Six people have been charged because they were supposedly SIM card swappers who have stolen the identities of their victims and their cryptocurrency and three mobile phone employees have been charged with accepting bribes to help them steal the identity of subscribers .
On Thursday, the federal prosecutors in the US district attorney for Michigan's eastern district said the six alleged hackers were part of a hacking gang called & # 39; The Community & # 39 ;. The gang allegedly carried out seven attacks that resulted in a cryptocurrency distance of more than US $ 2.4 million.
The unsealed charge costs Conor Freeman (20) in Dublin, Ireland; Ricky Handschumacher, 25, from Pasco County, Florida; Colton Jurisic, 20, from Dubuque, Iowa; Reyad Gafar Abbas, 19, from Rochester, New York; Garrett Endicott, 21, from Warrensburg, Missouri; and Ryan Stevenson, 26, from West Haven, Connecticut, with a conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.
How the crooks beat a sim swap
As we explained, SIM swaps work because phone numbers are actually linked to the phone's SIM card – SIM is actually an abbreviation for Abonee identity module, a special system-on-a-card that securely stores the cryptographic secret that identifies your phone number to the network.
Most mobile phone shops can issue and activate replacement SIM cards quickly, causing your old SIM card to die and the new SIM card to take over your telephone number … and your telephone identity.
This is useful when you get a new phone or lose your phone: your telephone company is happy to sell you a new phone with a new SIM card with your old number on it.
But if a SIM swap scammer can get enough information about you, they can pretend to be you and then social engineer it to switch from your phone number to a new SIM card that is under their control.
By stealing your phone number, the crooks receive your text messages together with your phone calls, and if you have set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least until you find your phone dead and convince your account providers that someone else has hacked your account.
Prosecutors claim that the Community has control over the cell phone numbers of victims and intercepts phone calls and text messages. They often bought help from a mobile provider to buy. Other times they used social engineering: contacting the customer service of a mobile provider; pose as the victim; and talk sweetly about the victim's phone number on one of their own mobile devices to a SIM card.
Prosecutors also claim that the community has bribed the other three individuals charged with indictment, all of whom are employees of mobile phone service providers – Jarratt White, 22, from Tucson, Arizona; Robert Jack, 22, from Tucson, Arizona; and Fendley Joseph, 28, from Murrietta, California. The three would have helped the hackers to steal the identity of subscribers.
The indictment claims that once the gang had control over a victim's phone number, they would use it as a gateway to gain control over online services such as email, cloud storage, and cryptocurrency exchange accounts.
The community gang members allegedly tried to hijack the cryptocurrency wallets or cryptocurrency exchange accounts of victims to remove them from funds. The indictment claims that the suspects have carried out seven attacks that resulted in the theft of cryptocurrency worth $ 2,416,352.
If he is convicted of a conspiracy to commit wire fraud, every defendant is faced with a legal maximum sentence of 20 years in prison. The costs of wire fraud each bear a legal maximum penalty of 20 years, while the aggravated identity theft to support wiring practices has a legal maximum penalty of 2 years imprisonment to be served sequentially for each penalty imposed on the underlying count of wire fraud. However, maximum penalties are rarely handed out.
A rising trend
In recent years, many examples have been seen of fraudsters who used SIM swaps to tap accounts.
A fixed infusion of them was arrested because they mainly came across cryptocurrency: in March, Joel Ortiz, a 20-year-old sim swap scammer accused of stealing $ 5 million in Bitcoin, was given a plea and sentenced to 10 years in prison .
In the past year and a half we have also seen SIM swappers who were arrested for hijacking phone numbers and using them to access e-mails, social media accounts and online Bitcoin wallets. In August 2018, 19-year-old Xzavyer Narvaez, known as one of the "best" SIM swappers out there, was accused of having stolen about $ 1 million in Bitcoin. He used the booty to buy beautiful sports cars.
Nicholas Truglia, 21, was also accused of stealing millions in Bitcoin last year. Part of that was $ 1 million that a Silicon Valley father had set aside for his daughter's study fund.
Another 21-year-old, Joseph Harris, was arrested in September for allegedly stealing more than $ 14 million in cryptocurrency.
What to do?
Whether it comes to withdrawing old bank accounts or Bitcoin accounts, the crime is of course extremely expensive for the victims who watch helplessly while their account is running out. The growing number of incidents has given rise to a regrettable number of times Naked Security has found out how to protect yourself against these SIM attacks.
The indictment announced on Thursday presents yet another one of those times.
So, again, here are those tips:
- Beware of phishing emails or fake websites that use crooks to get your usernames and passwords in the first place. In general, SIM swap crooks require access to your text messages as the last step, meaning that they have already found your account number, username, password, etc.
- Avoid obvious answers to questions about account security. Consider using a password manager to generate absurd and incomprehensible answers to the types of questions that scammers might otherwise work out of your social media accounts. The crooks may estimate that your first car was a Toyota, but that they will find out much less often that it was a car
- Use an on-access (real-time) antivirus and keep it up to date. A common way for scammers to retrieve usernames and passwords is through keylogger malware, which is low until you visit specific web pages, such as your bank's login page, and then take action to register what you type while you sign up. A good real-time anti-virus helps you block dangerous web links, infected e-mail attachments and harmful downloads.
- Be suspicious if your phone unexpectedly returns to & # 39; only emergency calls & # 39 ;. Contact friends or colleagues on the same network to see if they are also experiencing problems. If necessary, borrow a friend's phone to contact your cellular provider for help. Be prepared to attend a store or service center in person and bring proof of identity and other evidence to back it up.
- Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means that the crooks must steal your phone and retrieve your lock code to access the app that generates your unique set of login codes.
That said, Naked Security's Paul Ducklin advises that we should not consider switching from SMS to app-based authentication as a panacea:
Malware on your phone may force the authenticator app to generate the next token without you realizing it – and tricky scammers can even call you and try to trick you into reading your next login code, often pretending to be something are doing kind of "fraud control".
. (tagsToTranslate) cryptocurrency (t) law & order (t) mobile (t) uncategorized (t) cryptocurrency (t) identity theft (t) indictment (t) sim hijacking (t) sim swaps (t) the community (t) cable fraud