Snippet: SIM Hijacking to Steal Instagram ☇

Shared on August 21, 2018

Motherboard’s Lorenzo Franceschi-Bicchierai (via Adam Tinworth):

Want to make some extra money? Start a business hacking Instagram accounts:

In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $500 and $5,000, according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $40,000 worth of Bitcoin.

Besides gaining access to top-notch Instagram handles to re-sell, the same methods also allow access to all sorts of things:

First, criminals call a cell phone carrier’s tech support number pretending to be their target. They explain to the company’s employee that they “lost” their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim’s Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

This allows access to many things that allow password resets and two-factor authentication via SMS. I’d recommend removing your phone number from things it doesn’t need to be associated with and keeping your fingers crossed that your carrier has your back. The read is lengthy, but excellent.

