Published on

How Do People Get SIM Swapping Tools?

Authors
  • avatar
    Name
    n0 Sec
    Twitter

SIM Swap Tools

SIM swaps have been a heavily covered topic on this blog yet I haven't covered one of the most common methods of conducting SIM swaps. n0sec has previously covered SIM swapping via livechat (which requires a fair bit to conduct), SIM swapping via insider, and SIM swapping via 'remo snatching', which is a form of obtaining tools, just fairly unusual. SIM swapping via tools is a very common method however requires the most upfront work out of any of the covered methods.

SIM swapping via tools is typically conducted via gaining remote access to a carrier's tools to work on customer's accounts. The companies use these tools for storefront employees to manage customer's devices, such as adding new lines onto a customer's plan or managing a customer's phone service plan. These tools are typically on mobile tablets, but not all work done on accounts is done on the storefront end of a store, there are computers and laptops kept behind counters and in backrooms of carrier stores which have access to even more customer data than the storefront tablets. The goal of fraudsters is to gain remote access to these computers, which are far too hard to steal physically, but not too hard to fool an employee into installing trojan software onto the computer.

RAT / Trojan

The fraudster will need a Remote Access Tool (RAT) to manage connections to victim carriers. These RAT softwares have been around for years and are a strong breed of malware with broad cabalities. The strongest capabilities of malware in the market is arguably the hVNC feature, hidden virtual network computing, which allows a fraudster to remotely connect to a victim's machine. This allows fraudsters to control the software used to manage customer's accounts through the carrier's computer directly, opposed to having to try to export the software and reverse engineer it. The reason why the fraudster cannot directly just export the software from the infected machine and use it is because the software is designed to only run on authorized machine, and it's hard to fool the software into believing that the software is running on an authorized machine. Some of the common authorization mechanics include IP whitelisting and VPN networks authorization such as Pulse and Citrix. While these restrictions in some cases can be bypassed, it is much easier for a fraudster to just use hVNC to directly connct to a victim machine and utilize it.

However, RATs are often hard to convince a person to install. RATs like malware tend to have many modules that are fraudulent and are detected by anti-virus softwares like Windows Defenders, opposed to a more minimal malware that uses less threatening modules. To summarize, the strengths of RATs can harm its detection rate to anti-virus softwares, however this limitation can be bypassed.

Crypting Softwares

A fraudster can check how detected a RAT is by an anti-virus software fairly simply, there are plenty of sites that will scan a RAT against many anti-viruses and report back whether or not the anti-virus detected the RAT as a harmful software. The most famous commercial site for this is VirusTotal, which will conduct heuristics on the file and try to analyze whether or not it is a threat or a safe software for a person to download. However, utilizing VirusTotal isn't a good idea for fraudsters, as it will increase the detection rate of their file. VirusTotal distributes the results of the scan via associating a filehash with each scanned file, and if a scanned file is noted as malicious, its file hash will be noted as malicious, which can distribute to other anti-virus softwares (thereby increasing the detection rate). There are two types of anti-virus scans, runtime and static. Static anti-virus scans use an anti-virus software to scan a file using built in tools, which just check if a file is hypothetically malicious, meanwhile runtime involves actually running the file with the anti-virus enabled and seeing if the anti-virus detects the virus. These results are often different because at runtime the anti-virus has the ability to pick up on more suspicious queues, while the static scan just checks in a more 'hypothetical' manner, scanning what it can. Sites that don't distribute disable the anti-viruses ability to locally save the file and upload it to their server for further analysis, sometimes by disabling internet access. The goal of many people who operate viurses is to check if their virus is running without a high detection rate, however they fear that their results are being distributed when being scanned, so they look for services that don't distribute results. There have been many services that offer such capabilities of scanning a virus for any runtime or scantime anti-virus detections without distributing the results. The most popular site that did this was NoDistribute, which was taken down a while ago, with numerous services popping up to replace it. However, these services are sometimes 'honeypots', services that look like they tend towards fraudsters, however they collect analytics on viruses to detect the strand of malwares easier.

Detection rate is typically lowered via a crypter, a software that was encrypts a given input file, making it hard to deobfuscate by the RATs. The harder to deobfuscate, the harder the virus is to detect, and thereby the more likely it is to work without any interruption from anti-virus system. This is the goal of crypting services, for the virus to go uninterrupted from any anti-virus monitoring suites, allowing the RAT to work at full power and have persistence. Persistence is the trait of a virus being consistent, staying on the client's machine undetected for long periods of time, even after the computer restarts.

How The Scheme Works

Once a fraudster has prepared a RAT and a crypter, the fraudster has a few options. Sometimes when dealing with an insider, a fraudster will remotely connect to the insider's work machine and use the softwares to conduct SIM swaps, normally done via Teamviewer or Anydesk. These softwares are good for temporary remote connections, however the host machine is able to disconnect the fraudster at any point and has full control over the session. Sometimes, fraudsters will sneak RATs onto the host machine when connected, giving the fraudster persistence even after the insider disconnects the fraudster from the remote desktop connection session. This is sometimes done with or without the consent of the employee, and allows for the fraudster to connect at any time, giving them nearly unrestricted access to the machine. At this point, if the fraudster managed to bypass the security suite of the back computer, only leaves the fraudster the problem of operating the machine when nobody is using it and managing to learn how to use the machine's software. The softwares on the backend computer of most carriers are not very user friendly and require a fair bit of trial and error to understand for most fraudsters. Keep in mind that the fraudster cannot use the hVNC function while a user is actually operating the machine, or the machine will be exposed as hacked as it will be obvious to the end user that their session is being interefered with by the fraudster operating the hVNC.

The fraudster, if they do not install it while on a session with an insider, can attempt to conduct a vishing attack. The fraudster will employ callers to attempt to fool employees at targeted carriers to install the RAT software, using typical mechanisms such as impersonating a high-ranking company employee, instructing a lower level employee to complete such actions or they will be fired. Another common technique is for the fraudster to pose as a technical support agent who needs to perform diangostics on a carrier machine. The caller will direct the employee to go to the back end PC, visit the URL to install the software, and try to convince the agent to run the software. This however can go wrong, the software sometimes will be detected as a virus on execution, resulting in the call failing. Another problem is "post-security suites" at companies, security suites that aren't a part of larger anti-virus softwares like Microsoft Defender, tailored to counter attacks such as this one. These include apps like AppLocker, that prevent executable files that aren't unauthorized from being executed, and will raise a flag to the management at the carrier that a machine is at risk of being compromised. Another common anti-malware mechanism that carriers input is restricting downloads in the browsers, so that an employee cannot download a file, even if they want to.

Post-Install

After the virus is installed, it is up to the fraudster to try to conduct SIM swaps. While I previously made it sound like the main struggles will be finding times to operate on the machine and understanding the software, it is worth mentioning that the carrier's also have internal security on tools to prevent abuse. The carriers somewhat anticipate these infections and implement user access management, preventing one machine from being able to conduct many SIM swaps idealistically. The fraudster needs to find bypasses to these restrictions, whether it be buying multiple high-level logins to the carrier's related software or finding bugs in the software that can be abused. The fraudsters typically will 'burn' machines, meaning accidentally flag the machine as potentially compromised, which will cause the carrier to suspend the computer. This is normally a semi-effortless process, because most machines are running virtualized images of Windows through virtualization and VPN systems such as Citrix. This security system limits the amount of time that fraudsters have to utilize their infected computer, hence why so many carriers are switching their backend systems to use Citrix. For instance, MetroPCS, which n0sec covered weeks ago as heavily insecure, has been trying to improve its security by implementing Citrix virtualizations.

The fraudster will eventually learn how to use the company's software and conduct swaps without raising flags as quickly at the company will be able to conduct a decent amount of swaps. This approach, while it can be costly, grants a lot of freedom to the fraudster. The fraudster doesn't have to wait or trust an insider, doesn't need a physical presence to steal a carrier's equipment, and is nearly unrestricted in the potential SIM swapping targets unlike the 'live chat' method.

Conclusion

SIM swapping via 'tools', or remotely infected machines, are one of the strongest forms of SIM swapping if properly executed. There are little restrictions but there is a large upfront time and financial cost, yet the fraudster's abilities are exponentially expanded.