Two men busted for hijacking victims’ phones and email accounts – Naked Security

0
192


Police busted two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining fat cryptocurrency wallets and hijacking OG social media accounts.

OG is short for “original gangster” and refers to high-value social media account names: tempting to account kidnappers either because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few with a history of getting hijacked.

An 11-count indictment charges the two men – Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts – with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for their alleged crime spree, which stretched from November 2017 to May 2018 and stripped $550,000 worth of cryptocoins from at least 10 victims in the US.

The Justice Department (DOJ) said that besides SIM swaps, the two also allegedly used computer hacking to get what they were after.

Prosecutors allege that Meiggs and Harrington took over their targets’ mobile phone and email accounts via SIM-swapping: One would allegedly call a mark’s phone provider and, pretending to be that person, would sweet-talk the provider into transferring the number to a new SIM card.

How they get away with SIM swaps

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Of course, it takes time to discover that you’ve been SIM-swapped, and it takes time to notify your provider and explain it all. Crooks take advantage of that lag time to rifle through your accounts. Doing so gives them the ability to do many things, none of them good. We recently saw a victim who had his sex tapes whisked out from under him – after which the crook tried to sextort him, threatening to release the material if he didn’t pay up. We’ve seen bank account balances melt, and we’ve seen Bitcoin wallets drained.

Mixed results

Prosecutors say that Meiggs and Harrington didn’t always pull it off: their first two alleged attempts at getting at a would-be victim’s cryptocurrency wallet failed. They allegedly swapped the SIM, took over the target’s email accounts, and tried to communicate with one victim’s contacts, but then they couldn’t access the victims’ cryptocoin wallets.

They allegedly had better luck in four other cases.

In one case, they allegedly took over a mark’s Facebook and Gmail accounts and changed the passwords, locking out the victim. They allegedly reached out to that victim’s contacts, requested funds, and succeeded, talking the mark into sending them about $100,000 worth of cryptocurrency. As far as “Victim 5” goes, the duo allegedly took over their LinkedIn, Facebook, and Twitter accounts, as well as their cryptocurrency exchange accounts. They allegedly got $10,000 worth of cryptocurrency from that one, went on to phone his wife, and sent a text to his daughter telling her to…

TELL YOUR DAD TO GIVE US BITCOIN.

Ring a bell? It should if you savor stories about SIM swappers getting busted. That’s the same message, sent to a cryptocurrency investor’s daughter, linked to a then 20-year-old college student from – hello again, Massachusetts! – Boston who was arrested at the LA International Airport in July 2018.

Bound for Europe, the SIM swapper, Joel Ortiz, was lugging a Gucci bag: only one piece of swag among many that prosecutors said were bought with the proceeds of cryptocurrency that he ripped off in SIM-swap scams. He was accused of stealing $5 million in Bitcoin, copped a plea and, in February 2019, was sentenced to 10 years in prison.