Attackers Go After SIM Cards in Bank Fraud Scams

Attackers are using a some new schemes that combine old phishing tactics with some newer techniques in order to steal or disable the SIM cards in victims’ mobile phones and then take them over for use in bank fraud transactions.

Attackers are using a some new schemes that combine old phishing tactics with some newer techniques in order to steal or disable the SIM cards in victims’ mobile phones and then take them over for use in bank fraud transactions.

Mobile phones have become high-value targets for attackers in many different kinds of schemes, including fake online banking apps, Trojaned legitimate apps and phishing scams. The most recent entries into this cavalcade of crud is a pair of schemes that rely on some classic phishing tactics adapted for the mobile platform as well as some real-world physical techniques in order to separate victims from their money. SIM card theft is a serious problem in some countries where it’s common for user to buy unlocked phones rather than committing to a contract with a carrier. 

The first scam, which was analyzed by researchers at Trusteer, involves attackers using the venerable Gozi Trojan as part of a phishing attack aimed at stealing the user’s mobile phone IMEI number. That number is a unique identifier for the phone itself. The attackers are using code injection to show users a prompt from their online banking site asking them to enter their IMEI numbers in order to access their accounts. Once the attackers have the IMEI number, they then call the victim’s carrier and report the phone lost or stolen and ask for a new SIM card.

With that in hand, the attackers then receive the one-time passwords meant for the victim for her bank account and the victim is then relieved of her money. 

“In the Gozi configuration file we obtained, the malware uses a web page injection that prompts the victim to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialing *#06# on the device keypad,” Amit Klein of Trusteer wrote in an analysis of the attack.

The second scheme that Trusteer has seen recently is somewhat related to the first in that it’s aimed at getting hold of the victim’s SIM card. In this case, the attacker uses a phishing attack to get a victim’s personal information, including bank details and name and address. He then goes to the police and reports the phone stolen and follows up by going to the victim’s wireless carrier and making the same report, saying the SIM card was stolen. With that done, the carrier may issue the attacker a new SIM card and the attacker will again get access to the victim’s one-time passwords. 

“The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves,” Klein wrote.

Suggested articles

Black Hat USA 2019 Preview

Threatpost editors discuss the top trends, keynotes and sessions that they look forward to at Black Hat USA and DEF CON 2019.


  • Hakima on

    Very interesting. But, what are the best mesures to prevent this kind of attacks ?
  • Anonymous on

    don't give up your IMEI

  • Anonymous on

    a good thing to learn is that ur bank will never ask you to disclose full passwords or pins only selected digits of both and they never ask for an imei number to verify who you are therefore if you are asked for any of this information do not give it close the application imediately and report it to your carrier and the bank to make sure nothing is taken.  Another thing is never open any emails that appear to be from your bank unless you know they are genuine ie for me i get an email monthly to tell me my statement is ready but often get other emails telling me my security is at risk or my account has been frozen these ones are scams trying to gain access to my details therefore always be cautious before clicking on a link in an email check your bank directly before believing what the email is telling you as so many people are caught out by these scams

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.