One Of My Clients Got Hit With A SIM Swap Attack… Here’s What Happened

I was at a wedding in Niagara On The Lake with my wife last weekend when I got a series of iMessages from a client of mine. He first said that his email inbox was being flooded with all sorts of garbage email. As in hundreds of them. He asked if he could stop them from coming in and I texted back discreetly that no he couldn’t and that I would call him later.

Fast forward about two hours and I get another series of iMessages from the same client saying that he got a phone call from one of Canada’s “big three” telcos that his account had an issue and they would have to take his cell phone offline for 24 hours to resolve it. That immediately got my attention as that is not how any of Canada’s cell phone providers, “big three” or otherwise, behave. Since the actual ceremony was over, I texted a friend who is married to a person who holds a significant position in the telco in question to confirm that I wasn’t delusional. Which that person did. At the same time, I noted that the iMessages were coming from his iCloud account as opposed to his cell phone number. That confirmed that he was the victim of a SIM Swap Attack.

Now I went down the rabbit hole of what a SIM Swap Attack is here. But here’s the TL;DR:

SIM stands for Subscriber Identity Module. That’s telco speak for the chip that goes inside your phone to allow you to get cell phone service. Your cell phone number is associated with that SIM and what the threat actor is going to try and do is to either trick a telco employee into moving your number to a SIM that they control, or have an accomplice inside the telco who will help them move your number to a SIM that they control.

And:

So in short, a SIM swap attack is a means for a threat actor to take control of your number to get access to two factor authentication codes that allow the threat actor to take control of anything from social media accounts, to bank accounts, to crypto wallets. That’s because two factor authentication codes are often sent by text message. And since the threat actor is unlikely to get direct access to your phone, taking over your SIM is the next best option.

I told the client to phone the telco and confirm that they didn’t make the phone call, and then have them take action to regain his phone number and account. Which he did. I also told him to start phoning his banks and credit card companies to try and get ahead of whatever this threat actor was up to, as well as change all his passwords. Which mirrors this advice from the article that I linked to. Now I didn’t have my MacBook Pro with me, so I wasn’t able to investigate this until the next day via a remote session with the client. But my belief was the email issue and the SIM Swap were connected. And it didn’t take long for me to prove that.

What the threat actor had done is used some sort of automated process to sign my client up to hundreds of email based distribution lists. Those in turn sent hundreds of emails that flooded my client’s inbox. Now you’re likely wondering why they would do that. The answer is that they were trying to cover up what they were really up to. Once I cleared out all that “noise”, I found that they were trying to attack his Zoom accounts. Why I do not know. But I also noticed that someone had also applied for a credit card with a $20,000 credit limit with Canadian Tire which is a big retailer in Canada. Finally, the threat actors changed the password on his telco’s online account. I knew that because the notification about the password change showed up via email. I changed his password to a new one and looked through his account because I was thinking that the threat actors might have tried to order a phone and have it shipped to an address where they could collect it and then ship it elsewhere for resale. Thus I advised him to phone his telco to confirm that this had not happened.
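The “clear out the noise” step above can be scripted. This is an added example (not code from the post): it separates mailing-list sign-up confirmations from the few notifications buried under them, and flags the burst itself. The mailbox, sender addresses and thresholds are all constructed for illustration.

```python
# Added example: triage a mail-bombed inbox. All messages here are constructed samples.
from bisect import bisect_right
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime

NOISE_SUBJECTS = ("confirm your subscription", "welcome to", "verify your email")

def build_message(sender, subject, when, extra_headers=()):
    """Build a minimal RFC 5322 message string for the constructed sample."""
    lines = [f"From: {sender}", f"Subject: {subject}", f"Date: {format_datetime(when)}"]
    lines += [f"{k}: {v}" for k, v in extra_headers]
    return "\n".join(lines) + "\n\n(body)\n"

def constructed_mailbox(noise_count=150):
    """Constructed inbox: list confirmations one minute apart, two real alerts buried inside."""
    t0 = datetime(2023, 6, 10, 14, 0, tzinfo=timezone.utc)
    box = [build_message(f"list{i}@example-list.test", "Please confirm your subscription",
                         t0 + timedelta(minutes=i),
                         [("List-Unsubscribe", f"<mailto:unsub{i}@example-list.test>")])
           for i in range(noise_count)]
    box.insert(40, build_message("noreply@telco.example", "Your account password was changed",
                                 t0 + timedelta(minutes=40)))
    box.insert(90, build_message("credit@retailer.example", "Your credit card application",
                                 t0 + timedelta(minutes=90)))
    return box

def is_list_noise(msg):
    """Mailing-list mail almost always carries List-* headers or Precedence: bulk/list."""
    if msg.get("List-Unsubscribe") or msg.get("List-Id") \
            or (msg.get("Precedence") or "").lower() in ("bulk", "list"):
        return True
    return any(m in (msg.get("Subject") or "").lower() for m in NOISE_SUBJECTS)

def triage(raw_messages):
    """Split raw messages into (signal, noise): parsed messages worth reading vs. list spam."""
    signal, noise = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        (noise if is_list_noise(msg) else signal).append(msg)
    return signal, noise

def burst_detected(noise, window=timedelta(hours=1), threshold=50):
    """True if at least `threshold` noise messages arrive within any sliding `window`."""
    times = sorted(parsedate_to_datetime(m["Date"]) for m in noise)
    for i, start in enumerate(times):
        if bisect_right(times, start + window) - i >= threshold:
            return True
    return False
```

Run `triage(constructed_mailbox())` and the two signal messages (the telco password-change notice and the credit card application) surface immediately, while `burst_detected` on the noise list is the cue that the flood was deliberate rather than a misconfigured subscription.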

My advice to him at the time was to call Canadian Tire’s financial services and stop that credit card from being issued, and to continue changing the passwords for any and all of his online accounts. Finally, I advised him to sign up for credit monitoring and report this to the Canadian Anti-Fraud Centre. I then made an appointment with him to see him the next day.

I followed up with him and he had taken the following action:

  • Signed up for credit monitoring
  • Reported this to the Canadian Anti-Fraud Centre
  • Reported this to his bank and credit card company. Of interest, the credit card company cancelled his credit cards and issued new ones. The bank took no action as they didn’t see anything suspicious.
  • He had phoned his telco and confirmed that no account changes had been made and nothing had been ordered via his account.
  • Interestingly, Canadian Tire Financial Services phoned him to say that someone had tried to sign up to a credit card in one of their stores, and then tried to buy thousands of dollars worth of product. He shut that down immediately. But it implies that the goal of this SIM Swap Attack was identity theft followed by retail theft.

Now while I was there, I helped my client to not only change his banking password, as he was having difficulty doing that, but also enable push notification based two factor authentication. I did that because a SIM Swap Attack relies on the target having two factor authentication codes coming over text message. If they come via push notification, then a SIM Swap Attack would be totally ineffective as those notifications are not connected to the SIM. In fact, I encourage anyone who reads this to see if you can move any two factor authentication codes to push notifications as a means to mitigate an attack like this should it happen to you.

Now you might be noticing that I am not naming the Canadian telco in question. That’s because after he reported this to the Canadian Anti-Fraud Centre, I got a number of calls from them, and then a police agency that I will also not name. In short, this situation is now part of a larger investigation into a SIM Swap gang that seems to be operating inside a couple of provinces in Canada. And the police agency also told me that there might be insiders that work for the telco that he deals with. If that’s true, I’ve seen this before here. And that caught my attention because my first thought was that they might have asked him to provide them with access to his online telco account via the PIN number that gets emailed every time you try to log in or reset the password. But when I looked for that in his email, I did not see any evidence that he received such an email. The only thing that I saw was the email that said that his password was reset. The other odd thing that caught my attention was that he reported that when he got the call from the threat actor pretending to be an employee of the telco in question, the woman at the other end of the line knew him by name and phoned his cell phone directly. Now I have experienced this personally here with a threat actor pretending to be Rogers who knew my wife’s name and who was trying to get me to sign on to a great deal with a free phone. Which I knew to be a scam immediately. So it doesn’t surprise me that this might be the case with the telco in this incident. I do have a follow up with him in the next day or two, so I will see if I can try again to confirm that he played no part in the SIM Swap Attack by providing any information that helped the threat actors.

This is likely not going to be the last that I am writing about this incident. Thus I would suggest that you stay tuned for updates if and when they come. And just to make it clear, there are things that I can’t talk about regarding this, so please understand if I cannot answer all your questions. But if you do have questions, I will answer them as best as I can.
