Europol, along with the Spanish and the Romanian national police, has arrested 26 individuals in connection with the theft of over €3.5 million ($3.9 million) by hijacking people’s phone numbers via SIM swapping attacks.
The law enforcement agencies arrested 12 and 14 people in Spain and Romania, respectively, as part of a joint operation against two different groups of SIM swappers, Europol said.
The development comes as SIM swapping attacks are emerging as one of the biggest threats to telecom operators and mobile users alike. The increasingly popular and damaging hack is a clever social engineering trick used by cybercriminals to persuade phone carriers into transferring their victims’ cell services to a SIM card under their control.
The SIM swap then grants attackers access to incoming phone calls, text messages, and one-time verification codes (or one-time passwords) that various websites send via SMS messages as part of the two-factor authentication (2FA) process.
As a result, a fraudster can impersonate a victim with an online account provider and request that the service sends account password-reset links or authentication code to the SIM-swapped device controlled by the cybercriminals, using which the bad actor can reset the victim account’s log-in credentials and access the account without authorization.
Attacks of this kind are successful even if the accounts are secured by SMS-based 2FA, thereby allowing the hackers to carry out data and financial theft by merely stealing the OTP codes sent by the website to the individual’s phone number.
The criminal gang in Spain, believed to be part of a hacking ring, is said to have orchestrated more than 100 such attacks, stealing between €6,000 ($6,700) and €137,000 ($153,518) from bank accounts of unsuspecting victims per attack.
In addition to leveraging malicious Trojans to steal victims’ banking credentials, the SIM swappers went on to apply for a duplicate SIM card by contacting their mobile service providers and providing fake documents. Upon activation of the duplicate SIMs, the criminals allegedly made fraudulent transfers from the victims’ accounts using the authentication codes the banks sent to the phones for confirmation.
The apprehended crime gang in Romania, which managed to steal over €500,000 ($560,285) from unsuspecting victims in Austria, employed similar tactics to take over their phones and withdraw money at cardless ATMs.
This is not the first time law enforcement has tackled the threat. Last November, two Massachusetts men were arrested for employing SIM swapping attacks to hijack victims’ social media accounts and steal more than $550,000 in cryptocurrency.
Although these kinds of attacks are unlikely to go away any time soon, there are plenty of things consumers can do to keep themselves safe: set up a PIN to limit access to the SIM card, delink phone numbers from online accounts, and use an authenticator app or a security key to secure accounts.
And, if you suspect you’re a victim of SIM swapping, it’s recommended that you contact your service provider, monitor your bank accounts for any suspicious transaction, and immediately change your passwords.