Police have arrested eight men in England and Scotland in connection with a series of subscriber identity module (Sim) swapping attacks that targeted athletes, celebrities, musicians and social media influencers, and saw cyber criminals illegally gain access to their mobile devices.
Working alongside the US Secret Service, Homeland Security Investigations, the FBI and the Santa Clara California District Attorney’s office, the National Crime Agency (NCA) was able to disrupt a network of UK-based criminals who targeted high-profile victims, stealing personal data, contacts and money, including bitcoin, and hijack social media accounts to post content and send messages posing as their victims.
Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit, said: “Sim-swapping requires significant organisation by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome.
“This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians.
“In this case, those arrested face prosecution for offences under the Computer Misuse Act, fraud and money laundering, as well as extradition to the US.
“As well as causing a lot of distress and disruption, we know they stole large sums from their victims, from either their bank accounts or bitcoin wallets.”
Creffield added: “Cyber criminality is not restricted by borders and our efforts to tackle it reflect that. This investigation is the result of successful collaboration with international partners in the US and Europol, as well as our law enforcement colleagues here in the UK.”
In a Sim-swapping attack, a cyber criminal will take over their target’s phone number by convincing their communications service provider (CSP) to deactivate their Sim and port the allocated number to a Sim that they control. This is typically done by taking advantage of a compromised or corrupt insider at the CSP or using social engineering techniques.
Once they have control of the phone number, they can access and change passwords on installed apps, which will typically result in them receiving reset codes via SMS message to reset passwords, denying the victim access to their accounts and giving the criminals free rein over the contents.
In this instance, the joint investigation notified targeted individuals, where possible, before the gang managed to cause any damage and provided advice and guidance on what to do next.
Assistant director Michael D’Ambrosio of the US Secret Service Office of Investigations, said: “The multi-jurisdictional arrests announced today illustrate the importance of building strong partnerships.
“The Secret Service would like to thank our domestic and international law enforcement partners for their steadfast commitment and cooperation in this case. The Secret Service and our law enforcement partners remain ready to combat transnational crimes and to hold offenders accountable.”
For their own protection, the investigators are not able to reveal the identities of those targeted.
Mijo Soldin, director of operator strategy and partnerships at Infobip, a supplier of mobile customer engagement services, said that because they exploit a perfectly legitimate process used by mobile subscribers when changing devices or networks, Sim-swapping attacks are low-hanging fruit for cyber criminals, and hard to stop.
“This type of fraud will only be stopped when a global verification standard is created to confirm a person’s mobile identity,” he said. “This standard needs to be set by telcos that have the information to verify an identity securely but, most importantly, in real time by checking the IMSI [International Mobile Subscriber Identity] number – or more simply put, ‘telecom account data’ – connected to the Sim card.
“If there is no concern, the authentication will happen silently in the background without interrupting the user experience. But if that IMSI number has changed, this will then be flagged as suspicious activity. The user will then be contacted by the service provider and asked for additional verification. It’s about ensuring security is synonymous with customer experience and trust.”
Without such measures, said Soldin, protecting yourself from Sim-swapping is a matter of being sensible about how much information you give away about yourself on social media, be cautious about what emails you open and respond to – particularly unsolicited ones from people or organisations you do not know – and pay more attention to password hygiene.
Even so, he added, this doesn’t necessarily prevent Sim-swapping. Most people will only find out they have become a victim when their phone stops working or money goes missing, by which point the damage has been done.