Those of us in the information security field are all too familiar with the effectiveness of social engineering, and while there are still those who readily send money off to strangers from a simple phone call or email, people are generally getting better about not giving out their own personal information. But attackers are quick to adapt and have focused on a different target: your phone carrier.
Hackers targeting carriers, or companies in general, is nothing new, but very recently they fell back on classic social engineering. And who are they targeting? YouTubers. It may seem like a pointless target, but the more popular YouTubers make hundreds of thousands, if not millions, of dollars through ad revenue, partnerships and sponsorships.
On July 8, popular YouTuber Ethan Klein, of H3H3Productions, made a video outlining how attackers got his SIM card from T-Mobile (https://www.youtube.com/watch?v=caVEiitI2vg). The attacker called T-Mobile support pretending to be a T-Mobile employee at a branch, saying that Ethan was in the store and needed to activate a new SIM card. The technician on the phone would then deactivate the old SIM card and activate the new one. The attacker would now have everything that was saved on the old SIM card: contacts, passwords, browser history, and in this case the YouTube account. As it happens, Ethan was warned by other YouTubers and was able to resolve the situation quickly, but the attacker still had all of his phone information for a period of time. His account was even PIN-protected, and the attacker was still able to get the SIM card.
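The gap in that workflow is a SIM change authorised on a caller's say-so, with no check that the customer is really in a store and no PIN verification. A carrier-side check that flags exactly that pattern, plus the rapid swap-back a victim leaves behind when they reclaim their number, as an added example (not code from the post or from T-Mobile; the audit-record fields and the sample events are constructed and hypothetical):

```python
from datetime import datetime, timedelta

# Constructed, hypothetical carrier audit records (not a real carrier log format):
# one record per SIM-change request handled by support.
SAMPLE_EVENTS = [
    # Caller on the internal support line claims to be a store employee with the
    # customer present; no PIN check and no point-of-sale session backs the claim.
    {"ts": "2016-07-08T14:02:10", "account": "A100", "channel": "internal_support_line",
     "claims_customer_in_store": True, "pin_verified": False, "pos_session": None},
    # Legitimate in-store swap: handled at a retail terminal with the PIN checked.
    {"ts": "2016-07-08T15:30:00", "account": "A200", "channel": "retail_store",
     "claims_customer_in_store": True, "pin_verified": True, "pos_session": "POS-7781"},
    # The account holder reclaims the number 40 minutes after the first change.
    {"ts": "2016-07-08T14:42:00", "account": "A100", "channel": "customer_care",
     "claims_customer_in_store": False, "pin_verified": True, "pos_session": None},
]

def unverified_store_claim(ev):
    """Rule 1: a request over the internal support line that asserts the customer is
    in a store but is backed by neither a PIN check nor a live point-of-sale session."""
    return (ev["channel"] == "internal_support_line"
            and ev["claims_customer_in_store"]
            and not ev["pin_verified"]
            and ev["pos_session"] is None)

def rapid_reswaps(events, window=timedelta(hours=1)):
    """Rule 2: two SIM changes on one account inside `window`, the trace left when a
    hijacked number is reclaimed quickly. Returns the affected account ids, sorted."""
    by_account = {}
    for ev in events:
        by_account.setdefault(ev["account"], []).append(datetime.fromisoformat(ev["ts"]))
    flagged = []
    for account, stamps in by_account.items():
        stamps.sort()
        if any(later - earlier <= window for earlier, later in zip(stamps, stamps[1:])):
            flagged.append(account)
    return sorted(flagged)

def review_queue(events):
    """Accounts hit by either rule, queued for an out-of-band verification callback."""
    rule1 = {ev["account"] for ev in events if unverified_store_claim(ev)}
    return sorted(rule1 | set(rapid_reswaps(events)))

if __name__ == "__main__":
    print(review_queue(SAMPLE_EVENTS))  # ['A100']
```

Rule 1 is the control T-Mobile's policy change amounts to (a support agent may not act on an unverified claim that the customer is standing in a store); rule 2 catches the cases that slip through, after the fact.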
While T-Mobile has been pretty quiet about this, they acknowledged the flaw in their workflow on Twitter, https://twitter.com/JohnLegere/status/751490098240167937, and made a company policy change almost immediately:
The old tricks still work; whether attackers send you an email pretending to be your bank, or call your carrier pretending to be an employee, social engineering isn’t going away. People are still all too willing to give up information with little identity verification, and your personal information is becoming less personal, and less yours, all the time.