This week, the US Department of Justice (DoJ) said that Stephen Defiore, a Florida resident, accepted “multiple bribes” of up to $500 per day to perform the switches required to reroute phone numbers in SIM-swapping. SIM-swapping is quickly becoming a serious issue for telecommunications firms – made worse when employees, who have access to internal systems – are involved. These attacks require either internal help or the use of social engineering to convince a carrier to reroute calls and text messages from one handset to another. SIM-swapping is often performed to circumvent security controls including two-factor authentication (2FA) and to compromise accounts for services including banking and cryptocurrency wallets. The victims may only have a small window of time to rectify the situation once they realize that phone calls and messages are not being received – but by the time they reach their service provider, attackers may have already secured the second-level security codes required to hijack other accounts. Rather than go through the effort of obtaining enough information on a target to successfully manage to pretend to be the victim on a phone call, some attackers try to recruit insider help. In this case, between 2017 and 2018, Defiore was a sales representative for an unnamed carrier. The 36-year-old accepted bribes of roughly $500 to perform SIM-swapping on behalf of someone else. For each case, he would be sent a phone number, a four-digit PIN, and a SIM card number to be swapped with the victim’s handset details. At least 19 customers were targeted and prosecutors estimate that the employee received $2,325 in bribes. Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months probation, a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution. Last year, Europol took down a massive SIM-swapping ring responsible for the theft of millions of euros. Operations Quinientos Dusim and Smart Cash combined law enforcement from multiple countries in the region, leading to multiple arrests.
Previous and related coverage
Europol takes down SIM-swap hacking rings responsible for theft of millions of eurosAuthorities arrest SIM swapping gang that targeted celebritiesSIM swap horror story: I’ve lost decades of data and Google won’t lift a finger
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0