SEC Confirms SIM Swap Attack Behind X Account Takeover

Written by

A US regulator has confirmed that its official X (formerly Twitter) account was hijacked earlier this month after hackers were able to take over the phone number associated with the account.

The Securities and Exchange Commission (SEC) revealed in an update yesterday that the January 9 incident was caused by a classic SIM swap attack.

“SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number,” it explained.

“Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”

Once in control of the number, the hackers reset the password, enabling them to fully control the account.

“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the regulator continued.

“Once access was re-established, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”

Read more on X account takeovers: NCSC: Twitter Users Should Find MFA Alternatives

While having MFA disabled is poor practice for a government body, SIM swappers would still have been able to intercept a one-time passcode sent by X to authenticate. That’s why senators have urged the SEC to use “phishing-resistant MFA” such as authenticator apps.

The account itself was hijacked in early January to publish a fake announcement that the regulator had approved the listing and trading of Bitcoin exchange-traded funds (ETFs ) on security exchanges. In the end, the SEC made the announcement for real the following day.

SIM swapping typically happens when a scammer manages to socially engineer a telco employee into porting a customer’s phone number to a device under their control. On some occasions, they use malicious insiders working at telco carriers.

“Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC said.

What’s hot on Infosecurity Magazine?