A former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts.

SIM swapping is the unauthorized porting of a targeted person's phone number to another physical SIM card or eSIM chip controlled by the attacker. These attacks are usually conducted by social engineering customer support agents or through insiders at mobile companies.

This attack aims to take control of the target's phone number to receive SMS-based one-time passwords (OTPs) sent as part of two-factor authentication protection on online accounts.

Receiving these codes allows attackers to take over the target's accounts using stolen credentials, typically acquired through phishing or other data leaks.

Telecom service providers have now implemented measures to prevent such arbitrary number porting events without the involvement or authorization of the owner.

However, the former IT manager, Jonathan Katz, abused his managerial position and highly privileged account at a mobile telecommunications store to overcome security measures and perform unauthorized number ports.

An announcement and court documents published earlier this week by the U.S. Department of Justice (DoJ) explain that Katz (aka "Luna") performed the SIM swaps between May 10 and 20, 2021, while he was a manager for a telecom firm.

Court documents from December 2021, released following Katz's arrest, indicate five victims in Wyoming, New Jersey, California, and Tennessee.

Katz's actions enabled his accomplice to hijack victims' mobile phone numbers and subsequently gain access to accounts, including email, social media, and cryptocurrency wallets.

For carrying out the unauthorized number ports, Katz received $1,000 in Bitcoin per SIM swap (a total of $5,000), plus an unspecified percentage of the profits earned from the illicit access to the victims' devices.

For his actions, Katz faces a statutory maximum of five years in prison and a fine of up to $250,000 or twice the financial gain or loss from the crime. 

The sentencing is scheduled for July 16, 2024.
