
Two men busted for hijacking victims’ phones and email accounts

Police busted two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining fat cryptocurrency wallets and hijacking OG social media accounts.

OG is short for “original gangster” and refers to high-value social media account names. They tempt account kidnappers because they’re short, such as @t or @ty; because they’re considered cool, such as @Sex or @Eternity; or because they belong to celebrities, such as the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few with a history of getting hijacked.

An 11-count indictment charges the two men – Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts – with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for their alleged crime spree, which stretched from November 2017 to May 2018 and stripped $550,000 worth of cryptocoins from at least 10 victims in the US.

The Justice Department (DOJ) said that besides SIM swaps, the two also allegedly used computer hacking to get what they were after.

Prosecutors allege that Meiggs and Harrington took over their targets’ mobile phone and email accounts via SIM-swapping: One would allegedly call a mark’s phone provider and, pretending to be that person, would sweet-talk the provider into transferring the number to a new SIM card.

How they get away with SIM swaps

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Of course, it takes time to discover that you’ve been SIM-swapped, and it takes time to notify your provider and explain it all. Crooks take advantage of that lag time to rifle through your accounts. Doing so gives them the ability to do many things, none of them good. We recently saw a victim who had his sex tapes whisked out from under him – after which the crook tried to sextort him, threatening to release the material if he didn’t pay up. We’ve seen bank account balances melt, and we’ve seen Bitcoin wallets drained.

Mixed results

Prosecutors say that Meiggs and Harrington didn’t always pull it off: their first two alleged attempts at getting at a would-be victim’s cryptocurrency wallet failed. They allegedly swapped the SIM, took over the target’s email accounts, and tried to communicate with one victim’s contacts, but then they couldn’t access the victims’ cryptocoin wallets.

They allegedly had better luck in four other cases.

In one case, they allegedly took over a mark’s Facebook and Gmail accounts and changed the passwords, locking out the victim. They allegedly reached out to that victim’s contacts, requested funds, and succeeded, talking the mark into sending them about $100,000 worth of cryptocurrency. As far as “Victim 5” goes, the duo allegedly took over their LinkedIn, Facebook, and Twitter accounts, as well as their cryptocurrency exchange accounts. They allegedly got $10,000 worth of cryptocurrency from that one, went on to phone his wife, and sent a text to his daughter telling her to…

TELL YOUR DAD TO GIVE US BITCOIN.

Ring a bell? It should if you savor stories about SIM swappers getting busted. That’s the same message, sent to a cryptocurrency investor’s daughter, linked to a then 20-year-old college student from – hello again, Massachusetts! – Boston who was arrested at the LA International Airport in July 2018.

Bound for Europe, the SIM swapper, Joel Ortiz, was lugging a Gucci bag: only one piece of swag among many that prosecutors said were bought with the proceeds of cryptocurrency that he ripped off in SIM-swap scams. He was accused of stealing $5 million in Bitcoin, copped a plea and, in February 2019, was sentenced to 10 years in prison.

The DOJ didn’t say that Ortiz was working with Meiggs and Harrington, but it wouldn’t be surprising if he were, given that all three are from Massachusetts and that they’ve all been linked to that “TELL YOUR DAD” text.

Besides the 2017-2018 cryptocurrency thefts, prosecutors allege that from 2015 to 2017 Meiggs also tinkered with taking over OG accounts via SIM swapping. He’s charged with taking over a victim’s phone number and then holding it for ransom in exchange for access to the targeted account.

In another case, Meiggs allegedly couldn’t be bothered with a SIM swap. Instead, he allegedly chose to threaten to kill the victim’s wife if they didn’t hand over the account.

What to do?

Here’s our advice on how to avoid becoming a victim:

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If you’ve already been SIM-jacked …

LEARN MORE ABOUT HOW SIM SWAPS WORK

Twitter hack section starts at 31’07”, SIM swapping at 33’00”.