Spanish National Police has arrested eight alleged members of a crime organization who were able to steal money from the bank accounts of the victims through SIM swapping attacks.
Crooks conduct SIM swapping attacks to take control of victims’ phone numbers tricking the mobile operator employees into porting them to SIMs under the control of the fraudsters. Once hijacked a SIM, the attackers can steal money, cryptocurrencies and personal information, including contacts synced with online accounts. The criminals could hijack social media accounts and bypass 2FA services based on SMS used by online services, including financial ones.
In the case investigated by the Spanish authorities, the cybercriminal obtained personal information and bank details of the victims through malicious messages in which they posed as their bank.
The crooks were able to falsify official documents of the victims and use them to trick telephone store employees into providing them a duplicate of SIM cards. Once obtained the SIM cards, they were able to bypass SMS-based 2FA used to access bank accounts and steal the money.
“Agents of the National Police have dismantled a criminal organization dedicated, presumably, to bank fraud through the duplication of SIM cards.” reads the press release published by the Spanish National Police. “There are eight detainees based in Catalonia and acting throughout Spain who, through malicious messages and posing as a bank, obtained personal information and bank details to access the accounts of the victims whose identity they usurped through the falsification of official documents. With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank’s security confirmation messages. In this way they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”
The first SIM swapping attack attributed to this gang took place on March 2021, at the time Spanish police received two complaints about fraudulent transactions in different geographical locations in Spain.
Crooks laundered the defrauded money operating through bank transfers and digital instant payment platforms operating from the province of Barcelona.
The operation resulted in the arrest of seven people in Barcelona and one in Seville. The police also blocked the bank accounts of the suspects.
The FBI reported that US citizens have lost more than $68 million to SIM swapping attacks in 2021, the number of complaints since 2018 and associated losses have increased almost fivefold.
In 2018, the FBI Internet Crime Complaint Center (IC3) received complaints for 1,611 SIM swapping attacks, while the number of complaints in the period between 2018 e 2002 was 320 causing a total of losses of $12 million.
The FBI recommends individuals take the following precautions:
The FBI recommends mobile carriers take the following precautions:
(SecurityAffairs – hacking, SIM swapping)