If you’re lucky enough to be famous, wealthy, or both, you might want to be more guarded about your digital life than the average person. That’s the lesson following a series of arrests in Europe. According to the authorities, a gang of hackers swapped and/or spoofed the phone SIM cards of celebrities to rob them.
It’s a sound tactic: Because two-factor authentication and password recovery is so often tied to a phone number, if you get that SIM card, you can effectively take over the person’s email, followed by social accounts, bank accounts, and backup data. It’s a personal, targeted variation of identity theft. According to a combined task force for the United Kingdom National Crime Agency and Europol, the hackers in question were targeting celebrities and other wealthy people, with lucrative results: Their hacks resulted in more than $100 million of losses in transferred cryptocurrency alone. More conventional bank transfers and stolen personal information were also among the losses.
The hackers used a combination of techniques, including calling up phone service providers claiming to be the genuine users in order to get their phone numbers associated with a duplicate SIM card. In some cases, hackers appear to have been working with an “inside man,” an employee at the phone company who can target specific accounts and get them transferred or duplicated without alerting the standard defense mechanisms.
Authorities arrested eight suspects in the UK, plus two more in Malta and Belgium, respectively. Worldwide police forces in the UK, Canada, Belgium, and Malta were involved, including the Secret Service, FBI, Homeland Security, and a California district attorney in the U.S. The attacks were targeted on the rich and famous around the world: actors, musicians, sports stars, and social media influencers.
But even those of us unlikely to ever make headlines can be vulnerable. Because the hackers specifically targeted cryptocurrency, it would make sense to advise anyone who’s active in crypto trading to take extra precautions. Be wary of posting any personal information used for password verification online, and be aware of attempted social engineering or “phishing” attacks.
Source: Ars Technica, Europol, National Crime Agency