My Story Of How I Was Hacked

About 1 week ago, I became a scam victim. I had thought that I was doing everything to keep myself safe from such a thing happening to me, but I was wrong.

Let’s consider why I believed that. I had my privacy-respecting Fairphone 5. I use a VPN most of the time. I use cash wherever possible. I do any financial online transactions on a Linux laptop where I have multiple users set up, and each online account has its own user with standard permissions. I set up as few internet-based accounts that require my personal information as possible. I use a secure browser. And I have a completely separate device for general browsing - also with a secure browser / VPN. I use email aliases exclusively when giving out my email address. I use secure, encrypted email and messaging. Some people might consider that my approach verges on paranoia. But I have learnt a hard lesson - due to the extent of internet crime in the UK currently, even those of us who take many precautions should never believe they are invulnerable.

What initially put me in harm’s way was that I decided to change my mobile data provider for my phone. I was already using Giffgaff because I had purchased one of their SIMs for my 4G router when I cancelled my broadband contract. I had had no problems with them, and this is where I made my first mistake - I should have done some research before putting one of their SIMs in my phone, but I didn’t. If I had, I would have discovered that many of their customers are victims of SIM swap scams. On their community board, there are numerous posts about this. If I had read these posts before migrating my phone over to them, it would have been a red flag and I almost certainly would not have gone ahead. But I did.

However, one thing I didn’t do, which I am really glad about now, was move my existing phone number over to them. However, nothing untoward happened in the 2 or 3 days, and I had moved many of my contacts and internet accounts over to the new GiffGaff number by the time I received an email from my bank that I was suspicious of. Because I always turn off marketing in my bank’s online settings, I never get annoying emails from them - so this was unusual. Apart from that, it looked completely authentic, but it did contain links. My bank admitted to me later that they do send out emails to customers containing links. They are one of the big 5 banks in the UK, so I think this is extremely bad practice.

At this point, I had received no incoming calls at all on my new number. I was worried about the email. I had recently started telephone banking with them, so I called the number that I usually use for that - the same as is on the back of my debit card. I immediately got a bad feeling about the ensuing conversation with the “bank employee”, but I knew I had called the correct number. At first, I believed I was talking to a member of the bank staff. And he assured me that he also had an account with this bank, had received the same email and clicked on the ‘Opt Out’ link. The problem was, I thought I was safe - with my secure browser, VPN etc. - so I did. But a message popped up that I had never seen. I hoped that whatever I had clicked on had been blocked. But after a few more minutes I was so concerned that I challenged the person I was speaking to. He was still encouraging me to click on the links in the email that I had received and I said that this would be exactly what a scammer would do. If he had been a genuine member of staff, he would not have done this. But, very strangely, he said nothing to try to reassure me that he was. Just ignored what I had said. The penny finally dropped and I terminated the call.

Of course, I felt really dumb. I had only ever heard of scam calls as being made by scammers. I didn’t realise that they could intercept a call in the way that had happened with me.

I called my bank again, this time using the 159 number which guarantees to divert your call to your bank. This time, I talked to a real member of staff who confirmed that the email that I had received was a scam. I also used a different phone from that moment onwards, different SIM card, different network provider.

First, I had to undo everything I had done - change my phone numbers on all my accounts / contacts, cancel my bank payment card that I had used with GiffGaff and do my best to make everything safe again, including cancelling my new giffgaff contract. I removed the SIM card from my Fairphone and put it in a dumb phone I had while I was doing all of this, as I could not completely avoid getting a few security codes sent through to it while I was changing everything back to my old number.

Once this was all done, I put my original SIM card with my old number back in my Fairphone - it could no longer detect the SIM. I tried a SIM card from a different phone - that wasn’t detected either. I thought that I had perhaps damaged the SIM card slot with all the changing of SIM cards, so I ordered a replacement part from Fairphone. But when it was fitted, the SIM card was still not being detected. I checked the part in my husband’s identical Fairphone and it worked fine. I didn’t know how it had happened, but I realised that the scam had bricked my phone. It would only work on wifi. The phone no longer had an IMEI number - it had had its identity stolen or erased, somehow.

I did some further investigation and pieced together what I think must have happened. During the call with the scammer, it looks like the phone’s baseband processor’s NVRAM had been corrupted by a signaling packet sent to my phone and bricked it when I ended the call. The scammer had employed an MITM attack on my phone to disable it. Perhaps to try to prevent me reporting to GiffGaff what had happened. My phone was purchased from Murena pre-installed and the OS was up to date - 3.7. I now know that this has happened to other Fairphone users. But, truthfully, I was also very unlucky. I don’t know if clicking on the link downloaded the malware or if it was sent by the scammer, and there was nothing that I could have done to stop it. But it is a security vulnerability and means that older Fairphone users should be much more careful than I was, and probably not choose GiffGaff as their network provider.

I am not blaming Murena - they quite possibly knew nothing about this. I suspect that Fairphone did (and if they didn’t, they should have done). It also seems that the newer Fairphone 6 users may be safe from this as they have newer firmware. I blame myself for not listening to my gut instinct earlier in the call. But, most of all, I blame the perpetrator of this hack who deliberately destroyed my phone because he realised he would achieve nothing from the time he had wasted talking to me.

I reported my phone previously to Murena as initially I thought the phone mainboard had failed and, as it is only 18 months old, I hoped that it might be replaced under warranty. But now I will update them on what I have since discovered. I would be happy to send the phone mainboard to them, if they would like to check it out further. If they don’t want that, I will just put it in a drawer for now. I am not really sure if I feel confident about using it, and am using my dumb phone for now.

I hope that, by telling you all my story, you might warn your friends and relatives about what happened to me. If that just saves one person from the experience that I have had, then it will have been worth it.

11 Likes

For sim swapping you need to have the physical SIM-card.

As far as I understood, the data which is stored inside the NVRAM cannot be accessible from a single scam call.

Can I ask how you knew you had bricked that?

Did you try to restore back to FairphoneOS?

I did reset it and also did a new update. It made no difference. I also updated the other Fairphone; that one was fine afterwards.

I suspect that hackers are accessing customer account details. If the customer has not set a PIN code, and the hacker knows the default code for Giffgaff SIM cards, which is well known, then initiating a SIM swap through Giffgaff is easy. The UK telecoms ombudsman has criticised Giffgaff for their poor security over how SIM swaps are handled. Physical access to the SIM is not necessary in their case.

2 Likes

I don’t know for certain. The phone no longer has an IMEI number - it has been wiped. This was no ordinary hack. But it probably needs to be forensically examined. I am not sure if Murena can do this.

2 Likes

Thanks for analyzing, reporting, and sharing your bad experience. Fortunately you are an advanced user who understands and digs into these things, but it’s so easy for the average user to fall into this trap.
I’m going to investigate SIM swap and MITM attacks, and warn my wife, who is using an FP6.

In my opinion, even if your experience can help others, there is no way it could be worth it.

not politically correct message, due to personal irritation against those people

Scammers destroy trust between fellow citizens; they are parasites of the worst kind, and as such they should be severely punished.

This flaw certainly deserves more investigation from both hw/sw sides, and to be taken very seriously, because it can happen in any country, with any mobile operator who has a poor security level.

Edit: not relevant
Also, because Murena are subject to frequent criticism about /e/'s poor security, it can be a positive signal to the community to show that they really care, and they take this kind of flaw seriously.

2 Likes

Thanks for the report and I understand how horrible it is when some creep has a script which can catch out, for example, individuals who have just “made a change”. This page, “Mobile networks must step up to prevent Sim-swap fraud - Which?”, for other readers, asks for a subscription just when you get interested but provides some idea of the structure of this scam.

4 Likes

I can’t agree more, after what happened. Recently, I have been trying to move over to using a password manager that uses tokens rather than relying on SMS codes. This has been successful to a point but, unfortunately, there are still a lot of websites, including some that I have no choice but to use, that don’t offer this form of authentication - anything apart from SMS codes in fact. SMS was never designed to be used for security. And the fact that so many people have no choice but to use these codes (or in some cases, don’t understand how to set up an alternative) is definitely part of the problem. However, Mobile Networks know this and need to do more to protect their customers. However, even if you could tell me today about a more secure Mobile Network that I could migrate to, that does a better job of this, I would probably still be nervous about doing it, after what happened.

1 Like

I don’t disagree, but as I am not a developer, I don’t know if Murena could fix a problem like this, which is a vulnerability in the firmware on the phones?

Sure! I missed this detail, but yes, if it’s due to the firmware then it’s more Fairphone’s side than Murena’s, I agree.

1 Like

Hello,

Thank you for sharing your experience.

In recent months, France has experienced numerous data breaches (CAF, ANTS, the Ministry of Education, etc.).

Similar cases have also occurred without any SIM card checks or swaps, carried out by individuals who now have access to bank account numbers, email addresses, phone numbers, and more…

The scenario is always pretty much the same: it involves an issue with overpayments or underpayments. To verify that everything is in order, a link is sent—and just like that, you’ve unfortunately fallen for it…

Even when you take precautions, these scenarios are really well crafted to make us doubt ourselves.

1 Like

This is very true. I have kept the initial ‘scam’ email, and 2 later ones which my bank said that they had sent and were legitimate. Apart from when they were sent, the emails, apart from the content, were identical. I studied them very carefully and could not see anything whatsoever, that might raise the slightest suspicion that it was not legitimate. When I spoke about this with my bank, they admitted that they do send emails all the time to customers containing links. Yet, here in the UK, the popular advice given to the general public is that the banks NEVER send out email containing links. I am not surprised people are confused and still being taken in by email scams.

2 Likes

I think that this could warrant a formal complaint in the case of this scam. In the UK Santander succeeded in protecting us from a less complex scam. Santander emails do contain links to insensitive material but I would be very sensitive to “the wrong sort of links”. Sensitive material is behind “secure messages” requiring account login.

Sounds to me that saying “we send links all the time” is unhelpful and a distraction.

If necessary the bank must review links that are sent so that the bank is not cooperating with the scam.

1 Like

Hi @linux_fangirl. Sorry about your misfortune. Do you check the headers of your emails? Thankfully with the more recent /e/OS releases this is now possible.

Murena uses a fork of K-9 Mail, and I get scammers on my separate K-9 Mail which I use for my business. It is always well worth checking your headers before doing anything else. I have been with giffgaff for a very long time and not had an issue.

What are the PIN numbers to utilise, is this to set a PIN on the SIM? As you can tell, I am not as knowledgeable as yourself on SIM scams.

Just to add, MMS can be used to brick a phone. Many years ago F-Secure was the first AV to discover this. This is a snarfing attack. If an unknown MMS arrives, don’t accept or reject it. Wait until you are out of range and it should disappear.

I did look at the headers and they looked exactly the same in the scam email that the bank told me they had not sent and the ones that they said that they had - which is very strange and I cannot explain. Re the PIN code, I set it, but not straightaway - there are so many things to do when you are changing your number, but that should have been my first one. However, I don’t think I was affected by a SIM swap because the phone number I was allocated carried on working and still is. Although it is just circumstantial, I wondered if a hacker was targeting new Giffgaff customers rather than existing ones like yourself. It all happened in a matter of days after I joined Giffgaff. I wasn’t actually a brand new customer - I have another SIM card from them which I use for my 4G router and I still am, as I am only part way through the contract. That is partly why I decided to get a SIM from them for my phone. Prior to this happening, I have been very satisfied with the service. And I hope that you continue to be too.

2 Likes

Just an aside here. My wife had an issue transferring funds recently. We use telephone banking and they are about to phase this out completely. This is quite appalling for elderly people who don’t use any internet connection.
I don’t think it is worth changing banks as I suspect they are all going to do this.

I set up telephone banking recently. I had intended to use it from now on. But after this happened, I backtracked and designated my /e/OS Google Pixel tablet just for banking. I set up the banking app and Proton Pass. I did not want to rely on SMS authentication codes after what happened. This way, I can log in without using SMS codes. After the hack, I wanted to check my statement daily to make sure that there were no dodgy transactions. But I am less confident about phone banking than I was, as this was how I was hacked on the giffgaff network. Obviously, I am no longer using that network now because I have reverted to my previous SIM / network. So, I should be OK to use phone banking again, but I fear that I will always be wondering if I am speaking to my bank or a hacker.

Two of the top five apps with trackers in my Advanced Privacy report are banking apps.

That says a lot about their level of privacy…

2 Likes