Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management
Alleged SIM Swappers Charged Over Cryptocurrency Thefts
Attackers Bribed Employees of Verizon, AT&T, Authorities SayNine men have been charged in connection with an alleged SIM card swapping scheme that led to the theft of $2.4 million in cryptocurrency, the U.S. Justice Department says.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
Eight U.S. men and one Irishman were charged in two criminal cases with wire fraud and aggravated identity theft. Three of the men are former employees of mobile operators Verizon and AT&T.
The group, which called itself "The Community," sought out victims who held cryptocurrency accounts. The group socialized on forums, including HackForums and OGUsers, and planned their attacks using messaging apps such as Wickr, Telegram, Signal, Skype and Discord, according to the indictment, filed in federal court in Detroit.
Then, they sought to gain control of the victims phone numbers, the indictment says. The cryptocurrency thefts allegedly occurred between December 2017 and May 2018.
Stealing someone's phone number is sometimes referred to as a SIM swap or hijack. The attack can be accomplished by persuading a mobile operator's customer service to move a number to different SIM card - a swap - or port it to another carrier (see: Gone in 15 Minutes: Australia's Phone Number Theft Problem).
In other cases, attackers link up with an employee of a mobile operator, who may be able to bypass security mechanisms and transfer a subscriber's number.
Controlling someone's phone number is powerful because many online services use it as an authentication or verification channel. According to the indictment, The Community would sometimes request a password reset link for a victim's online account, which would then shift to a device they controlled. In other attacks, The Community had already obtained the password for a victim but needed the two-step verification code. If the victim had their account configured to have that code sent over SMS, it would end up with The Community, the indictment says.
Insider Help
Those accused of being members of The Community are Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut.
The former mobile phone employees are Jarratt White, 22 of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California.
"These employees - while not necessarily knowing the entirety of The Community's plans - were aware that they were assisting in the theft of identities of subscribers to their employer's services."
—Mark Koch, FBI Special Agent
"These employees - while not necessarily knowing the entirety of The Community's plans - were aware that they were assisting in the theft of identities of subscribers to their employer's services," according to the criminal complaint against the three men, which contains an affidavit from FBI Special Agent Mark Koch.
White was a contract employee of AT&T, and authorities allege that his actions supported $2.1 million of the total $2.4 million haul.
"He [White] was repeatedly bribed by JD, a member of The Community, to assist The Community with their attacks," the complaint says.
Robert Jack was also a contract employee with AT&T, the complaint says. He's accused of assisting with 12 unauthorized SIM swaps in May 2018. The third man, Fendley Joseph, was employed by Verizon. Joseph is accused of supplying personally identifiable information to The Community for use in impersonation attacks.
Soft Targets
Mobile operators have sometimes proven to be soft targets. Because these companies have so many customer service employees, attackers can keep trying to swap numbers if one representative says no.
Most operators allow customers to assign a PIN or security word that has to be presented before changes are made to an account. But mobile phone employees may not ask for the PIN, and such a measure may be undermined if attackers are working with an insider.
AT&T was sued in August 2018 by cryptocurrency investor Michael Terpin for allegedly failing to protect his phone number, which led to the theft of some $24 million in virtual currency (see: AT&T Sued Over $24 Million Cryptocurrency SIM Hijack Attacks).
Terpin's phone number was hit by two SIM swapping attacks, one of which he claims took place after AT&T put a six-digit security code to his account before changes could be made. He alleges that store employees either failed to follow security procedures or may have been complicit in the attack. AT&T has refuted the allegation.
Reuters reports that Terpin won a $75.8 million civil judgment in California Superior Court against a 21-year-old man who was arrested in connection with cryptocurrency thefts. That man, Nicholas Truglia of Manhattan, was arrested in November 2018, according to the New York Post. It doesn't appear federal criminal charges have been publicly filed yet against Truglia.