College student Joel Ortiz was convicted last week of stealing more than $5 million in cryptocurrency. He used a technique called SIM swapping to hijack the phone numbers of around 40 victims, taking over their numbers and then using them to access accounts and wallets containing bitcoin and other cryptocurrency.
SIM swapping is a relatively new attack, but one which can have devastating consequences. It relies on social engineering: getting phone company representatives to transfer a mobile number onto a new SIM card. It’s easier done than you might imagine; all you need is the phone number, some personal information and a new SIM to transfer the number onto. Many telecoms companies have been slow to update their security procedures in order to stop this attack.
Initially, SIM swapping was primarily used for stealing accounts and direct hacks. A mobile phone number will normally play a part in two-factor authentication to the administrator panel of many sites. The most common initial attack was to gain control of popular and valuable accounts on social media sites like Instagram. Many hugely valuable accounts have been taken over using these methods.
SIM swappers use the mobile phone numbers to get into email accounts, social media accounts and, more recently, bitcoin wallets. The possibilities are extensive, as phone numbers are often used as a default method to verify or reset ownership of these accounts. The idea was that mobile phone numbers were the safest form of identification and the least likely to be compromised. However, this is obviously changing as more and more similar phone-based attacks are revealed.
The attack is likely to remain popular, though, while so many of us are encouraged to link important accounts to mobile numbers. Another name for the attack is ‘the port out scam’, a name derived from the fact that the number is ported from one SIM or carrier to another. Many suggest that the attack has been used effectively for at least 8 years. There were some reports that the stolen mobile numbers are often used to relay through mobile proxies to spam or commit other crimes. However, the initial attacks didn’t target massive payoffs like the cryptocurrency crimes which we have seen recently.
One victim explained that she had lost her Instagram account, plus her Amazon, eBay and PayPal accounts too. The attackers had even stolen her Hulu and Netflix access, all within a few hours of porting her mobile number. This is a typical example of how the hackers get caught, though: each account leaves a potential trail back to the culprit’s IP address. Surprisingly, many don’t even use simple proxies or VPNs in order to hide their tracks, although this would make detection much more difficult.
Joel Ortiz has pleaded guilty and accepted a plea deal amounting to 10 years in jail. He was convicted in Santa Clara County, California and is believed to be the first person to be convicted for using this particular attack. There are many more SIM swappers awaiting trial, though, and it’s unlikely to be the last conviction. The last twelve months have seen a host of high-profile arrests within the ‘community’ as investigators become more skilled at both identifying the crime and tracking the culprit.
So who else has been caught? Well, there’s Xzavyer Narvaez, who allegedly stole around 1 million dollars in bitcoin; Nicholas Truglia, who is facing conviction for offenses of several million; and, possibly the biggest case yet, Joseph Harris, who is supposed to have stolen more than $14 million.
The convictions will hopefully show these individuals that although the hack is relatively simple and the rewards potentially huge, it’s not that simple to get away with it. For many years hackers and cyber criminals have discovered that committing the crime is one thing; by far the hardest part is staying hidden and getting away with it. Too often these individuals imagine that they can stay anonymous while sitting in their bedroom or parents’ basement conducting these attacks. That is extremely naive, and investigators have many options to track down and pursue the criminals.
In the US, most of the investigations have stemmed from a group known as the Regional Enforcement Allied Computer Team (REACT). The team receives hundreds of reports from SIM swapping victims and has developed extensive expertise in investigating them and tracking the culprits down.
The official sentencing of Joel Ortiz will take place on the 14th March, 2019.