Hacked phones are common, but hacked SIMs seem a bit hard to believe. That is true, many people in reality still think that SIM has no function of setting and storing but still being illegally infiltrated by others. Mod whf’s post on the Whitehat forum described scenarios where your SIM will be hacked.
4 Scenario used to hack phone SIM
Scenario 1: Trick the user into texting the block message syntax
Bad guys use spam phone numbers to call victims’ mobile numbers, claiming to be employees of consumer finance companies such as FE Credit, Home Credit… to invite loans and then Hack your SIM. Calls are made with a dense frequency to create inconvenience for the victim.
When the victim refuses to borrow and is upset. The bad guy will guide you how to refuse to receive a loan call, if you do, you will not be called to bother anymore by following the syntax:
*090*7*2*xxxxx# and dial.
Scenario 2: Pretend the salesman announced the winning
The bad guy called the victim’s mobile number, claiming to be an employee of e-commerce platforms such as Shopee, Lazada… congratulated the lucky customer for winning. To receive the reward, customers need to follow the syntax sent via text message to confirm.
Scenario 3: Pretending to be a carrier employee to announce a service error fix
The bad guy calls the victim claiming to be a carrier employee to support customers to upgrade 4G sim remotely to limit contact, prevent Covid epidemic, to enjoy promotions, if not upgraded, they will not be able to call / internet access… to upgrade just follow the syntax guided through the message.
Scenario 4: Trick to divert calls
One way to hack SIM that you didn’t expect is that the Bad Guys will borrow your phone to make a call, but instead quickly execute the USSD syntax to divert the call. All calls to your phone number will be redirected to the bad guy’s phone number. From there he can get the OTP code through the confirmation call or listen to all sensitive content from the incoming caller. In which the syntax that crooks will use is as follows:
- Viettel: compose DK message to 1322.
- Vinaphone: **002*Bad phone number# press OK
- Mobifone: **21*Bad phone number# press OK.
Unlocking the phone SIM Hack trick
In all the first 3 scenarios, there is one thing in common that the bad guy will trick the victim into performing the syntax::
*090*7*2*xxxx# and press call. (with carrier Mobifone – xxxx is 16 numbers)
*091*38*xxxx# and dial. (with carrier Vinaphone – xxxx is 20 numbers)
The secret here is that the operator’s syntax to replace the 4G sim card via USSD (Unstructured Supplementary Service Data) has been taken advantage of. Where xxxx corresponds to the series of white sim embryos that the bad guy owns.
If you follow the instructions, the victim’s sim will lose signal in a moment and can’t make outgoing/incoming calls, even restarting the phone. In fact, at this time, the victim’s phone number has been changed to a blank sim embryo prepared by the bad guys and they have full rights to use the victim’s phone number to listen/call, text/receive messages.
After hijacking the victim’s phone number, the bad guy can: impersonate fraud via sms messages, get otp codes of important accounts, activate credit cards, take over email accounts, social networks of victims , even with 2-layer security…
If the two carriers above added a warning step and asked users to confirm as Viettel did, the fraud cases would be greatly reduced. At the time this article was posted, both carriers have discontinued the sim replacement feature according to the above syntax.
However, to avoid unfortunate consequences, users should still equip themselves with knowledge and raise their vigilance against fraudulent tricks. When receiving messages, strange calls, users should take precautions to avoid providing information. Do not follow instructions from strangers to avoid unfortunate consequences. To verify information, users should contact the service provider’s switchboard directly. In case of negligently following the instructions of the bad guy, the user should immediately report it to the authorities, the service provider for support.
Additional from the article of Whitehat.vn