Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.
On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.
The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.
How the crooks swing a SIM swap
As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number …and your telephonic identity.
That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.
But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.
By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.
Prosecutors allege that The Community got control of victims’ mobile phone numbers and intercepted phone calls and text messages. They often purchased help by bribing an employee of a mobile phone provider. Other times, they used social engineering: contacting a mobile phone provider’s customer service; posing as the victim; and sweet-talking their way into having the victim’s phone number swapped to a SIM card in one of their own mobile devices.
Prosecutors also allege that The Community bribed the other three people charged in the indictment, who are all employees at mobile phone service companies – Jarratt White, 22, of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California. The three allegedly helped the hackers steal subscribers’ identities.
The indictment claims that once the gang had control of a victim’s phone number, they’d use it as a gateway to gain control of online services such as email, cloud storage, and cryptocurrency exchange accounts.
The Community gang members allegedly tried to hijack victims’ cryptocurrency wallets or online cryptocurrency exchange accounts so as to clean them out of funds. The indictment alleges that the defendants executed seven attacks that resulted in the theft of cryptocurrency valued at $2,416,352.
If convicted of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years, while the aggravated identity theft in support of wire fraud charge carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud. Maximum sentences are rarely handed out, however.
A rising trend
The past few years have seen many examples of fraudsters using SIM swaps to drain accounts.
A steady drip of them have been arrested for going after cryptocurrency in particular: in March, Joel Ortiz, a 20-year-old SIM-swap scammer accused of stealing $5 million in Bitcoin, copped a plea and was sentenced to 10 years in prison.
Over the last 18 months or so, we’ve also seen SIM swappers arrested for hijacking phone numbers and using them to access emails, social media accounts, and online Bitcoin wallets. In August 2018, 19-year-old Xzavyer Narvaez, known as being one of the “best” SIM swappers out there, was accused of stealing around $1 million in Bitcoin. He used the loot to buy fancy sports cars.
Nicholas Truglia, 21, was also accused of stealing millions in Bitcoin last year. Part of that was $1 million that a Silicon Valley dad had put aside for his daughter’s college fund.
Yet another 21-year-old, Joseph Harris, was arrested in September for allegedly stealing more than $14 million in cryptocurrency.
What to do?
Whether they’re breaking into regular old bank accounts or Bitcoin accounts, the crime is obviously extremely costly for the victims who watch helplessly as their accounts drain. The growing tide of incidents has given rise to a regrettable number of times that Naked Security has found itself handing out advice on how to protect yourself from these SIM hijacks.
The indictment announced on Thursday presents yet another one of those times.
So, once again, here are those tips:
- Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
- Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a
87X4TNETENNBA. - Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
- Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
- Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.
Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:
Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.
anonymous coward
None of the tips at the end of the article will prevent a SIM swap “hijack,” when helped by a “bribed” phone company employee. They have 24-7 access to mobile accounts, so their gang can empty your accounts (that use SMS) while you sleep, and there’s zero that customers can do about the SIM swap preventatively.
What should have been included is for customers to never use their mobile phone number for 2 factor authorization or as a password reset option, for any online accounts of financial or personal consequence.
Hijacking an email account (or Twitter or Instagram or bank) with a great passphrase is harder than hijacking one that allows the password to be reset by SMS.
For 2 factor authorization, customers should instead use a physical key, a program like Google Authenticator, or a dedicated, second email account that isn’t on your phone (which can be stolen from your hands).
Mobile phones weren’t intended as identity authorizing devices, so the SMS system and SIM cards weren’t designed to prevent fraud. They are simple ways to communicate. Using them to be security tools is silly.
Paul Ducklin
Most services I have seen require your password plus the 2FA code to access the account in the first place, and won’t let you reset a forgotten password with a 2FA code alone (that would make it a 1FA code). So you have to know the password and do a SIM swap to initiate an account takeover, instead of just knowing the password.
Given that your passphrase has to be compromised up front in both cases, it’s hard to see how SMS 2FA makes an attack *easier*.
Zed
Actually, you can’t know the password in case you’ve forgotten the password, in the case of Facebook for example, all you need to reset a *forgotten* password is the 2FA code along with either the victim’s email address (easy to find) or his/her phone number (even easier since SIM swap was performed).
I think the only solution to prevent account takeover via SMS is to not trust any telecom company and to opt solely for authenticator apps as secondary authentication factor.