A malicious actor using their mobile phone to execute a cryptocurrency theft attack.

Kroll Employee Falls Victim To SIM Swap, Exposes Crypto Investor Data

Kroll, a well-known British company, became a victim of a sophisticated technique known as “SIM swapping”. This approach allowed an attacker to get unauthorised access to private information.

The SIM swapping attack was reported to Kroll on Saturday, August 19, 2023. A T-Mobile US account linked to one of Kroll’s employees was the explicit target of this attack.

Kroll Advisory reported:

Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request.

This transfer is what gave the attacker their foothold. With control of the employee’s phone number, the attacker was able to reach specific files containing the personal information of individuals filing bankruptcy claims in the BlockFi, FTX, and Genesis cases.

In the UK, many websites and online services use SMS text messages for multi-factor authentication and password resets. Taking possession of a person’s phone number can therefore give fraudsters a quick way into the target’s entire digital presence, including any financial, email, or social media accounts associated with that phone number.

SIM swapping, also known as SIM splitting or SIM jacking, allows attackers to fraudulently activate a SIM card they control with the victim’s phone number. This gives them the ability to listen in on phone calls, intercept SMS messages, and get Multi-Factor Authentication (MFA) messages that control access to online accounts.
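The two paragraphs above explain why an SMS-based second factor collapses once a number is ported to the attacker’s SIM. The following is an added illustration, not code from the original post or from Kroll, FTX or BlockFi, of how a service can treat SMS as an untrusted factor for sensitive actions and suspend it for a cooldown window after a recent number change. The factor names, the `SENSITIVE_ACTIONS` set, the seven-day cooldown and the sample account are all assumptions constructed for the example; real deployments would take the “number recently changed” signal from their own records or from a carrier lookup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List

# Hypothetical factor identifiers for this example.
SMS = "sms"
TOTP = "totp"      # authenticator app
FIDO2 = "fido2"    # hardware security key / passkey

# Assumed set of actions that should never be unlocked by SMS alone.
SENSITIVE_ACTIONS = {"password_reset", "withdraw", "change_phone", "change_email"}


@dataclass
class Account:
    user: str
    factors: set                                # factors the user has enrolled
    phone_changed_at: Optional[datetime] = None  # last known SIM/number change (constructed signal)


def weak_policy(account: Account, action: str, now: datetime) -> List[str]:
    """Weak configuration: any enrolled factor, including SMS, satisfies MFA for any action."""
    return sorted(account.factors)


def hardened_policy(account: Account, action: str, now: datetime,
                    sim_change_cooldown: timedelta = timedelta(days=7)) -> List[str]:
    """Hardened configuration:
    - SMS never satisfies MFA for a sensitive action (password reset, withdrawal, ...);
    - SMS is suspended entirely while the number was changed within the cooldown window,
      because a fresh port-out is exactly what a SIM swap looks like from the service side.
    Returns the list of factors still acceptable; an empty list means the user must go
    through a manual, out-of-band recovery process instead of self-service."""
    allowed = set(account.factors)
    if account.phone_changed_at is not None and now - account.phone_changed_at < sim_change_cooldown:
        allowed.discard(SMS)
    if action in SENSITIVE_ACTIONS:
        allowed.discard(SMS)
    return sorted(allowed)


def authorise(account: Account, action: str, presented_factor: str, policy, now: datetime) -> str:
    """Decide the outcome of a step-up challenge under the given policy.
    Returns one of: 'allow', 'deny', 'manual_recovery'."""
    acceptable = policy(account, action, now)
    if not acceptable:
        return "manual_recovery"
    return "allow" if presented_factor in acceptable else "deny"


# Constructed sample: an employee enrolled in SMS and an authenticator app whose number
# was ported one day ago, mirroring the timeline of a SIM swap.
NOW = datetime(2023, 8, 20, 9, 0)
EMPLOYEE = Account(user="employee", factors={SMS, TOTP}, phone_changed_at=NOW - timedelta(days=1))
SMS_ONLY_USER = Account(user="claimant", factors={SMS}, phone_changed_at=NOW - timedelta(days=1))


def demo() -> dict:
    """Compare both policies on the same attacker move: presenting the intercepted SMS code
    to trigger a password reset."""
    return {
        "weak": authorise(EMPLOYEE, "password_reset", SMS, weak_policy, NOW),
        "hardened": authorise(EMPLOYEE, "password_reset", SMS, hardened_policy, NOW),
        "hardened_totp": authorise(EMPLOYEE, "password_reset", TOTP, hardened_policy, NOW),
        "sms_only_user": authorise(SMS_ONLY_USER, "view_balance", SMS, hardened_policy, NOW),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `manual_recovery` outcome is that a user whose only factor is SMS and whose number just changed should not be able to self-serve at all; routing them to a verified, out-of-band process is what stops the attacker from simply “resetting” their way in.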

Successful SIM Swapping Attack Grants Access to Sensitive Data

After the SIM swap, the malicious actor was able to access files containing personal data relating to people involved in the bankruptcy proceedings. The compromise of this personal data caused widespread alarm among the individuals affected, since it could be exploited for fraud or identity theft.

Scammers usually prepare such an attack through phishing or by trawling social media to collect personal information about their targets, such as birthdates, mothers’ maiden names, and schools attended. Armed with this information, they attempt to persuade the mobile network operator to move the victim’s phone number to a SIM card they control.

SIM-swapping groups will also approach staff members via their mobile phones, masquerading as employees of the company’s IT department. Their purpose is to convince the employee to visit a phishing website imitating the company’s login page.

FTX and BlockFi released a statement on X regarding the security incident at Kroll. The incident involved unauthorised third-party access to Kroll’s systems, which resulted in the disclosure of “limited, non-sensitive customer data of specific claimants.”

Although the specifics of the leaked data were not disclosed, both companies stated that user passwords and customer funds are safe, because there was no direct breach of FTX’s or BlockFi’s systems. Both organisations also said that Kroll would contact affected people directly, and that the situation had already been contained and remedied.

Phishing Attack Used in Kroll Breach

Following the reported Kroll breach, many people connected to the ongoing bankruptcy cases of the crypto businesses went to social media. They shared images of phishing emails they had received.

The bulk of the recorded cases involve messages styled to resemble FTX communications. They claim that the recipient is eligible to withdraw digital assets from their account, reportedly equivalent to their most recent balance on the platform. These messages are intended to trick people into exposing the security keys that protect their bitcoin wallets, with the goal of draining those wallets.

Phishing Email (image: RiseXBT)

People affected by the incident were promptly notified by email so that they were aware of it and could take appropriate action. Kroll also emphasised that it is collaborating with the FBI in a thorough investigation of the incident, with the aim of holding those involved accountable under the law.

The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has suggested that UK telecoms operators strengthen their security measures to discourage SIM swapping. These security measures might include allowing users to freeze their accounts and establishing strict identity verification procedures.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
