Eight cyber criminals were arrested in the UK and two more in Malta and Belgium last week for targeting famous internet influencers, sport stars, musicians, and their families in the United States with sim swapping attacks.
The criminal network targeted high-profile victims with sim swapping attacks throughout 2020, including well-known sports stars, musicians and influencers. According to the National Crime Agency, these hackers illegally gained access to victims' phones and stole more than $100 million either from their bank accounts or in cryptocurrencies.
Sim swapping attacks involve hackers targeting phones and deactivating the SIM and activating the number on a different blank SIM that’s controlled by hackers. This allows them to receive reset codes to change passwords of desired applications and blocking the victim from accessing their mobile phone or any installed applications.
Last Thursday, the National Crime Agency arrested eight suspects in England and Scotland, all aged between 18 and 26. These arrests were a result of a ‘year-long investigation jointly conducted by law enforcement authorities from the United Kingdom, United States, Belgium, Malta and Canada, with international activity coordinated by Europol.’
“Sim swapping requires significant organisation by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome. This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians,” said Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit.
“In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution. As well as causing a lot of distress and disruption, we know they stole large sums from their victims, from either their bank accounts or bitcoin wallets.
“Cyber criminality is not restricted by borders and our efforts to tackle it reflect that. This investigation is the result of successful collaboration with international partners in the US and Europol, as well as our law enforcement colleagues here in the UK,” he added.
The sim swapping attacks were first detected in Spring 2020, following which law enforcement authorities from the United Kingdom, United States, Belgium, Malta and Canada came together to investigate the scam and catch the culprits behind the crime. According to Europol, the cyber crime ring targeted thousands of people in the US, including celebrities, but did not divulge the names of any of the victims.
Commenting on the discovery of the lucrative sim swapping scam perpetrated by cyber criminals, Mark Crichton, OneSpan’s Senior Director of Product Management, said that SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication that, in some cases, passes on the problem of securing online accounts to mobile network operators.
“Users should be wary about using SMS as their primary form of two-factor authentication. Many financial institutions have already started to make the switch to Mobile PUSH notifications, which are inherently more secure than SMS.
“Mobile PUSH notifications have the added benefit of being protected with application shielding technology, while providing banks with a stronger interface for a frictionless user experience that meets customer's demands in this increasingly digital age,” he added.
Javvad Malik, security awareness advocate at KnowBe4, told Teiss last year that it's not just SIM swap that opens the door for attackers. We've seen growing instances of where attackers will use SMS as an attack vector themselves (SMishing), or phone up a victim and ask for the SMS code as proof of identity (which they go on to use to log onto the victims account).
“Over time, we will likely see the frequency and sophistication of attacks against SMS-based authentication increase. From a user perspective, the first step they should consider is to use a more secure, or genuine 2FA mechanism to sign onto their account. Where that is not possible, they should be educated on the risks around SMS attacks, and report any suspicious SMS's or phone calls to their IT teams.
“Similarly, organisations should look to deploy more robust 2FA options to their staff and customers, provide education and awareness of threats, and consider additional monitoring controls that can quickly detect where an account may be compromised,” he added.