Spain’s National Police Agency, the Policia Nacional, said last week it dismantled an unnamed cybercriminal organization and arrested eight individuals in connection with a series of SIM swapping attacks that were carried out with the goal of financial fraud.
The suspects masqueraded as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain victims’ personal information and bank data before draining money from their accounts.
“They usurped the identity of their victims through the falsification of official documents and tricked employees of telephone stores into getting the duplicate of SIM cards, cards where they received security confirmation messages from banks that allowed them to empty their victims’ accounts,” the authorities said.
Seven of the arrests were made in Barcelona and one in Seville. As many as 12 bank accounts were frozen in connection with the illicit operation. The first known instance of fraud attributed to the gang is said to have occurred in March 2021.
SIM swapping, also known as SIM hijacking, is a malicious technique wherein criminal actors target mobile carriers to gain access to victims’ bank accounts, virtual currency accounts, and other sensitive information. The SIM swap is often facilitated through social engineering, insider threat, or phishing techniques.
The scheme involves an attacker pretending to be a victim, and getting the mobile carrier to switch the victim’s number to a SIM under their control. Alternatively, this can also be achieved by bribing an employee of the mobile carrier or tricking the employees into downloading malware used to break into systems and conduct the SIM swaps.
Once the phone numbers are ported, threat actors leverage the “identity” to perform account resets, bypass SMS-based two-factor authentication protections, and seize control of the target’s online accounts.
An Increase in SIM Swapping Fraud
SIM swapping is a growing form of cybercrime. It has cost victims thousands of dollars drained from their cryptocurrency wallets and bank accounts. In November 2021, U.S. prosecutors indicted a U.K. national for orchestrating a SIM-swapping attack to siphon $784,000 worth of cryptocurrency.
Then in December 2021, a sixth member associated with an international hacking group known as The Community was sentenced in connection with a multimillion-dollar SIM swapping conspiracy.
The arrests come as the U.S. Federal Bureau of Investigation (FBI) said that from January to December 2021, it received 1,611 SIM-swapping complaints that resulted in adjusted losses of more than $68 million. In comparison, the agency received 320 complaints related to SIM-swapping incidents from 2018 to 2020, with adjusted losses of about $12 million.