Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

Familiar Threat Actor Attack Tactics Find New Life

Familiar Threat Actor Attack Tactics Find New Life

Fashion. Music. Technology. So many aspects of our daily lives are constantly changing. What’s popular today might fall out of favor tomorrow… even though we know it will inevitably come back as vintage or nostalgic.

Cyclical trends exemplify how the modern world draws inspiration from the past, adapting old styles to new contexts or technologies — and threat actors are no different.

Threat actor behaviors are a significant driver of the dynamic nature of cyber risk. We can’t always say why a threat actor chooses to pursue a particular attack method, but we know they stick with what works. And in some cases, they even find ways to put a new twist on a classic tactic.

Coalition Incident Response (CIR)* has recently observed threat actors employing two tried-and-true attack methods that are leading to cyber insurance claims: SIM swapping and SEO poisoning. On the surface, these incidents might seem ordinary. The tactics have been used widely for more than a decade, albeit less headline-grabbing than ransomware or data breaches. However, changes in technology are making these familiar attack tactics easier and more lucrative than ever before.

SIM swapping attacks target self-service password reset

SIM swapping is an attack type in which a threat actor convinces a mobile carrier to transfer the victim’s phone number to a different subscriber identity module, or SIM card, that the attacker controls. This allows the attacker to intercept calls and SMS messages, including those used for multi-factor authentication (MFA).

SIM swapping dates back to the mid-2000s, primarily for identity theft and wire fraud. By 2013, threat actors were using the tactic to target high-value social media accounts and steal large amounts of personal data. In 2018, the FBI started tracking SIM-swapping incidents, and the frequency and severity of the attacks have steadily increased.

Familiar Threat Actor Attack Tactics Find New Life - 2

“SIM swapping isn’t new, but threat actors are getting creative with their approach,” said Shelley Ma, Incident Response Lead at CIR. “They’re developing insider contacts within all of the major mobile carriers and leveraging features, like self-service password reset (SSPR), to make these attacks seamless.”

CIR recently encountered a threat actor who executed a SIM swap on a healthcare executive’s mobile device and gained access to the company’s network through SSPR. The threat actor then exfiltrated sensitive data and demanded $5 million for its safe return.

“Attackers are adapting as necessary and layering in other tactics, like extortion. When a major software provider rolls out new security features, threat actors are going to look for new ways to exploit them,” said Ma. “Adding insult to injury, victims of SIM swapping often do nothing wrong. Even when businesses have strong security controls in place, it’s the technology and the insider help that enable these attacks, which can result in major financial losses.”

SEO poisoning attacks target cryptocurrency exchanges

Search engine optimization (SEO) poisoning is a technique that deceives search engines into promoting malicious web pages. By getting the malicious web pages to rank highly, unsuspecting victims are tricked into clicking malicious links that appear legitimate, which then enables threat actors to carry out different types of cyber attacks.

SEO poisoning emerged in the early 2000s, as threat actors exploited search engine algorithms, using tactics like keyword stuffing and backlinking to direct users to malicious websites. Over time, their techniques became more sophisticated, targeting trending search terms and compromising legitimate websites. In the 2010s, the rise of social media and mobile internet access created new avenues for SEO poisoning, and the evolution of attack tactics continues to this day.

“SEO poisoning is an ever-present threat that can be very difficult to defend against — and most people aren't aware of it at all.” — Alexander Ammons, Senior Incident Response Analyst, Coalition Incident Response

“SEO poisoning attacks are starting to involve more user action,” said Alexander Ammons, Senior Incident Response Analyst at CIR. “We’re seeing cryptocurrency scams in which the threat actor actually connects with the victim and uses social engineering tactics to gain access to additional accounts.”

CIR recently handled an incident in which a victim clicked a top-ranked link within a search engine, was redirected to a phony cryptocurrency exchange, and was duped into entering their credentials, ultimately resulting in the theft of more than $900,000 in Bitcoin.

“SEO poisoning is an ever-present threat that can be very difficult to defend against — and most people aren't aware of it at all,” said Ammons. “Even the lawyers and breach counselors we work with — who deal with cybersecurity incidents all the time — are amazed when malicious links appear as the first search result in a victim’s browser.”

How to advise clients on evolving cyber attack tactics

SIM swapping and SEO poisoning may be established attack tactics in the cybersecurity world, but they’re unfamiliar to the majority of people. So, while it’s important for brokers to stay informed about how these cyber risks are evolving, the main message to reiterate to clients is this:

Strong cybersecurity strategies include both security best practices and comprehensive cyber insurance coverage to help address the unknown and unexpected.

“The most straightforward way to address SIM-swapping risk is to disable SSPR entirely.” — Shelley Ma, Incident Response Lead, Coalition Incident Response

To address SIM swapping threats, Coalition recommends that businesses use a form of MFA that doesn’t depend on text messages or phone calls for verification. As with other cyber risks, we also encourage businesses to only grant employees access to the accounts and tools they need to perform their jobs.

“Unfortunately, SSPR makes it easier for threat actors to reset a SIM-swapping victim's password without them ever knowing it,” said Ma. “The most straightforward way to address this risk is to disable SSPR entirely.”

To address SEO poisoning threats, we encourage businesses to exercise the same level of caution when clicking hyperlinks in web browsers as they would with a phish-y email.

“You wouldn’t click an unknown link in a suspicious email, so why click it out in the wild?” said Ammons. “Businesses can’t afford to put such blind trust into search engines, knowing that threat actors are hiding malicious websites in plain sight.”

As always, continuous investment in tools and resources — such as security awareness training to educate employees about evolving cyber risks or endpoint security solutions to identify and block attempted malware infections — is the most effective way for businesses to keep pace with evolving cyber risks.

This article originally appeared in the June 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

*Coalition Incident Response is an affiliate firm made available to all policyholders via panel selection.
This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.