Multi-factor authentication works best but some attacks can circumvent it, warns FBI Watch Now

Europol, with help from local law enforcement, has made a series of arrests across Europe in a crackdown on SIM-swapping attacks.

Under the name "Operation Quinientos Dusim," Europol's European Cybercrime Centre (EC3), the Spanish National Police, and Spanish Civil Guard arrested 12 suspects across Benidorm, Granada, and Valladolid.

Law enforcement in Romania and Austria arrested a further 14 alleged members of a separate gang under "Operation Smart Cash."

See also: UK hacker-for-hire jailed for role in SIM-swapping attacks, data theft

The first hacking ring is believed to be responsible for the theft of over €3 million in a series of SIM-swapping attacks.

SIM-swapping attacks are becoming increasingly common as our mobile devices are now central hubs for accessing everything from social media to bank accounts. In order to conduct a SIM-swap, a cyberattacker will attempt to fool a mobile operator into transferring a victim's phone number to a SIM in their possession.

It might not take long for a victim to realize something is wrong with their phone as their service is cut off and their signal dies. However, this small window can be enough for threat actors to intercept calls and messages -- including one-time codes sent as part of multi-factor authentication -- leading to account compromise.

CNET: Facebook, Twitter take down Russia-linked accounts posting from African countries

The Spanish hacking ring under investigation by Europol used these techniques in tandem with malware to steal online banking credentials from mobile devices.

Once these credentials were in hand, the group applied for duplicate SIMs by "providing fake documents to the mobile service providers," Europol says, before performing the swap and intercepting security codes.

Fraudulent transfers were then made between "money mule" accounts.

In the cases of Austria and Romania, the SIM-swap setup was similar. Banking credentials would be stolen and one-time codes intercepted to log in to mobile banking apps, and this software was then used to make withdrawals at cardless ATMs -- relatively new forms of ATM that allow you to withdraw cash through mobile apps rather than traditional payment cards.

The cybercriminals claimed over 100 victims, stealing between €6,000 and €137,000 from bank accounts in each case, with an overall total theft of roughly half a million euros.

Investigations are ongoing.

TechRepublic: Nearly 300 cybersecurity incidents impacted supply chain entities in 2019

"SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours," said Fernando Ruiz, acting Head of Europol's European Cybercrime Centre. "Law enforcement is gearing up against this threat, with coordinated actions happening across Europe."

Last year, a British teenager was jailed for advertising himself as a hacker-for-hire with a particular proclivity towards SIM-swapping attacks. The 19-year-old was sentenced to 20 months behind bars for conducting SIM-swapping, stealing victim data, and supplying this information to those that hired him.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0