British police have arrested eight men in connection with a series of SIM-swapping attacks which saw criminals hijack the social media accounts of well-known figures and their families.
The UK’s National Crime Agency (NCA) says it made arrests in England and Scotland as part of an international investigation working alongside the FBI, US Secret Service, Homeland Security Investigations, and the Santa Clara California District Attorney’s Office.
According to the NCA, the probe uncovered a network of UK-based criminals who seized control of victims’ phone numbers, and then broke into online accounts – with the intention of stealing money, cryptocurrency, and the contents of their address books.
The social media accounts of well-known influencers, musicians, sports stars, and their families were also hijacked by the attackers, who would change account passwords to lock out the legitimate owners.
Central to the attack was a SIM-swapping attack. These commonly occur when fraudsters manage to dupe customer support staff at a cellphone operator into giving them control of someone else’s phone number, or actually having a rogue insider working for them inside a cellphone company.
The consequence is that a criminal fraudster will now not only be receiving phone calls intended for their victim. They will also be receiving SMS messages – which may include the tokens used by some online services to authenticate a user logging into a system is who they say they are.
The NCA explained what that meant for account security:
“After gaining control of the phone number, they use the ‘change password’ function on apps, which leads to them receiving reset codes sent via SMS (or to subsequently compromised email accounts) to reset passwords.” “After changing the passwords, the victim is denied access and the criminals have free reign over their contacts, banking apps, emails and social media accounts.”
According to the NCA, the gang stole “large sums from their victims, from either their bank accounts or bitcoin wallets.”
SIM swap attacks have become more common in recent years, and as a result there has been a concerted effort by many to push for more secure methods of authentication than a token sent via SMS.
Just a few months ago, for instance, Microsoft urged users to stop using telephone voice messages and SMS text messages for multi-factor authentication and switch to authentication apps or hardware keys instead.
There’s also a need for those online services which still only offer SMS-based authentication to switch to superior and more secure methods. Back in 2019, the FBI warned about the dangers of SIM-swapping attacks to banks and others, advising the use of stronger forms of multi-factor authentication that were less easy to exploit.
The men arrested by the National Crime Agency are suspected to be members of the criminal group, and are all aged between 18-26 years old. They face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering. In addition they face the possibility of being extradited to the United States for further prosecution.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.