Spanish police dismantled SIM swapping gang who stole money from victims’ bank accounts

Spanish National Police arrested eight alleged members of a crime ring specialized in SIM swapping attacks.

Spanish National Police has arrested eight alleged members of a crime organization who were able to steal money from the bank accounts of the victims through SIM swapping attacks.

Crooks conduct SIM swapping attacks to take control of victims’ phone numbers tricking the mobile operator employees into porting them to SIMs under the control of the fraudsters. Once hijacked a SIM, the attackers can steal money, cryptocurrencies and personal information, including contacts synced with online accounts. The criminals could hijack social media accounts and bypass 2FA services based on SMS used by online services, including financial ones.  

In the case investigated by the Spanish authorities, the cybercriminal obtained personal information and bank details of the victims through malicious messages in which they posed as their bank.

The crooks were able to falsify official documents of the victims and use them to trick telephone store employees into providing them a duplicate of SIM cards. Once obtained the SIM cards, they were able to bypass SMS-based 2FA used to access bank accounts and steal the money.

“Agents of the National Police have dismantled a criminal organization dedicated, presumably, to bank fraud through the duplication of SIM cards.” reads the press release published by the Spanish National Police. “There are eight detainees based in Catalonia and acting throughout Spain who, through malicious messages and posing as a bank, obtained personal information and bank details to access the accounts of the victims whose identity they usurped through the falsification of official documents. With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank’s security confirmation messages. In this way they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”

The first SIM swapping attack attributed to this gang took place on March 2021, at the time Spanish police received two complaints about fraudulent transactions in different geographical locations in Spain.

Crooks laundered the defrauded money operating through bank transfers and digital instant payment platforms operating from the province of Barcelona.

The operation resulted in the arrest of seven people in Barcelona and one in Seville. The police also blocked the bank accounts of the suspects.

This week, the Federal Bureau of Investigation (FBI) reported an escalation in SIM swap attacks aimed at stealing millions from the victims by hijacking their mobile phone numbers.

The FBI reported that US citizens have lost more than $68 million to SIM swapping attacks in 2021, the number of complaints since 2018 and associated losses have increased almost fivefold.

In 2018, the FBI Internet Crime Complaint Center (IC3) received complaints for 1,611 SIM swapping attacks, while the number of complaints in the period between 2018 e 2002 was 320 causing a total of losses of $12 million.

The FBI recommends individuals take the following precautions:

• Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
• Do not provide your mobile number account information over the phone to representatives that request your account password or pin. Verify the call by dialing the customer service line of your mobile carrier.
• Avoid posting personal information online, such as mobile phone number, address, or other personal identifying information.
• Use a variation of unique passwords to access online accounts.
• Be aware of any changes in SMS-based connectivity.
• Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
• Do not store passwords, usernames, or other information for easy login on mobile device applications.

The FBI recommends mobile carriers take the following precautions:

• Educate employees and conduct training sessions on SIM swapping.
• Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
• Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
• Authenticate calls from third party authorized retailers requesting

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

[adrotate banner=”5″]

[adrotate banner=”13″]