TrickBot

The unscrupulous operators of the TrickBot trojan -- one of today's most active and widespread malware strains -- are now capable of carrying out SIM swapping attacks, security researchers from Secureworks have told ZDNet today.

This is possible because over the past month, TrickBot operators have developed a new version of the malware that can intercept login credentials and PIN codes for Sprint, T-Mobile, and Verizon Wireless web accounts.

The data TrickBot collects can allow its operators to carry out a so-called SIM swapping attack[1], porting a victim's phone number to a SIM card under their control.

This would allow the TrickBot gang (or someone else) to bypass SMS-based multi-factor authentication solutions and reset passwords for a victim's bank accounts, email accounts, or cryptocurrency exchange portals.

During the last two years, SIM swapping attacks have been one of hackers' favorite techniques[2] for stealing money from unwitting and sometimes powerless victims, who often can't react fast enough to stop ongoing attacks[3] and are almost always left to deal with the aftermath for weeks and months.

Making matters worse, TrickBot has evolved from the tiny banking trojan operation it was when it started back in 2016 to an Access-as-a-Service model, where the TrickBot gang allows other crews to deploy malware on computers it previously infected.

This has allowed TrickBot authors to develop close ties to many other gangs in the cybercrime underground, and Secureworks fears they might use these connections to quickly share or sell the data they've been collecting over the past month.

"It is entirely possible that GOLD BLACKBURN [Secureworks' name for TrickBot] would sell on data obtained on mobile users to other criminal contacts who are

Read more from our friends at ZDNet