Hacker exploits SIM card swap, hijacks SEC's social media account, exposing vulnerabilities in multifactor authentication. (IT World Canada)


January 23, 2024

In a recent security breach, an unidentified hacker took control of the U.S. Security and Exchange Commission's (SEC) account on a popular social media platform, referred to as X, by exploiting a SIM card swap through a cellphone carrier. The hacker manipulated the carrier into transferring control of an employee's cellphone by resetting the password for the @SECGov account. Notably, the account lacked multifactor authentication during the incident, although the SEC stated that it had been initially enabled but was later disabled upon staff request, offering no further clarification on this decision.

The unauthorized party's access to the phone number occurred through a SIM card swap, a process wherein the SIM card, responsible for registering a wireless device with a carrier, is shifted from one device to another. The hacker, relying on the susceptibility of support staff, convinced the carrier to change the device associated with the SIM card. Gaining control over the victim's smartphone is crucial for exploiting accounts that utilize mobile devices in their multifactor authentication processes.

The SEC highlighted that the breach did not involve their internal systems but rather exploited vulnerabilities in the carrier's processes. Once in control of the SEC X account, the attacker made a false post announcing the approval of spot bitcoin exchange-traded funds. Although untrue at the time, the SEC later confirmed certain financial platforms' ability to carry bitcoin ETFs a few days after the incident.

Investigations into the breach are underway, involving entities such as the SEC's Office of Inspector General, the FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. SIM card swap attacks, a method employed by threat actors for years, pose a significant risk, allowing unauthorized access to accounts protected by multifactor authentication. In some instances, such attacks target organizations' IT networks, as exemplified by the Lapsus$ gang, while in others, like this case, social media accounts are compromised to promote cryptocurrency scams.

Notably, this incident aligns with a trend where several prominent X accounts, including those of Mandiant, the city of Peterborough, Ont., and a Canadian Senator, were temporarily hijacked to promote cryptocurrency-related activities. SIM card swaps may not be the sole tactic in every case, as some attackers exploit unprotected social media accounts by guessing or brute-forcing passwords. Mandiant, for instance, admitted to disabling multifactor authentication during a staff transition.

Highlighting the severity of SIM card swap threats, the FBI issued a warning in 2022, urging carriers to educate employees on SIM swapping risks, scrutinize incoming emails for potential fraud, implement strict security protocols for changing customer numbers, and authenticate calls from authorized third-party retailers requesting customer information. As cybersecurity concerns continue to evolve, addressing vulnerabilities in communication and authentication processes becomes imperative to prevent unauthorized access and potential exploitation.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

You may also like

Bitcoin Investor Buys an Entire SpaceX Flight for the Ultimate Polar Adventure

A bold new chapter in space tourism unfolded as Chun Wang, a Bitcoin investor and entrepreneur, launched into orbit on....

Elon Musk’s xAI Acquires X in $33 Billion Stock Deal

Elon Musk’s artificial intelligence startup, xAI, has officially taken over his social media platform, X, in a deal valued at....

Trump Considers Lowering Tariffs to Seal TikTok Deal

Former U.S. President Donald Trump signalled on Wednesday that he might reduce tariffs on China to facilitate the sale of....

U.S. Robotics Firms Urge National Strategy to Compete China

American robotics companies are calling for a national U.S. robotics strategy to strengthen the industry and maintain a competitive edge....

Waymo Plans Self-Driving Taxi Service in Washington by 2026

Alphabet’s autonomous taxi service, Waymo, is expanding to Washington, D.C., with plans to launch in 2026. The announcement, made on....

Trump Aides Used Signal for Secret War Talks – What to Know

Top officials from the Trump administration reportedly used the encrypted messaging app Signal to discuss military plans, sparking concerns over....

PsiQuantum Secures $750M to Advance Quantum Computing

According to sources, Quantum computing startup PsiQuantum is securing at least $750 million in funding, pushing its valuation to $6....

Are We Ready to Mine Metals from Space? The Future of Asteroid Mining

Asteroid Mining: A Sci-Fi Dream or an Inevitable Future? For decades, space enthusiasts and scientists have imagined a future where....

Nvidia CEO Surprised By Public Quantum Computing Companies

Nvidia CEO Jensen Huang admitted he was unaware that publicly traded quantum computing firms existed when he previously commented on....

Tesla Faces Crisis: Cybertruck Recall & Musk’s Trump Ties

Tesla and its CEO Elon Musk are in hot water as controversy swirls around the company. One of Tesla’s strongest....

Humanoid Robots Could Arrive Sooner Than Expected, Says Nvidia CEO

The world may be closer to a robotics revolution than most people think. Nvidia CEO Jensen Huang believes humanoid robots....

Nvidia’s AI Vision: Jensen Huang Unveils Future at GTC 2025

Nvidia CEO Jensen Huang took center stage at the GTC 2025 conference, often dubbed “AI Woodstock,” to discuss the rapid....