by Michael Krieger, Liberty Blitzkrieg:
On March 3rd, at approximately 9pm, hackers stole my phone number. I didn’t become aware of this until a little more than 24 hours later, but hacking attempts on my other accounts began right away. Prior to this nightmarish experience, I had never heard of this happening to anyone else; however, in the days that followed I quickly became aware of its rapidly growing popularity and frightening ease of execution. Pulling off this attack requires virtually no technical skills; rather, it relies entirely on social engineering, persistence, and an incompetent telecom employee. If this can happen to me, it can happen to virtually anybody.
The 48-hour period beginning at around 5am on March 4th was one of the most trying, confusing and frightening of my life. At that point, my wife and I had been up pretty much all night due to our son being in the midst of a horrible sleep regression. In fact, his crying was so hysterical I ended up calling our pediatrician’s office to ensure he wasn’t suffering from something more serious. I was going on two hours of sleep, the sun was about to rise and I was dealing with an inconsolable child. I thought things couldn’t get much worse. Boy was I wrong.
I had time to kill while waiting for the on-call nurse to ring me back, so I checked my email. I quickly realized something had gone horribly wrong. At least one of my accounts had been entirely compromised, and I received multiple alerts from two other accounts notifying me of unauthorized actions and password change attempts. At this point I realized there would be no hope of any additional sleep, and I immediately got to work contacting the three accounts that had been attacked. There was considerable damage to one of my accounts, but support immediately took care of the issue. The other accounts were only partly compromised, and appeared safe. I proceeded to log into my other accounts in order to change passwords and investigate whether or not anything else had been compromised, with my email the most pressing concern. Everything else seemed fine. I passed out that evening shaken, but somewhat relieved despite the fact I still had no idea what was going on or how the hackers compromised the things they did.
My attempt at rejuvenation via a good night’s sleep was quickly dashed at about 2am with a phone call to a rarely used alternate number from my father. He was in panic mode telling me that someone had been texting him from my phone number asking for a “code.” Fortunately, my dad had no idea what this person was talking about and refused to continue the conversation without a phone call. When my dad called my phone number a strange person answered pretending to be me. My dad cursed him off and immediately called me. This was the scariest moment of the entire episode. It was 2am, someone had compromised my phone number, and who knew what else. I didn’t know what was happening other than I was in a serious pile of shit, and this was the only time I wondered if my physical safety might be at risk.
Once again, it was in the middle of the night, and I felt even more violated, isolated and helpless than the day before. When you’re that sleep deprived and being attacked virtually non-stop, it’s very hard to think clearly. I had no idea if my entire phone had been taken over somehow, and I had no idea what they would be targeting next given their enhanced capabilities. All I knew was this was not good. On the positive front, I hadn’t gotten a stream of emails alerting me to additional account penetrations as I had the day before. I suddenly felt very fortunate to have taken the steps to change my passwords the previous day.
Not knowing the extent of the problem, I called the police. I was transferred to an extraordinarily nice deputy who talked me through everything. While he couldn’t really do much, he did put my mind at ease and also called my phone number to see who answered. The attackers did not answer the phone, but the deputy told me the voicemail said it was related to a Google Voice account. This presented me with my first clue. I had never even heard of Google Voice before, let alone had an account. So how the heck did hackers snatch my number and move it over to a Google Voice account controlled by someone else?
Over the next couple of hours, I started to put together additional pieces of the puzzle. I realized that I could still send text messages and make phone calls from my device, but I wasn’t receiving any incoming phone calls or texts. Thus it became clear the hackers hadn’t taken over my phone, but had somehow forwarded my calls and texts to an outside device under their control. They were also able to send text messages from my phone number, which is how they launched the attempted phishing, social engineering attack against my dad. Unnervingly, I still didn’t know how this happened, and I had to wait hours until someone at my carrier would become available over the phone.
Once I got someone on the phone, I knew enough to at least tell them Google Voice had somehow been connected to my phone and that I needed that severed. This person told me that she would do what she could from her end. To my great relief, I was once again able to receive text messages, but incoming phone calls were still not arriving at my device. I figured this might take some time, so I decided to devote my resources to alerting Google to what had happened, and to see what they could do. As you might expect, you can’t exactly get someone on the phone at Google, so I had to fill out various forms online and pray for a response. I went to bed that night not hearing from Google, and with my phone calls still being redirected.
I finally got some decent sleep Sunday evening. Refreshed and excited it was Monday since I figured it would provide me with greater opportunities for help, I decided to try my telecom carrier’s online chat to see if that would provide a better support experience. I was quickly able to get to a technical professional who seemed genuinely horrified about what had happened to me, and he suggested I call the company’s fraud department. I then asked him about the pesky issue of my phone calls not coming to me, and he solved the problem within minutes. I thanked him and immediately called the fraud department, as suggested. This is where things started to get really weird, and completely infuriating.
The woman who picked up the phone at the fraud department seemed to be the most competent person I ever talked to at the company. She expressed concern and decided to look into the history of what happened, focusing on March 2nd, when someone began pestering customer support non-stop claiming they were me and saying their phone broke and needed my number forwarded. She then notified me that after several attempts, the hacker successfully convinced a representative to forward my number without verifying my identity.
Once my SMS messages were being forwarded to the hackers, they were able to initiate and complete a connection of my number to a Google Voice account under their control. While relieved to have discovered how this whole scam worked, I was simultaneously horrified. Was it really this easy to steal someone’s phone number? Seemingly all you had to do is pester call-center telecom employees incessantly until one of them gets sloppy. Then presto, your phone number is stolen.
At this point, I asked the fraud representative if she could email me the chat transcripts of the hacker pretending to be me in order to investigate further. This is when things got extremely troubling. I knew from my earlier chat that the transcripts are saved and then emailed out to the person who initiated the chat. The woman on the phone then started to act weird and suddenly transferred me away to another department. The person who answered next could barely speak English and had no idea what was going on in my case.
Extremely frustrated, I called the fraud department back and was connected to a different person. I explained the situation and he said he’d look into it. The demeanor of this person was completely different from the prior representative. He was extremely cautious and took forever to answer the simplest of questions. He told me an entirely different story from the person I had just spoken to. He said that someone incessantly called pretending to be me asking for call forwarding, but that none of the customer service representatives agreed to it since they couldn’t verify their identity. He confirmed that the hackers contacted customer service on at least 15 distinct occasions on March 2nd alone, a day before my number was switched over to the attacker’s Google Voice account. It seemed like the company was frantically covering its tracks. I then asked this person to send me the chat transcripts. He said he would submit a request and send it to the email on my account. I have yet to receive any chat transcripts.
Unfortunately, I can’t prove that a telecom representative agreed to call forwarding without verifying my identity, but it seems almost certain that this is what happened. As I learned in the following days as I conducted more research, this sort of attack is rapidly increasing in popularity and effectiveness since there’s a huge weak link: telecom call-center employees.