Celeb SIM-Swap Crime Ring Stole $100M from U.S. Victims

The attackers ported victims’ cell phone lines and then defeated 2FA to access accounts and apps.

A posse of alleged SIM-swapping cybercriminals has been rounded up across Europe by law enforcement after the crooks finagled more than $100 million from U.S. celebrities and their families.

Eight people in the U.K. were arrested in connection with the crime ring, in addition to individuals in Belgium and Malta, according to Europol. A handful of suspects remain at large.

“The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families,” according to an alert from the organization.

What is SIM-Swapping?

In a typical SIM-swapping attack, attackers use stolen, sleuthed or phished personal information – including, crucially, a person’s mobile phone number – to impersonate a target. They contact the victim’s mobile carrier – easily discovered with an online search – and ask to port the line to a different SIM card/device, one controlled by the attackers. In this way, all incoming calls and texts are re-routed to the fraudsters.

This approach is trivial to execute and offers a bevy of follow-on attack options. Most importantly, it allows crooks to bypass SMS-based two-factor authentication (2FA). From there, it’s easy to use the previously phished information to gain access to and take over online/mobile banking or other high-value accounts.

T-Mobile USA last summer was the victim of a major SIM-swapping fraud attack, which enabled hackers to bypass two-factor authentication and steal cryptocurrency from various victims.

Attackers can also access contact lists and mount impersonation attacks bent on spreading spyware or other malware, or to hook more people in phishing schemes.

A report last January found that many carriers don’t ask in-depth security questions that fully verify that a caller is in fact the legitimate cell phone user, making this type of attack easier than it should be.

Celebrity Swaps for Fun and Profit

In this latest case, a network of criminals worked together to access the victims’ phone numbers and take control of apps or accounts by changing the passwords.

“This enabled them to steal money, cryptocurrencies and personal information, including contacts synced with online accounts,” according to Europol. “They also hijacked social-media accounts to post content and send messages masquerading as the victim.”

All of the targets were in the U.S. – and the suspects face extradition.

“SIM-swapping requires significant organization by a network of cybercriminals, who each commit various types of criminality to achieve the desired outcome,” Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit, said in a notice this week. “This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians. In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the U.S. for prosecution.”

He added, “As well as causing a lot of distress and disruption, we know they stole large sums from their victims, from either their bank accounts or Bitcoin wallets.”

The names of the victims have not been made public.

How to Protect Against SIM Swapping

Anyone with a mobile phone can fall victim to illegal phone-number porting. Fortunately, it’s possible to put best practices into place to help thwart attacks:

  • To keep criminals from accessing the personal information they need to carry out SIM-swapping, users should keep device software up to date to avoid exploits and malware infections.
  • As always, it’s never a good idea to reply to emails or engage over the phone with callers that request personal information.
  • Be aware of the amount of personal data shared online.
  • Use multi-factor authentication that relies on something other than one-time codes sent via text.
  • When possible, do not associate your phone number with sensitive online accounts.
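
For services that still accept texted codes, the sequence described above (a number is ported, then SMS codes are used to change passwords) can be checked for on the server side. The following is an added example, not from the original article: it flags actions verified by SMS shortly after a SIM change on the same number. The event fields, the 72-hour window and the availability of a SIM-change timestamp (for instance from a carrier lookup) are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are hypothetical.
EVENTS = [
    {"ts": "2020-10-01T12:00:00", "type": "sim_change", "phone": "+12025550104"},
    {"ts": "2020-10-20T12:00:00", "type": "password_reset", "phone": "+12025550104",
     "account": "dave", "verified_by": "sms_otp"},
    {"ts": "2020-11-02T09:00:00", "type": "sim_change", "phone": "+12025550101"},
    {"ts": "2020-11-02T09:20:00", "type": "password_reset", "phone": "+12025550101",
     "account": "alice", "verified_by": "sms_otp"},
    {"ts": "2020-11-02T10:00:00", "type": "withdrawal", "phone": "+12025550101",
     "account": "alice", "verified_by": "sms_otp"},
    {"ts": "2020-11-03T08:00:00", "type": "sim_change", "phone": "+12025550102"},
    {"ts": "2020-11-03T08:30:00", "type": "password_reset", "phone": "+12025550102",
     "account": "bob", "verified_by": "totp"},
    {"ts": "2020-11-04T15:00:00", "type": "password_reset", "phone": "+12025550103",
     "account": "carol", "verified_by": "sms_otp"},
]

RISK_WINDOW = timedelta(hours=72)  # assumed policy value, tune per service


def flag_risky_actions(events, window=RISK_WINDOW):
    """Return (account, action, time since SIM change) for every action that
    was verified by an SMS code within `window` of a SIM change on that number."""
    last_sim_change = {}  # phone number -> time of most recent SIM change
    flagged = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_change":
            last_sim_change[ev["phone"]] = ts
            continue
        # Codes from an authenticator app or hardware key do not travel
        # with the phone number, so only SMS-verified actions are at risk.
        if ev.get("verified_by") != "sms_otp":
            continue
        changed = last_sim_change.get(ev["phone"])
        if changed is not None and ts - changed <= window:
            flagged.append((ev["account"], ev["type"], ts - changed))
    return flagged


if __name__ == "__main__":
    for account, action, delta in flag_risky_actions(EVENTS):
        print(f"HOLD {action} on {account}: SMS-verified {delta} after SIM change")
```

A flagged action would typically be held for step-up verification through a channel that does not depend on the phone number.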
