Many alleged SIM-swapping cyber-criminals have been arrested across Europe by police after the thieves stole more than $100m from US celebrities & their families.
The attackers ported victims’ cell phone lines, & then defeated 2FA to access accounts & apps.
8 people in the UK were arrested in connection with the crime ring, in addition to individuals in Belgium & Malta, according to Europol. A few suspects are still at large.
“The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians & their families,” says an alert from the organisation.
In a usual SIM-swapping attack, attackers use stolen or phished personal information – including, critically, a person’s mobile tel. number – to impersonate a target.
They contact the victim’s mobile carrier – easily discovered with an online search – & ask to port the line to a different SIM card/device, one controlled by the attackers. Thus, all incoming calls & texts are re-routed to the fraudsters.
This approach is straightforward to execute & offers numerous follow-on attack options. It allows crooks to bypass SMS-based 2-factor authentication (2FA). Then, it is easy to use the previously phished information to gain access to & take over online/mobile banking or other high-value accounts.
T-Mobile USA last summer was the victim of a major SIM-swapping fraud attack, which let hackers bypass 2-factor authentication & steal cryptocurrency from various victims.
Attackers can also access contact lists & mount impersonation attacks bent on spreading spyware or other malware, or on hooking more people in phishing schemes.
A report last Jan. found that many carriers don’t ask in-depth security questions that fully verify that a caller is in fact the legitimate cell phone user, making this type of attack easier than it ought to be.
In this new case, a network of criminals worked together to access the victims’ phone numbers & take control of apps or accounts by changing the passwords.
“This enabled them to steal money, cryptocurrencies & personal information, including contacts synced with online accounts,” explained Europol. “They also hijacked social-media accounts to post content & send messages masquerading as the victim.”
All of the targets were in the US, & the suspects face extradition.
“SIM-swapping requires significant organisation by a network of cyber-criminals, who each commit various types of criminality to achieve the desired outcome,” Paul Creffield, Head of Operations in the NCA’s National Cyber Crime Unit, commented in a notice this week.
“This network targeted a large number of victims in the US & regularly attacked those they believed would be lucrative targets, such as famous sports stars & musicians.”
Computer Misuse Act
“In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud & money laundering as well as extradition to the US for prosecution.”
He added, “As well as causing a lot of distress & disruption, we know they stole large sums from their victims, from either their bank accounts or Bitcoin wallets.”
The names of the victims have not been made public.
Protecting Against SIM Swapping
Everyone with a mobile phone can become a victim of illegal phone-number porting. However, best practices can be put into place to help defeat attacks:
- To stop criminals from accessing the personal information they need to carry out SIM-swapping, users should keep device software up to date to avoid exploits & malware infections.
- It is never a good idea to reply to emails or engage over the phone with callers who request personal information.
- Be aware of the amount of personal data shared online.
- Use multi-factor authentication that relies on something other than 1-time codes sent via text.
- Where possible, do not associate your phone number with sensitive online