Florida police made an arrest last month in an alleged “SIM-jacking” ring, with court documents claiming the scammers involved stole SIM cards belonging to other individuals and used them to amass a small fortune.
Fraudulently obtaining a victim-specific SIM card, a small smart card that associates a mobile device with a specific subscriber’s account, allows an attacker to remotely seize control of the victim’s phone number. That’s a big problem, seeing as many major services from cryptocurrency exchanges to Amazon allow users to recover or change account credentials by using an associated number.
Per the Verge, court records first dug up by security researcher Brian Krebs show that investigators in Canton, Michigan first learned of the alleged scheme when a mother overheard her son pretending to be an AT&T employee on the phone.
Searches of his computer revealed databases of names and phone numbers from both AT&T and T-Mobile customers, eventually discovering he had a obtained large number of SIM cards tied to victims in at least seven states, some of whom said that they had been pilfered of tens of thousands or even hundreds of thousands in cryptocurrency.
That suspect, referred to as CS1 in court documents, eventually led investigators to an alleged SIM-jacking ring based on chat services Discord and Telegram. According to the court documents, the group operated by obtaining personal information on victims and then either bribing or impersonating cellular service company employees to obtain a “new SIM card activated with the victim’s information”. From there, it was simple to compromise the victim’s email accounts and cryptocurrency wallets.
“Once the funds were in wallets controlled by the group, the victims’ funds were split and distributed into the fraudsters’ individual wallets”, the complaint reads. “The group would launder the funds by using online cryptocurrency exchanges to exchange one cryptocurrency (ie: Bitcoin) to another (ie: Monero)”.
The scammers would then allegedly transfer the cryptocurrency into another wallet before re-laundering it into another cryptocurrency and sending it to a clean wallet that appeared legitimate.
According to the court documents, investigators with the Pasco Sheriff’s Office in Florida arrested a man named Ricky Handschumacher, who they said bragged about using proceeds from the scam to purchase vehicles in the Discord server and whose identity was confirmed from Coinbase records.
“Handschumacher confessed to his involvement in the crime post Miranda and admitted to using his cell phone to launder cryptocurrency in amounts greater than $US100,000 ($136,930)”, the complain concludes.
Krebs wrote that the court documents imply that the scammers even discussed stealing from one of the two Winklevoss twins, though it’s not clear how serious they were:
The Pasco County Sheriff’s office says their surveillance of the Discord server revealed that the group routinely paid employees at cellular phone companies to assist in their attacks and that they even discussed a plan to hack accounts belonging to the CEO of cryptocurrency exchange Gemini Trust Company. The complaint doesn’t mention the CEO by name, but the current CEO is bitcoin billionaire Tyler Winklevoss, who co-founded the exchange along with his twin brother Cameron.
According to Motherboard, SIM-jacking is an increasingly common scam, with one popular target being rare or interesting handles on Instagram or other social media sites:
In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $US500 ($685) and $US5 ($7),000 ($6847), according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $US40,000 ($54,772) worth of Bitcoin.
Controlling a phone number allows for an attacker to bypass most forms of security, including two-factor authentication.
“Most systems aren’t designed to deal with attackers taking over phone numbers. This is very, very bad”, Celsus Advisory Group intelligence and research director Roel Schouwenberg wrote in a blog post last year.
“Our phone number has become an almost irrevocable credential. It was never intended as such, just like Social Security Numbers were never meant as credentials. A phone number provides the key to the kingdom for most services and accounts today”.
In July, California police arrested a college student they accused of being part of a SIM-jacking ring that stole over $US5 ($7) million from more than 40 victims. According to Motherboard, authorities slapped 28 charges on the suspect, 20-year-old Joel Ortiz, with sources saying he was “arrested at the Los Angeles International Airport on his way to Europe”.
[Krebs on Security via The Verge]