06
Feb 19

More Alleged SIM Swappers Face Justice

Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who’s built a solid reputation hijacking mobile phone numbers for profit.

According to indictments unsealed this week, Tucson, Ariz. resident Ahmad Wagaafe Hared and Matthew Gene Ditman of Las Vegas were part of a group that specialized in tricking or bribing representatives at the major wireless providers into giving them control over phone numbers belonging to people they later targeted for extortion and theft.

Investigators allege that between October 2016 and May 2018, Hared and Ditman grew proficient at SIM swapping, a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.

The Justice Department says Hared was better known to his co-conspirators as “winblo.” That nickname corresponds to an extremely active and at one time revered member of the forum ogusers[.]com, a marketplace for people who wish to sell highly prized social media account names — including short usernames at Twitter, Instagram and other sites that can fetch thousands of dollars apiece.

Winblo’s account on ogusers[.]com

Winblo was an associate and business partner of another top Oguser member, a serial SIM swapper known to Oguser members as “Xzavyer.” In August 2018, authorities in California arrested a hacker by the same name — whose real name is Xzavyer Clemente Narvaez — charging him with identity theft, grand theft, and computer intrusion.

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at more than $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car.

According to the indictments against Hared and Ditman, one of the men (the indictment doesn’t specify which) allegedly used his ill-gotten gains to purchase a BMW i8, an automobile that sells for about $150,000.

Investigators also say the two men stole approximately 40 bitcoins from their SIM swapping victims. That’s roughly $136,000 in today’s conversion, but it would have been substantially more in 2017 when the price of a single bitcoin reached nearly $20,000.

Interestingly, KrebsOnSecurity was contacted in 2018 by a California man who said he was SIM swapped by Winblo and several associates. That victim, who asked not to be identified for fear of reprisals, said his Verizon mobile number was SIM hijacked by Winblo and others who used that access to take over his Twitter and PayPal accounts and then demand payment for the return of the accounts.

A computer specialist by trade, the victim said he was targeted because he’d invested in a cryptocurrency startup, and that the hackers found his contact information from a list of investors they’d somehow obtained. As luck would have it, he didn’t have much of value to steal in his accounts.

The victim said he learned more about his tormentors and exactly how they’d taken over his mobile number after they invited him to an online chat to negotiate a price for the return of his accounts.

“They told me they had called a Verizon employee line [posing as a Verizon employee] and managed to get my Verizon account ID number,” said my victim source. “Once they had that, they called Verizon customer service and had them reset the password. They literally just called and pretended to be me, and were able to get my account tied to another SIM card.”

The victim said his attackers even called his mom because the mobile account was in her name. Soon after that, his phone went dead.

“The funny thing was, after I got my account back the next day, there was a voicemail from a Verizon customer service agent who said something like, ‘Hey [omitted], heard you were having trouble with your line, hope the new SIM card is working okay, give us a call if not, have a nice day.'”

RECKONING

The indictments against Hared and Ditman come amid a series of arrests, charges and sentences targeting admitted and suspected SIM swappers. Last week, Joel Ortiz — a 20-year-old college student valedictorian accused of stealing more than $5 million in cryptocurrency in a slew of SIM hijacking attacks — became the first to be convicted for the crime, accepting a plea deal for a 10-year prison term.

Many of the people being arrested and charged with SIM swapping were part of a tight circle of individuals who spent money almost as quickly as they stole it. The video below was posted to the Instagram account “0,” a username that was hijacked by Ortiz. The video shows a birthday party celebration for Xzavyer Narvaez at the Hyde Sunset club in Los Angeles. Notice the Twitter bird symbols at the bottom of each card brought out by the club’s female attendants.

Another video posted by Ortiz — to a hijacked, highly sought Instagram account “T” — shows members of this group dumping out $200 bottles of glow-in-the-dark Dom Perignon champagne onto designer watches that cost thousands of dollars each.

Also last week, 20-year-old Dawson Bakies pleaded not guilty in Manhattan Supreme Court to 52 counts of identity theft, grand larceny, and computer trespass tied to alleged SIM swapping activity. According to the New York Post, Bakies, who lives with his mom in Columbus, Ohio, allegedly called customer-service representatives posing as his victims and was able to port their phone numbers to a device he controlled.

In November 2018, authorities in New York arrested 21-year-old Manhattan resident Nicholas Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a Silicon Valley executive. Truglia also is being sued by cryptocurrency angel investor Michael Terpin, who alleges that Truglia used a SIM swap against AT&T to steal $24 million in cryptocurrencies from him.

WHAT CAN YOU DO?

SIM swappers tend to target people with plenty of funds in the bank or in cryptocurrency exchanges, but as my victim source’s story shows, they often also SIM swap individuals who only appear to be high rollers. In the process, they may also rifle through your personal email and try to extort victims in exchange for turning over access to hijacked accounts.

There are several steps that readers can take to insulate themselves from SIM swapping attacks. First and foremost, do not re-use passwords to important accounts anywhere else. Also, take full advantage of the most robust form of multi-factor authentication available for the accounts you care about.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.

If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks. If available, physical security keys are an even better option.
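Why an app-generated code stays out of reach of someone who has only taken over the phone number, shown as an added example that is not part of the original article: a minimal RFC 6238 TOTP generator with a server-side check. The `Verifier` class, the second key and the timestamp are constructed for illustration; the test secret is the one published in RFC 6238.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side (hypothetical class): keeps the enrolled secret, allows
    one step of clock drift, and refuses a code from an already-used step."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, drift: int = 1):
        self.secret, self.digits, self.step, self.drift = secret, digits, step, drift
        self.last_used_step = -1

    def check(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(max(0, current - self.drift), current + self.drift + 1):
            if s <= self.last_used_step:
                continue                         # replay of an accepted step
            expected = totp(self.secret, s * self.step, self.digits, self.step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_step = s
                return True
        return False


def demo() -> dict:
    now = 1_550_000_000                          # constructed timestamp
    server = Verifier(RFC_SECRET)
    # Handset that now owns the phone number: fresh app, no enrolled secret.
    # Its app can only compute codes from some other key (constructed here).
    swapped_handset = totp(b"fresh-install-other-key", now)
    # The enrolled phone computes the code locally; nothing is sent to it.
    enrolled_phone = totp(RFC_SECRET, now)
    return {
        "swapped_handset": server.check(swapped_handset, now),
        "enrolled_phone": server.check(enrolled_phone, now),
        "replayed_code": server.check(enrolled_phone, now),
        "drifted_clock": Verifier(RFC_SECRET).check(enrolled_phone, now + 30),
    }


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))
    print(demo())
```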

Further reading:

Hanging Up on Mobile in the Name of Security

Busting SIM Swappers and SIM Swap Myths

43 comments

  1. T-mobile, Verizon, and AT&T have each told me that they offer no option for 2fA for customers on *prepaid* accounts.

    They also didn’t offer an option to set a PIN to prevent a SIM swap, when I inquired a few months ago.

    One customer service person told me that prepaid accounts don’t need security, because they’re not tied to a SIM card, just a phone number.

    *face palm*

    • That’s interesting. I have a pin on my AT&T wireless account. I’ve had it for several years.

      • midnight rambler

        Mine from Verizon does as well, for a flip phone with a built-in (non-swappable) SIM.

      • I’m certain you either don’t have a prepaid account or you’re wrong about what that PIN protects.

        Prepaid account PINs only protect a casual attempt to view balance and address information. Whoever holds the phone can reset the PIN, making it incredibly easy to defeat with a little sleight-of-hand or social engineering.

        Prepaid accounts don’t get passwords, passcodes, or SIMs secured with a secondary PIN. They also don’t get multifactor authentication.

        I asked the major carriers for these security options a few months ago. They politely said “We only offer that on postpaid accounts.”

        • “I asked the major carriers for these security options a few months ago. They politely said “We only offer that on postpaid accounts.”

          Great ask, and what a lazy ass answer from the providers. Really? That is the best they can say?

    • If you’re one of the 4 people who still use prepaid they won’t target you to begin with

  2. The most serious thing being to give quality champagne to illiterate and uncultured Americans…a nation of profound morons with no history or culture.

    • Sadly, long history and rich culture offer no protection against profound morons in a nation.

      • In the story of Job, it was the youngest character who ended up being the wisest. Old age does not mean wisdom, youth does not mean ignorance, and culture does not mean quality.

        • And vice versa !
          Wisdom does not mean old age, ignorance does not mean youth, and quality does not mean culture.

          But remember, war is peace!

  3. hea did Wrong that he did Not lounder Money.
    Now days real criminals loundry their earnings.
    its silly just to show off your money.
    big drug dealers for example all do Construction business. mostly
    even Russian mob Now days lounder Money.
    You can steal yes but You have to pay taxes to goverment.

    first Rule pay tax and declare your earnings.

    IF You are so silly You should Not commit crime, crime is for educated People Only!

    • “It’s silly to show off your money.”

      Exactly this. If I were to put a number on it, I’d say ~75% or higher of people that do dumb crap like this show off their money and that’s how they get caught. Just this past week I was reading an article about a hacker that was bragging to his friend about how he made millions of dollars stealing Bitcoin. He went from having a normal car to a Lambo/Ferrari overnight and so many other obvious signs. The good news is, no matter how technically smart they are, their street smarts are incredibly stupid; just a matter of time before they get caught.

      • This is silly, nobody gets caught or even investigated because they suddenly became wealthy. People get rich all the time, buying a ferrari doesn’t raise any flags.

        This guy got caught because the people investigating the specific crimes he had committed managed to track those crimes back to him, flashy spending has absolutely nothing to do with it.

        • Suddenly rich, get jealous acquaintances. They rat you out.

          In France, they search the Internet for tax cheats.

          https://www.reuters.com/article/us-france-taxes-socialmedia/france-to-hunt-for-tax-cheats-on-social-media-idUSKCN1NF0JH

          • Yeah, if you’re shopping for luxury vehicles you should definitely be paying your taxes. Big purchases like that will lead to you getting audited if you aren’t filing your taxes properly, but even if you end up getting audited the taxman isn’t really going to care about where your money comes from.

            >Suddenly rich, get jealous acquaintances. They rat you out.

            Rat you out for what? The police isn’t going to investigate “Hey my friend got rich all out of sudden I think he’s doing crime”. If someone knows enough to rat you out, the spending isn’t your problem.

        • I think you missed the point. Nowhere was it mentioned that wealthy people automatically commit crimes. That’s absurd. When someone goes from zero to hero overnight — or close to it — yes, this absolutely is a red flag and you’d be foolish to think otherwise.

          “Hey, wasn’t that guy driving a Ford Pinto with Barbie’s First Jeep wheels on it just last week? Hmm… looks like today he has a Ferrari. He must’ve budgeted heavily, sold unnecessary belongings, took out a second mortgage, and sold his ex-wife’s wedding ring on eBay to buy it, because, well, ya know… there’s no way he didn’t get that legitimately!”

    • It takes a very stupid person to commit theft. Therefore they are going to do other stupid things. Criminals always have to watch their back. Because those looking to catch them, and the criminals they are with that will take from them too. And if you are a girl, you might as well be dead already. Only really stupid people put themselves in those situations intentionally.

    • Real, “…crime is for educated people only”, like people that can spell “launder”.

    • “Real”

      You win the internet today! How did you manage to type a paragraph, where every single sentence is WRONG?

      Surely even the paid Russian and Chinese trolls are capable of using Google Translate or spell check, is it really that difficult?

  4. Yeah, good article, it will be interesting to see if they actually go to jail, or be bailed out by some company. Or government.
    I guess it depends, on moral character, these were a best and brightest. But like in a mob, they chose to use their abilities to cheat rather than assist others. How sad. What a waste of talent.

    • These guys are posers, in the literal sense. They have no computer hacking skills that any government or company would be interested in. They are simply criminals.

  5. “They literally just called and pretended to be me..”

    How hard would it be for the provider to *require* verification that the person requesting password/sim change is actually a legit customer? After the request (and before making any account changes!) the rep would have to end the call and call the customer to confirm. No exceptions.

  6. 2-part question:
    1) even if you have 2FA turned on for your mobile ISP account, can’t it still be SIM swapped if someone goes directly to a service center and poses as you with all the right answers to the right questions? I mean, it’s hard to use Authy, GA, or even SMS when you lost your phone.
    2) if you use 2FA for other things such as PayPal, Amazon, etc… , if you have been SIM swapped, can’t the attacker simply install Authy or Google Authenticator on their imposter phone and still get past the 2FA for those? All they would need is to get around the initial password, which hopefully, after having hijacked your phone, won’t be in your email accounts associated with the phone.

    • It can happen, but in the overwhelming majority of cases involving SIM swaps and number port-out scams, the fraudsters are doing it over the phone or remotely. However, in many instances the attackers have an insider who can be bribed, threatened or tricked into helping the process along. That is why it is so important to remove the mobile companies and their phone numbers from any sort of authentication to accounts you care about. If that exposure is not there, the risk is way less. Unfortunately, many companies still let users reset their passwords using nothing more than a link sent via SMS. This seriously needs to change, and fast.

      If you haven’t already done so, please see the story linked at the bottom of the article. I had a chance to interview the REACT task force in Santa Clara, who are probably more versed in this crime than anyone in law enforcement at this point. Their comments speak to the above points:

      https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

    • I made the mistake of thinking the TOTP code was computed on the server and sent to the client (phone), which is why I asked the question. A little research taught me that the secret-key used to create the TOTP is a shared-secret that exists on the client (phone) and the server, created when the 2FA was set up, either manually or by scanning a QR Code. Thus, without the victim’s actual physical device (phone), the attacker can’t get the 2FA code from an authentication app. Even installing Google Authenticator or such on his own device, it won’t have the shared secret key.

      I really should’ve known that; I just wasn’t thinking.

  7. I’ve made a# of temps to get a hold of manyee too have been and r victims of someone’s BS put me and my husband s account s I fear r illegal my phone seem to have a mind of their own at times Krazy as it is all TRUE I’ve done a lot of investigating especially when I was receiving threats via text message email all distorted but mess clear I’m not savy with the internet but have indeed figured out a million and1 ways this possibilities I only dug into it due to what someone s EAS doing to me pissed me off
    Check into it please

  8. Someone help me understand. I have an authy account with a serious password. The app does not know my phone number, and it has no forgot password functionality that I have turned on. The keys are generated using a seriously strong algorithm, probably the same as a yubikey. How is that less secure than a yubikey?
    BTW, you will never get into my protonmail email for a password reset, even if you hack the server and download my emails.

    • If someone can get malware on your phone then it’s less secure than a Yubikey.

      (At this point, I think there’s an article about evil android software at least weekly.)

      I’m not saying you shouldn’t use Authy, just answering your question (I use a mix of systems.)

  9. Brian stated, “they may also rifle through your personal email.” Since I don’t leave email on the server nor in the cloud but download everything POP3, can they still resurrect the deleted email somehow?

    The ability to find corrupt employees is something we can’t control but severe penalties for those employees might deter a large number of them from taking a chance. Slap on the wrist versus 10 years in prison without any chance of parole works for me.

    Each employee signs off on watching a video of what happens to corrupt employees before starting employment. Yes, some will ignore this but a few examples of what will happen to you made very public will do the job of reducing the ranks of potential bribe takers.

    “…co-conspirators as “winBLO.” That nickname corresponds to…” Not a good nickname to enter a prison with 😉

  10. Excellent article and really solid advice for people at the end. Thank you Brian!

    Brian,
    Quick question…

    Do you have an update on what mobile carriers/providers are planning to do, or have done, to prevent these attacks in the future? I’ve read several articles, but you’re always a source I trust.

    I’m interested to see what the outcome of the T-Mobile and AT&T lawsuits will be.

    Thanks again!
    -Evan

  11. This is why I stick to precious metals, no one can hack into my home and steal my 1000 lbs safe! Just bought my most recent kilo of silver at bullion exchanges and I love stacking these bad boys!

    • If your “safe” weighs only 1,000 pounds but is large enough to hold a substantial amount of silver, it’s just a Residential Security Container (RSC) with a TL-5 rating.

      It’ll take 5-10 minutes for the local whack-job to get in, and a lot less time for someone who brings decent tools.

  12. I love you jimmy.

  13. You know what else you can do to protect yourself, as a user?

    Do not store your cryptocurrency wealth on an exchange! Withdraw the funds to a wallet that you control.

    Not your keys, not your coins.

    • Probably also avoid web based wallet systems, since those are periodically attacked.

      Personally, I wouldn’t invest in tulips. But sure…

  14. I stick to precious metals, no one can hack into my home and steal my 1000 lbs safe! Just bought my most recent kilo of silver at bullion exchanges and I love stacking these bad boys!
