Researchers have uncovered a new version of the TrickBot trojan that steals PIN codes from mobile carrier websites. The webinjects target Verizon Wireless, T-Mobile and Sprint users and were added between August 5th and August 19th, 2019. When a user visits one of the affected websites, the trojan intercepts the legitimate server response and runs it through a Command and Control (C&C) server. The C&C server injects additional HTML and JavaScript into the page, which is then sent to the victim’s web browser. The malicious code activates TrickBot’s record functionality, which creates an additional form field. The additional field requests the victim’s username, password and PIN code, which are then stored on the C&C server. The research noted that stealing the mobile user’s PIN code suggests that a SIM swap fraud attack is the goal. A successful SIM swap attack would allow an attacker to take over the victim’s phone number, including all inbound and outbound text and voice communications.
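The injected form field described above is something a defender can check for by comparing the inputs a rendered login page contains against the set the site actually serves. The sketch below is an added example, not code from the research; the baseline field names and both HTML samples are constructed assumptions.

```javascript
// Added example: flag login-form inputs that the site never serves.
// EXPECTED_FIELDS and both HTML samples are constructed for illustration.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);

const CLEAN_HTML = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
</form>`;

// Same page after a webinject has added a PIN prompt (constructed sample).
const INJECTED_HTML = CLEAN_HTML.replace(
  "</form>",
  "  <input type='password' name='PIN' maxlength=8>\n</form>"
);

// Read one attribute from a single tag; handles "..", '..' and bare values.
function attr(tag, key) {
  const re = new RegExp(
    `\\s${key}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Name (falling back to id) of every <input> in the HTML, lower-cased.
function inputNames(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.map((tag) =>
    (attr(tag, "name") ?? attr(tag, "id") ?? "(unnamed)").toLowerCase());
}

// Inputs present in the page but absent from the served baseline.
function unexpectedFields(html, expected = EXPECTED_FIELDS) {
  return inputNames(html).filter((name) => !expected.has(name));
}

console.log("clean page:   ", unexpectedFields(CLEAN_HTML));
console.log("injected page:", unexpectedFields(INJECTED_HTML));
```

In a browser the same comparison would run over `document.querySelectorAll("input")`; the version here parses strings so that it runs offline.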