Spanish law enforcement has arrested eight people suspected of running a SIM-swapping ring.
SIM-swapping attacks, also known as SIM hijacking, occur when criminals attempt to take over your phone number.
As our mobiles are now central hubs used in second-stage account verification, including through two-factor authentication (2FA) text messages or apps, being able to dupe carriers into handing over control means that victims may lose access to their online accounts and services.
SIM-swaps usually lead to the theft of funds from bank accounts and cryptocurrency wallets. Last year, a UK national was indicted by US law enforcement for allegedly performing a SIM-swap to steal $784,000 in cryptocurrency, and as one of our own writers experienced, funds can be stolen to make cryptocurrency purchases that are then sent to attacker-controlled wallets.
So-called ‘porting’ of a phone number occurs when a criminal uses stolen information and social engineering to pretend to be a carrier’s customer and makes the request for a number transfer or for a duplicate SIM to be sent out. Even if a victim quickly realizes something is wrong, a short time window is all that is needed to cause serious damage.
In the case investigated by Spain’s National Police, eight suspects allegedly used phishing texts, emails, and instant messages to masquerade as banks. Victims would then hand over their sensitive, personal data and bank details, providing the information required for social engineering attempts.
Now armed with this information, the suspects reportedly contacted carriers and requested duplicate SIM cards for their victims’ phone numbers.
SIM-swap attacks would then be performed, in which the telephone numbers linked to the bank accounts would, for a time, be under the criminal’s control. It was then possible for the cybercriminals to intercept the 2FA codes sent by the victim’s bank to access their accounts and conduct fraudulent transactions.
The police say that the suspects also “falsified official documents.” In particular, photocopies of Documento nacional de identidad (DNI) identity cards were shown to staff, in which photographs were manipulated to make the fraudster appear to be the legitimate handset owner.
The eight individuals, seven located in Barcelona and one in Seville, are being detained. According to the National Police, law enforcement first caught wind of the scheme in March 2021, when complaints were made relating to fraudulent bank transfers.
“Although the initial steps took place in remote places, the investigations led the investigators to the province of Barcelona, where those now detained laundered the defrauded money operating through bank transfers and digital instant payment platforms,” officers said.
In February, the Federal Bureau of Investigation (FBI) warned that SIM-swapping attack rates are increasing.
According to the law enforcement agency, from January 2018 to December 2020, 320 SIM-swapping attack complaints were recorded, with losses reaching roughly $12 million. In 2021 alone, 1,611 SIM-swapping complaints were made with estimated damages of at least $68 million.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0