British police have arrested eight men in connection with a series of SIM-swapping attacks which saw criminals hijack the social media accounts of well-known figures and their families.

The UK’s National Crime Agency (NCA) says it made arrests in England and Scotland as part of an international investigation working alongside the FBI, US Secret Service, Homeland Security Investigations, and the Santa Clara California District Attorney’s Office.

According to the NCA, the probe uncovered a network of UK-based criminals who seized control of victims’ phone numbers, and then broke into online accounts – with the intention of stealing money, cryptocurrency, and the contents of their address books.

The social media accounts of well-known influencers, musicians, sports stars, and their families were also hijacked by the attackers, who would change account passwords to lock out the legitimate owners.

Central to the attack was a SIM-swapping attack. These commonly occur when fraudsters manage to dupe customer support staff at a cellphone operator into giving them control of someone else’s phone number, or actually having a rogue insider working for them inside a cellphone company.

The consequence is that a criminal fraudster will now not only be receiving phone calls intended for their victim. They will also be receiving SMS messages – which may include the tokens used by some online services to authenticate a user logging into a system is who they say they are.

The NCA explained what that meant for account security:

“After gaining control of the phone number, they use the ‘change password’ function on apps, which leads to them receiving reset codes sent via SMS (or to subsequently compromised email accounts) to reset passwords.” “After changing the passwords, the victim is denied access and the criminals have free reign over their contacts, banking apps, emails and social media (Read more...)