Cybercrime , Endpoint Security , Fraud Management & Cybercrime
Spanish Police Arrest 8 Over SIM Swapping FraudSuspects Used Phishing to Lure Victims, Spanish National Police Says
Spain's National Police Department, the Policía Nacional, says it has arrested eight members of an unnamed cybercriminal gang over SIM swapping fraud.
The suspects posed as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain personal information and bank details of victims before siphoning off money from their bank accounts, the police say.
One of the detainees is from Seville and the rest are from Barcelona, the police say, adding that they have been operating from these cities since March, targeting bank customers across the country. The timeline of their activities is based on two complaints of fraud the police received.
8 detenidos por defraudar a personas de toda #España mediante el #SimSwapping— Policía Nacional (@policia) February 10, 2022
Obtenían información de sus víctimas mediante mensajes maliciosos y engañaban a empleados de tiendas de telefonía para duplicar las tarjetas SIM y así vaciar sus cuentas bancarias#SomosTuPolicía pic.twitter.com/tKfZfOFckI
The suspects used "traditional" phishing methods, the Spanish police say. They contacted potential victims via email, SMS and instant messages, pretended to be trustworthy executives from banks or other unspecified organizations to obtain confidential personally identifiable information, such as bank passwords, credit card numbers and copies of victims’ Spanish national identity card, Documento nacional de identidad or DNI.
With this information, the suspects created fake DNI cards, used disguises to match the physical appearance of the legitimate DNI card owner and deceived telephone store employees to obtain duplicate SIM cards of the victims' phone numbers. Activating the duplicate SIM card would deactivate the original SIM - and the alleged threat actors used this to redirect security confirmation messages required to complete banking transactions to the duplicate SIM, the police say.
The detainees then laundered money using several bank transfers and digital instant payment platforms, the police say. "They used online banks from various European countries, and even on behalf of victims, to make it difficult to trace and locate the money," the police say.
The Spanish National Police Department has blocked 12 bank accounts used by the suspects to launder money, the statement says.
Spike in SIM Swapping Fraud
In the U.S., the Federal Bureau of Investigation on Feb. 8 issued an alert on the spike in SIM swapping attacks targeted at stealing both fiat and virtual money, including cryptocurrency.
Between January 2018 and December 2020, the FBI's Internet Crime Complaint Center, or IC3, received 320 complaints related to SIM swapping incidents, the report says. The adjusted losses accounted for about $12 million in that period.
The IC3 says the 1,611 SIM swapping complaints that it received in 2021 is nearly five times the number of SIM complaints received in 2019 and 2020, with the adjusted losses accounting for more than $68 million.
The FBI recommendations for mobile carriers include:
- Educate company employees by conducting training sessions on SIM swapping.
- Monitor incoming email addresses containing official correspondence to spot slight changes that help identify fraudulent addresses from legitimate ones.
- Set up stringent security policies and protocols that enable employees to verify customer credentials before accepting their SIM change or number change request to a new device.
- Verify and authenticate calls received from third-party authorized retailers requesting customer information.
Required Change in MFA Practices
SIM swapping attacks aren't new. Roger Grimes, a data-driven defense evangelist at cybersecurity firm KnowBe4, says these types of incidents have been around for over a decade and have "clearly resulted in billions being stolen in cryptocurrency and other financial crimes."
The U.S. government has been recommending against using SMS and phone number-based multifactor authentication since 2017, Grimes says, citing NIST Special Publication 800-63, the Digital Identity Guidelines.
But service providers and vendors continue to use these MFA methods even five years later, he tells Information Security Media Group.
U.S. "President [Joe] Biden's 2021 Zero Trust executive order also told defenders not to use it, along with other easily phishable MFA, like one-time codes and push-based MFA," he says. "Unfortunately, that describes 90% of MFA used by people today. SMS-based MFA has to be the most popular MFA option used on the internet and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it."