Hacker exploits SIM card swap, hijacks SEC's social media account, exposing vulnerabilities in multifactor authentication. (IT World Canada)


January 23, 2024

In a recent security breach, an unidentified hacker took control of the U.S. Securities and Exchange Commission's (SEC) account on the social media platform X by exploiting a SIM card swap at a cellphone carrier. The hacker manipulated the carrier into transferring control of an employee's cellphone number and then used that number to reset the password for the @SECGov account. Notably, the account lacked multifactor authentication at the time of the incident; the SEC stated that it had initially been enabled but was later disabled at staff request, offering no further explanation for that decision.

The unauthorized party's access to the phone number occurred through a SIM card swap, a process wherein the SIM card, responsible for registering a wireless device with a carrier, is shifted from one device to another. The hacker, relying on the susceptibility of support staff, convinced the carrier to change the device associated with the SIM card. Gaining control over the victim's smartphone is crucial for exploiting accounts that utilize mobile devices in their multifactor authentication processes.

The SEC emphasized that the breach did not involve its internal systems but instead exploited weaknesses in the carrier's processes. Once in control of the SEC's X account, the attacker published a false post announcing the approval of spot bitcoin exchange-traded funds. Although untrue at the time, the SEC did approve certain financial platforms to offer bitcoin ETFs a few days after the incident.

Investigations into the breach are underway, involving entities such as the SEC's Office of Inspector General, the FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. SIM card swap attacks, a method employed by threat actors for years, pose a significant risk, allowing unauthorized access to accounts protected by multifactor authentication. In some instances, such attacks target organizations' IT networks, as exemplified by the Lapsus$ gang, while in others, like this case, social media accounts are compromised to promote cryptocurrency scams.

Notably, this incident aligns with a trend where several prominent X accounts, including those of Mandiant, the city of Peterborough, Ont., and a Canadian Senator, were temporarily hijacked to promote cryptocurrency-related activities. SIM card swaps may not be the sole tactic in every case, as some attackers exploit unprotected social media accounts by guessing or brute-forcing passwords. Mandiant, for instance, admitted to disabling multifactor authentication during a staff transition.

Highlighting the severity of SIM card swap threats, the FBI issued a warning in 2022, urging carriers to educate employees on SIM swapping risks, scrutinize incoming emails for potential fraud, implement strict security protocols for changing customer numbers, and authenticate calls from authorized third-party retailers requesting customer information. As cybersecurity concerns continue to evolve, addressing vulnerabilities in communication and authentication processes becomes imperative to prevent unauthorized access and potential exploitation.
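From a defender's side, the attack chain described above (carrier moves the number, attacker uses the number to reset a password or pass an SMS challenge) is a correlation problem: a SIM change on a number followed shortly by a phone-based account recovery is the signal to act on. The following Python is an added illustration, not code from the article or from the SEC, X, or any carrier; it scans a constructed event stream for that pattern. The event fields, the event kinds, and the 24-hour window are assumptions chosen for the example.

```python
"""Flag phone-number-based account recovery that closely follows a SIM change.

Added example, not from the original article. Event schema, event kinds and
the cooldown window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: any SMS-based reset or login within this window of a SIM
# change on the same number is treated as suspicious.
COOLDOWN = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # assumed values: "sim_change", "password_reset", "sms_otp_login"
    phone: str   # the phone number the event concerns


def flag_risky_recoveries(events, cooldown=COOLDOWN):
    """Return (recovery_event, preceding_sim_change) pairs.

    Events are processed in time order. The most recent SIM change per phone
    number is remembered; any password reset or SMS-OTP login on that number
    within `cooldown` of the change is flagged together with the change.
    """
    last_sim_change = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sim_change":
            last_sim_change[ev.phone] = ev
        elif ev.kind in ("password_reset", "sms_otp_login"):
            prior = last_sim_change.get(ev.phone)
            if prior is not None and ev.ts - prior.ts <= cooldown:
                flagged.append((ev, prior))
    return flagged


def summarize(flags):
    """Human-readable lines for each flagged pair (for an alert or ticket)."""
    return [
        f"{ev.kind} on {ev.phone} at {ev.ts:%Y-%m-%d %H:%M} came "
        f"{(ev.ts - prior.ts).total_seconds() / 3600:.1f}h after a SIM change"
        for ev, prior in flags
    ]


# Constructed sample stream: numbers and timestamps are made up.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 5, 10, 0), "password_reset", "+1-555-0199"),   # no SIM change: benign
    Event(datetime(2024, 1, 9, 14, 0), "sim_change", "+1-555-0100"),
    Event(datetime(2024, 1, 9, 15, 30), "password_reset", "+1-555-0100"),  # 1.5h later: flagged
    Event(datetime(2024, 1, 9, 16, 0), "sms_otp_login", "+1-555-0100"),    # 2h later: flagged
    Event(datetime(2024, 1, 12, 10, 0), "password_reset", "+1-555-0100"),  # ~68h later: outside window
]

SAMPLE_FLAGS = flag_risky_recoveries(SAMPLE_EVENTS)

if __name__ == "__main__":
    for line in summarize(SAMPLE_FLAGS):
        print(line)
```

The check is only as good as the carrier's willingness to share SIM-change events with the account provider; where that feed does not exist, the same rule can be applied on the provider's side to its own "phone number changed" events, and the action on a hit should be to require a non-SMS factor rather than to silently allow the reset.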

