Bitcoin Forum
Author Topic: Bo Shen hacked? ETH, REP sold on poloniex?  (Read 2526 times)
vlom (OP)
Legendary
Activity: 1498
Merit: 1117
December 10, 2016, 03:57:26 PM
 #41

If I'm reading this right, they are using the recovery phone number associated with the email account to reset the email password.
This would mean they need to intercept the text that is coming to that phone number to perform the reset.

Intercepting a text message sent to a phone is not easy.
This would mean the attackers are either VERY sophisticated, like on a state actor level,
or have found some vulnerability that allows them to intercept data being sent by/to phone carriers.

They just have to manage to get the number transferred to another SIM card.

What is SIM Swap Fraud
In fact, let's first cover porting a number over without the fraud. Every number in the UK can have a Porting Authorisation Code (PAC) generated. This code, given to the mobile phone owner by their current network operator, will allow you to switch providers. You simply ring up your current operator, ask for the PAC number and give this code to the new operator. A few days later your phone number has been transferred to a new network.

Now let's add the fraud bit. This system has been abused for a decade as a way to 'steal' a person's mobile number. A criminal would just ring up your operator, pretend to be you and get the code. Following this task you just buy a new SIM card, port the number to it and bingo. You have stolen the number, and even if the number is identified as stolen by this method, it will still take a few days to get it back. The reports from victims are distressing: people's lives have been uprooted in a second and the impact doesn't stop with a phone issue. The whole driving force behind this kind of fraud is your email address, your bank, your online life.

Wait a minute.. I hear you say "Your online life". How is this then? Seems a big jump from your mobile number...
Well, not really... Many email and social media accounts will reset an online account's password if they can send a verification code to your phone. It's a trivial task to go to an online account and type in the victim's email address and then get a code sent to the phone number in your control. Once you have a Google account you could look at location history, emails, pictures etc. I don't want to dwell on this point of escalation. For those for whom this article is intended, I hope you know the level of access an email account can bring.

Other motivators for this attack could be:

Bypass 2-factor accounts that have a compromised password already.
Approve banking transactions with SMS notifications.
Defame: calls to your clients, calls to your boss, embarrassment.
Further vishing calls using your number.
https://theantisocialengineer.com/sim-swap-fraud-porting-your-digital-life-in-minutes/
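Added example, not code from the post above or from the linked article: a toy Python recovery service that implements the reset flow the article describes (a verification code texted to the number on file) beside a hardened policy, and runs both against an attacker who has ported the victim's number. Everything in it is constructed: the account and its authenticator secret, the carrier stand-in, the 7-day hold period, and the "when did the SIM last change" lookup, which is modelled here as an assumption rather than any real carrier API. The scenario shows the SMS-only reset succeeding for the attacker, the hardened flow refusing the same attacker, and the hardened flow still admitting the real owner later once they present their authenticator code.

```python
"""SMS-only password reset beside a hardened recovery policy (constructed toy, no real
provider's or carrier's code). Once the attacker has ported the victim's number, every
SMS verification code lands in the attacker's hands; the hardened flow survives that."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SIM_CHANGE_HOLD = 7 * 24 * 3600   # assumed policy: no SMS recovery for 7 days after a SIM change
TOTP_STEP = 30                    # authenticator time step, seconds


@dataclass
class Account:
    email: str
    phone: str
    password: str
    totp_secret: bytes            # shared with the user's authenticator app (assumed)


@dataclass
class SmsNetwork:
    """Stand-in for the carrier: who holds the SIM for a number, and a hypothetical
    'when did the SIM last change' lookup (modelled here, not a real carrier API)."""
    holder: dict = field(default_factory=dict)          # phone -> party name
    sim_changed_at: dict = field(default_factory=dict)  # phone -> unix time
    inbox: dict = field(default_factory=dict)           # party -> delivered texts

    def port(self, phone, new_holder, now):             # a SIM swap or port-out
        self.holder[phone] = new_holder
        self.sim_changed_at[phone] = now

    def send(self, phone, text):
        self.inbox.setdefault(self.holder[phone], []).append(text)

    def last_code(self, party):                         # read the code out of the latest text
        return self.inbox[party][-1].split()[-1]


def authenticator_code(secret: bytes, now: float) -> str:
    """6-digit TOTP-style code; illustrative, not a full RFC 6238 implementation."""
    mac = hmac.new(secret, int(now // TOTP_STEP).to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class RecoveryService:
    def __init__(self, accounts, sms):
        self.accounts = {a.email: a for a in accounts}
        self.sms = sms
        self.pending = {}                               # email -> SMS code in flight

    def start_sms_reset(self, email):
        """Both policies start the same way: text a code to the number on file."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[email] = code
        self.sms.send(self.accounts[email].phone, f"Your reset code is {code}")

    def finish_sms_reset(self, email, sms_code, new_password):
        """Weak policy: possession of the SMS code alone resets the password."""
        if not hmac.compare_digest(self.pending.get(email, ""), sms_code):
            return False
        self.accounts[email].password = new_password
        del self.pending[email]
        return True

    def finish_hardened_reset(self, email, sms_code, auth_code, new_password, now):
        """Hardened policy: SMS is one signal, never the only one."""
        acct = self.accounts[email]
        if now - self.sms.sim_changed_at.get(acct.phone, 0) < SIM_CHANGE_HOLD:
            return False                                # number changed hands recently: refuse
        if not hmac.compare_digest(self.pending.get(email, ""), sms_code):
            return False
        if not hmac.compare_digest(authenticator_code(acct.totp_secret, now), auth_code):
            return False                                # intercepting SMS gives nothing here
        acct.password = new_password
        del self.pending[email]
        return True


def run_scenario():
    """Constructed scenario: the attacker knows the victim's email and has ported the number."""
    day, t0 = 24 * 3600, 1_700_000_000.0
    sms = SmsNetwork()
    victim = Account("victim@example.com", "+447700900123", "hunter2", b"victim-totp-secret")
    sms.port(victim.phone, "victim", t0 - 365 * day)   # victim has held the SIM for a year
    svc = RecoveryService([victim], sms)

    sms.port(victim.phone, "attacker", t0)             # the fraudulent port-out
    svc.start_sms_reset(victim.email)
    weak = svc.finish_sms_reset(victim.email, sms.last_code("attacker"), "pwned")

    svc.start_sms_reset(victim.email)                  # same attacker, hardened policy
    hard_attacker = svc.finish_hardened_reset(
        victim.email, sms.last_code("attacker"), "000000", "pwned2", t0 + day)

    sms.port(victim.phone, "victim", t0 + 2 * day)     # victim recovers the number
    t1 = t0 + 30 * day                                 # well past the hold period
    svc.start_sms_reset(victim.email)
    hard_victim = svc.finish_hardened_reset(
        victim.email, sms.last_code("victim"),
        authenticator_code(victim.totp_secret, t1), "new-strong-pass", t1)
    return {"weak_attacker_reset": weak, "hardened_attacker_reset": hard_attacker,
            "hardened_victim_reset": hard_victim, "password": victim.password}


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is that the weak flow has no check the attacker cannot pass, because the only thing it verifies is receipt of a text and the port-out hands them exactly that. The hardened flow keeps the SMS code but makes it insufficient on its own; the recent-SIM-change hold is an assumed extra signal and the reset still fails without it, because the authenticator code never travels over SMS.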