Even more Friend.Tech users are claiming that they have fallen victim to SIM swap attacks with an estimated $385,000 worth of ether lost to such exploits since the start of this week.
The Friend.Tech code itself was not exploited. No users are at immediate risk. The application lets holders buy “shares” of people who hold an account on X which grants buyers certain privileges.
CoinDesk reported earlier this week that Friend.Tech users were starting to seemingly get targeted in SIM swap exploits.
The attacks have since continued and worsened: In the past 24 hours, three influential accounts from social app X, formerly Twitter, claimed they had been exploited, with the attacker making away with ether held by those accounts.
SIM Swap attacks are a common occurrence and happen when criminals take over control of a mobile phone by tricking service providers to connect that phone number to a SIM card in the hacker’s possession. Swapped phones can then be used for fraudulent activity.
“Been trying to debug and tried every possible email I could’ve used, can not recover the account anyhow,” X user @SalsaTekila said. “Lost all the ETH there, then on top people trading my worthless keys. Support doesn’t help, regurgitates the same automated response.”
Friend.Tech developers today seemed to take steps to mitigate attack vectors by introducing a feature that lets users change their login methods – which could help prevent attackers from gaining access to accounts merely by SIM swapping.
Security experts speak
Social application Friend.Tech has become one of the most popular crypto platforms this year, despite the bear market, generating steady revenues and profits for its creators. The application amassed over 100,000 users in under two weeks after going live.
However, security risks remain a large cause of concern for any crypto platform. Hackers may employ techniques from smart contract manipulation or flash loan attacks, to using a traditional method to exploit wealthy users.
Players of the mobile industry-focused crypto project told CoinDesk in a message that while such SIM swap-based risks remain, there is a small window wherein a potential exploit can be mitigated.
“When a hacker attempts a SIM swap, defending against it can be straightforward: initiate full re-authentication, encompassing both email and ID, as though it were a new account setup,” shared Micky Watkins, founder of World Mobile Group, in a message to CoinDesk. “A challenge arises when a number port is involved. An attacker could visit a mobile store, impersonate the account holder using a business card, and then request to port in their mobile number.”
“The porting process has a tight window, and during this period, the genuine user might miss crucial warning signs. Once the attacker successfully ports the number, they can intercept two-factor mobile-based authentications. Hence, a robust defence mechanism involves using dual –BOTH– authentication methods: email and phone number for any new device, or better yet, implementing two-factor APP-based authentication,” Watkins added.