Fraud Management & Cybercrime , Social Engineering , Social Media
Hackers Used SIM Swapping to Breach US SEC X Account
Hackers Spread Fake News About SEC Approving Spot Bitcoin Exchange-Traded FundIt wasn't a sophisticated hack on Jan. 9 that allowed hackers to briefly take control of an official U.S. Securities and Exchange Commission social media account, the agency said Monday. The hackers simply scammed the account's mobile phone provider to take control of the telephone number tied to the account and used that access to reset the password.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The market regulator said Monday that an unauthorized party had obtained control over the telephone number associated with the X, formerly Twitter, account in an apparent SIM swap attack - allowing the attacker to transfer the phone number to another mobile device.
The hacker used a period of access to boost fake cryptocurrency news ahead of a decision by commissioners to approve the first U.S.-listed exchange-traded funds tracking bitcoin (see: US Securities and Exchange Commission Probes X Account Hack).
SIM swap social engineering attacks have repeatedly been used to take control of high-profile social media accounts and post messages that tie to cryptocurrency scams, as well as to gain access to and drain cryptocurrency accounts.
At the time the account was compromised, the social media platform reported that two-factor authentication had not been enabled. The SEC said Monday that agency staff had requested months earlier that the extra verification step be turned off "due to issues accessing the account." Multifactor authentication "currently is enabled for all SEC social media accounts that offer it," the agency said.
In a Jan. 10 letter to SEC Chairman Gary Gensler, House Financial Services Committee Republican members said they "expect the SEC to hold itself to the same requirements that are imposed on companies throughout the country."
The SEC said it is collaborating with various law enforcement and federal oversight bodies, including the SEC Office of Inspector General, the FBI, the Department of Justice, the Cybersecurity and Infrastructure Security Agency and the Commodity Futures Trading Commission.