Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted.
This is an escalation in the world of SIM swapping, in which hackers take over a target’s phone number so they can then access email, social media, or cryptocurrency accounts. Previously, these hackers have bribed telecom employees to perform SIM swaps or tricked workers to do so by impersonating legitimate customers over the phone or in person. Now, hackers are breaking into telecom companies, albeit crudely, to do the SIM swapping themselves.
The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It’s commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.
This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they’re tricking telecom employees to install or activate RDP software, and then remotely reaching into the company’s systems to SIM swap individuals.
The process starts with convincing an employee in a telecom company’s customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, “and they believe it.” Hackers may also convince employees to provide credentials to a RDP service if they already use it.
Certain employees inside telecom companies have access to tools with the capability to ‘port’ someone’s phone number from one SIM to another. In the case of SIM swapping, this involves moving a victim’s number to a SIM card controlled by the hacker; with this in place, the hacker can then receive a victim’s two-factor authentication codes or password reset prompts via text message. These include T-Mobile’s tool dubbed QuickView; AT&T’s is called Opus.
The SIM swapper said one RDP tool used is Splashtop, which says on its website the product is designed to help “remotely support clients’ computers and servers.”