
I got Sim-Swap!

  1. #1
    SBTlauien African Astronaut
    The attacker had access to my phone number for about an hour before I had the number shut down. No cryptos were taken.

    This is how it went down...

    I first started receiving these messages from my phone carrier that were just sending me my four digit PIN as if I had forgotten. This happened twice, each on the weekend, and two/three weeks before the SIM swap occurred.

    Then on the day it happened, I got a message that said my PIN was changed and my email was updated. So I went online and sure enough my PIN was changed but my email was fine. I then called my carrier and found out that it was changed using the activation date. The rep also said something about someone calling and saying they were an employee from the store. We changed my PIN and he said he would put a note on the account that would make it so that the PIN could not be changed using the activation date.

    An hour later I got a message thanking me for joining metroPCS by T-Mobile. I had no phone service. I immediately used my secondary phone to call Boost who told me to fuck off since I'm no longer a customer. I then called MetroPCS who conferenced the call with Boost who then verified me using the PIN the perp placed on my account, and then MetroPCS disabled the phone.

    I then disabled my Coinbase account. At this point I noticed that the message I received from MetroPCS had a link to an Activation agreement and the file was a password protected PDF. The message said the password was the eight digit PIN set up on the MetroPCS account. I first wrote a little program to crack it but it was taking too long so I used PDFcrack and the password was '13371337' LOL.

    I then called MetroPCS and used that password to access the account, changed the PIN, put a high security password on the account, put my name and address on it. The next day I went to a store, bought a phone and had my phone number placed on the phone.
  2. #2
    1337 is a number used by hackers, you have been hacked sir
  3. #3
    Sophie Pedophile Tech Support
    You cracked the PDF, and the password was double l33t... Did you check to see if it was a MalDoc? It's going to have JS embedded into it if it does most likely. There are other ways to do it but I am betting it's going to be a JS dropper of some sort. Get REMnux in VM and run `pdf-parser`. If you manage to extract the malicious components be a doll and either post it here or send it in PM. I'd prefer PM because if this is used to target modern phones and it's being used in the wild then that will be of great interest to me.

    I'll even write you a shell script to auto-deploy REMnux if you're too lazy to do it yourself.
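A first-pass check of the kind suggested in the post above, as an added example that is not part of the original thread and is not `pdf-parser`'s own code. It counts the PDF names that usually warrant a closer look, decoding `#xx` escapes, over constructed sample bytes; `triage` and `active_names` are hypothetical names.

```python
import re

# Names that signal active content, plus two that limit what a keyword scan sees.
ACTIVE = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")
CONTEXT = ("/EmbeddedFile", "/Encrypt", "/ObjStm")

_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript and /JavaScript count as one name."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    """Count occurrences of each watched name in the raw file bytes."""
    counts = {k: 0 for k in ACTIVE + CONTEXT}
    for m in _NAME.finditer(data):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def active_names(counts: dict) -> list:
    """Names that mean the file should go to a full parser in a VM."""
    return [k for k in ACTIVE if counts[k]]

# Constructed sample: encrypted PDF with an auto-run action and escaped name.
SAMPLE = (b"%PDF-1.7\n"
          b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
          b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")

# Constructed sample: password-protected PDF with no active content.
CLEAN = (b"%PDF-1.4\n"
         b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R /Encrypt 3 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        counts = triage(blob)
        print(label, active_names(counts) or "no active names", counts)
```

A nonzero `/ObjStm` count means objects may be packed inside compressed streams, where a raw keyword scan cannot see them, so a clean result on such a file is not conclusive.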
  4. #4
    Sophie Pedophile Tech Support
    Oh I read that wrong. The cum swapper set double l33t as password to activate the number on his end.

    Lol he got BTFO'd.


    That said, I am still open to receiving any cool MalDoc TTPs should you have some.
  5. #5
    SBTlauien African Astronaut
    Yeah I essentially hacked the phone number back. The day after this happened, I got a couple of SMS messages from my new carrier that had OTP. That was the perp trying to access the account and probably trying to figure out why there was a password on the account.

    The sim-swappers are likely making a killing.

    I'm still wanting to know what they did to change my PIN. I'm guessing they called and said "I'm an employee at the Boost Mobile store and I need to locate a receipt. Can you give me the activation date so I can look up the receipt?" I bet the phone rep gave it out.

    Makes me wonder how they came across my phone number and email as well.

    Others on Reddit also had this happen and the PINs on the accounts were all "13371337"...
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by SBTlauien:

    > Yeah I essentially hacked the phone number back. The day after this happened, I got a couple of SMS messages from my new carrier that had OTP. That was the perp trying to access the account and probably trying to figure out why there was a password on the account.
    >
    > The sim-swappers are likely making a killing.
    >
    > I'm still wanting to know what they did to change my PIN. I'm guessing they called and said "I'm an employee at the Boost Mobile store and I need to locate a receipt. Can you give me the activation date so I can look up the receipt?" I bet the phone rep gave it out.
    >
    > Makes me wonder how they came across my phone number and email as well.
    >
    > Others on Reddit also had this happen and the PINs on the accounts were all "13371337"…

    I feel like there should be a way to harvest accounts that have been messed with en masse and just enter double l33t to activate and then steal the stolen stuff from the stealers in an epic cyber uno reverse on a mass scale.