Data Breach

Threat actor is selling a dump allegedly including 2,5M customers of service provider Ho Mobile

A threat intelligence analyst discovered a threat actor selling a database of the Italian mobile service provider Ho mobile.

Threat intelligence analyst @Bank_Security first spotted, on a popular hacking forum, a threat actor selling a dump that allegedly contains the database of the Italian mobile service provider Ho mobile.

Ho mobile is an Italian mobile telephone service offered by Vodafone Enabler Italia, an Italian virtual mobile telephone operator.

Threat intelligence analyst Bank_Security specializes in cybercrime and fraud. He discovered the ad during ordinary monitoring activity and decided to warn users because SIM swapping is a hot topic in Italy's underground communities.

The dump allegedly includes 2,500,000 customers’ records and other data that can be exploited by hackers for SIM swapping attacks.

He told me that he wants to avoid possible bank fraud via SIM swap, phishing, or vishing attempts.

At the time of writing, the threat actor has shared a sample of 10 Ho Mobile customers. The entire database is available for sale, but the threat actor has not set a price and expects an offer from a potential buyer.

Below is the list of fields for the records in the exposed sample:

birthDate: xxxx-xx-xx
email: xxxx@xxxx.xxx
emailVerified:
address: xxx xxxxxxx
addressId: xxxxx
addressType: x
city: xxxxxx
country: Italia
deleteFlag:
province: xx
streetNum: x
zipCode: xxxxx
address:
addressId: xxxxx
addressType: x
city: Genova
country: Italia
deleteFlag:
province: GE
streetNum:
zipCode:
address: xxx xxxxxx
addressId: xxxxx
addressType: x
city: xxxxxx
country: Italia
deleteFlag:
province: xx
streetNum: x
zipCode: xxxxx
endUserCommercialAssent:
endUserContractNumber:
endUserGpsAssent:
endUserHabitsAssent:
fiscalCode: xxxxxxxxxxxxxxxx
gender: M
hasPaid:
name: xxxxxxx
nationality: Italia
surname: xxxxxx
age: xx
customerId: xxxxx
customerIdHash: xxxxxxxxxxxxxxxxxxxxxxxxxx
customerStatus: ACTIVE
hasAccount: x
isMissingData:
piva:
phoneNumber: xxxxxxxxxx
phoneNumberContractNumber:
masterDealerId:
masterDealerName:
pdvAddress:
pdvCity:
pdvId:
pdvName:
pdvPiva:
pdvProvince:
pdvStreetNumber:
pdvZipCode:
phoneNumberCommercialAssent: x
phoneNumberGpsAssent: x
phoneNumberHabitsAssent: x
phoneNumberHash: xxxxxxxxxxxxxxxxxxxxxxxxxx
phoneNumberReasonId: x
phoneNumberStatus: ACTIVE
phoneNumberThirdPartiesAssent:
roleEndUser: B
simActivationDate: xxxx-xx-xx
simCapacity: 128K
simExpirationDate: xxxx-xx-xxT00:00:00.000+02:00
simHlr: xxxxxxx
simIccid: xxxxxxxxxxxxxxxxxxx
simImsi: xxxxxxxxxxxxxxx
simPuk: xxxxxxxx
simReasonId:
simStatus: Attivo

In the forum thread, the actor said he already dumped the customers’ data and claims that “only the phone number and ICCID are needed to sim swap, so it will work unless operator send new SIM cards to all 2.5 million customers.”

At the time of this writing it was not possible to verify the authenticity of the data; we have to wait for an official statement from Ho Mobile.

“Privacy is a very hot topic nowadays. Unfortunately there are data breaches every day but when this data can be used to commit banking fraud via sim swapping, phishing or vishing to steal money from victims, this becomes an even bigger problem.” Bank Security told me. “Companies must invest more in cyber security because unfortunately it is only a matter of time before their data is sold, as in this case, on the various forums by cyber criminals.”

Stay Tuned ….

Update 29 December 2020

Ho Mobile issued a public statement saying that the company has no evidence of unauthorized, massive access to its IT infrastructure. Below is the statement issued by Ho Mobile (in Italian):

“Con riferimento ad alcune indiscrezioni pubblicate da organi di stampa, Ho Mobile non ha evidenze di accessi massivi ai propri sistemi informatici che abbiano messo a repentaglio i dati della customer base”

“With reference to some indiscretions published by the press, Ho Mobile has no evidence of massive access to its IT systems that have jeopardized the customer base data.” reads the statement published by the company.


Pierluigi Paganini

(SecurityAffairs – hacking, Ho Mobile)
