi and FTX, confirmed data breaches this week as a result of the SIM-swapping attack against the Kroll employee. BlockFi and FTX both use Kroll for their bankruptcy restructuring. The attack occurred on August 19, 2023, when someone targeted a T-Mobile phone number belonging to the Kroll employee in a highly sophisticated SIM-swapping attack.
In a statement, Kroll revealed that T-Mobile transferred the employee’s phone number to the threat actor’s phone without any authorization or contact with Kroll or its employees. This allowed the threat actor to gain access to certain files containing personal information of bankruptcy claimants from BlockFi, FTX, and Genesis.
SIM-swapping attacks involve stealing someone’s phone number to gain unauthorized access to their entire digital life, including financial accounts, email, and social media. This is possible because many websites and online services use SMS text messages for password resets and multi-factor authentication. Cybercriminals can hijack these accounts by obtaining control over the victim’s phone number.
Groups specializing in SIM-swapping often employ tactics such as impersonating IT department representatives and tricking employees into visiting phishing websites that mimic legitimate login pages. These groups have targeted T-Mobile employees in numerous instances, which lets the groups resell a service that diverts text messages and phone calls from any T-Mobile user to another device.
KrebsOnSecurity previously reported on SIM-swapping attacks against T-Mobile employees in more than 100 separate incidents during the second half of 2022. The cost to SIM swap a T-Mobile phone number averaged around $1,500.
The consequences of the SIM-swap attack against the Kroll employee extend beyond the initial breach. Individuals with financial ties to BlockFi, FTX, or Genesis now face an increased risk of becoming victims of SIM-swapping and phishing attacks themselves. There have already been reports of phishing emails targeting FTX users, indicating that fraudsters are exploiting the stolen data.
Kroll is a renowned provider of cybersecurity services and is often called upon to investigate data breaches. It also offers identity protection services to companies that have experienced a breach. It is expected that affected customers from BlockFi, FTX, and Genesis will receive free credit monitoring services as a result of the T-Mobile SIM swap.
The incident serves as a reminder of the importance of reducing reliance on mobile phone companies for security. Users are advised to minimize the use of phone numbers for account recovery and to explore more secure alternatives such as security keys or mobile authentication apps. Websites like 2fa.directory can help analyze and improve account security practices.
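To act on that advice, an account inventory can be checked for takeover paths that need nothing but the phone number, including accounts that fall indirectly because their password reset goes to a mailbox that itself recovers by SMS. The following is an added example, not part of the original report; the account names, the inventory format and the assumption that a password reset does not bypass the login second factor are all constructed for illustration.

```python
# Constructed inventory (hypothetical accounts): how each account's password
# can be reset and which second factors it accepts at login.
ACCOUNTS = {
    "exchange": {"reset": ["email:mail"],    "mfa": ["sms", "totp"]},
    "mail":     {"reset": ["sms"],           "mfa": ["sms"]},
    "bank":     {"reset": ["email:mail"],    "mfa": ["security_key"]},
    "social":   {"reset": ["email:mail"],    "mfa": []},
    "vault":    {"reset": ["recovery_code"], "mfa": ["totp"]},
}

# Factors that are delivered to whoever currently controls the phone number.
PHONE_FACTORS = {"sms", "voice"}


def phone_only_takeovers(accounts):
    """Return {account: reset_method} for every account that can be taken
    over by someone who controls only the owner's phone number.

    Assumption: a reset changes the password only, so one accepted second
    factor must still be satisfied afterwards (or none is required).
    """
    compromised = {}
    changed = True
    while changed:  # iterate to a fixed point so chained resets are found
        changed = False
        for name, cfg in accounts.items():
            if name in compromised:
                continue
            # The weakest accepted factor decides: SMS next to TOTP is still SMS.
            mfa_ok = not cfg["mfa"] or any(f in PHONE_FACTORS for f in cfg["mfa"])
            if not mfa_ok:
                continue
            for method in cfg["reset"]:
                via_phone = method in PHONE_FACTORS
                via_mail = method.startswith("email:") and method[6:] in compromised
                if via_phone or via_mail:
                    compromised[name] = method
                    changed = True
                    break
    return compromised


if __name__ == "__main__":
    for account, method in sorted(phone_only_takeovers(ACCOUNTS).items()):
        print(f"{account}: exposed via reset method '{method}'")
```

In this sample, "exchange" stays exposed even though an authenticator app is enrolled, because SMS is still accepted as a second factor, while "bank" and "vault" hold because no phone-delivered factor or reset path remains.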
Despite the potential financial losses suffered by customers due to SIM-swapping attacks facilitated by mobile providers, it is challenging to hold them accountable legally. Earlier this year, a lawsuit against AT&T related to a 2017 SIM-swapping attack was dismissed by a California judge. The attack resulted in thieves stealing over $24 million worth of cryptocurrency.
In conclusion, the SIM-swapping attack on the Kroll employee has exposed sensitive user data from cryptocurrency platforms going through bankruptcy proceedings. The stolen information is already being used in phishing attacks, potentially putting affected individuals at further risk. This incident highlights the need for individuals and businesses to adopt more secure authentication methods and reduce reliance on mobile phone companies for security purposes.

