A new strategy targeting telecom companies & mobile phone users has started to emerge which seems to have started as a result on the crack-down of SIM swapping attacks in the last 18 months or so.
The new tactics being employed by threat actors are targeting processes involved with call forwarding and parental/family tools in an attempt to achieve the takeover of a mobile phone users account, leading to further takeover of other accounts by interception of MFA codes. The same ultimate goal of SIM swapping attacks.
The attacks start by social engineering a telco operators call centre staff, or by having an insider in the telco who can facilitate the actions of the threat actor. The idea behind the attack is to get the call centre operator to enable call forwarding on a victims account. The call forwarding is sent to a VoIP number which the threat actor manages.
Once call forwarding is setup, the threat actors can trigger the MFA messages for other accounts such as Apple accounts, banking accounts, etc. The call forwarding simply sends the MFA challenges to the threat actors VoIP number for them to intercept. Having access to the MFA challenges allows the threat actors to gain access to those accounts.
The parental/family tools attack also requires the threat actors to social engineer a telco call centre operative to enable SMS monitoring or the web-based SMS veiwing on a family plan.
With SMS monitoring / viewing, the threat actors can trigger the MFA messages and intercept them before the owner of the account does to gain access to the accounts being targetted.
In the attacks seen so far, all compromised accounts have been Apple accounts allowing threat actors to compromise iCloud services to obtain a victims Apple keychain credentials to allow for the compromise of other linked accounts.
