Spanish National Police has arrested eight suspects allegedly part of a crime ring who drained bank accounts in a series of SIM swapping attacks.
They presumably spoofed the targets’ bank in phishing messages via email, SMS, or direct messages on social media platforms, according to a press release published today.
By means of phishing, the suspects obtained the sensitive personal information needed to impersonate the potential victims and deceive phone store employees into issuing new SIM cards with the same number.
Finally, they used the victims’ phone numbers to obtain the one-time passwords that protect e-banking accounts, accessed them, and promptly drained up all the available funds by transferring them to accounts under their control.
The first case of fraud attributed to this particular SIM swapping gang is from March 2021, when the police received two complaints about fraudulent transfers not performed by the account holders.
While the fraudsters attempted to launder the amounts through several bank transfers and digital instant payments, the investigators could still trace them.
The crackdown operation resulted in the arrest of seven people in Barcelona, one in Seville, and the blocking of an equal number of bank accounts.
Obtenían información de sus víctimas mediante mensajes maliciosos y engañaban a empleados de tiendas de telefonía para duplicar las tarjetas SIM y así vaciar sus cuentas bancarias#SomosTuPolicía pic.twitter.com/tKfZfOFckI
— Policía Nacional (@policia) February 10, 2022
The menace of SIM swapping
SIM swapping is an attack that involves the porting of someone’s phone number to a new SIM card, used by threat actors to obtain access to accounts protected with SMS-based two-factor authentication (2FA).
The worst cases of compromise concern large sums of cryptocurrency investments, but e-bank accounts can also be inviting targets, as seen in this case.
A sudden loss of network signal on your smartphone should be treated as a sign of trouble, and, in most cases, the account owner has mere minutes to react and change the 2FA method to email or an authentication app.
If the option is offered, you should always use an alternative to the SMS 2FA method. If SMS is the only way, you should use a private phone number used exclusively for that purpose and avoid sharing it with anyone.
Just yesterday, the FBI issued a warning about criminals escalating SIM swap attacks, as shown by over 1,600 SIM swapping complaints the law enforcement agency received last year.
SIM hijacking is behind financial losses of tens of millions each year (more than $68 million in adjusted losses in the US alone in 2021), so this is not something to be taken lightly.