Scammers mixed together a malicious cocktail of social engineering, SIM-swapping, and remote desktop software to empty the bank accounts of at least three victims.
In total, victims lost more than $350,000. They were likely swindled by the same individuals since the modus operandi and some details were the same in all three cases.
The scams happened over the summer in Budapest and started with the ruse of a well-located apartment offered for sale below the market value.
Enticed by the offer, the victims showed their interest and responded to the ad, learning that the lower price was because the owner, who was living abroad, needed money urgently.
A “relative” of the owner acted as an intermediary for the transaction and promised potential victims more pictures of the property than shown in the original online ad, along with a video.
In two cases, the scammer convinced the victims to install AnyDesk remote desktop application to transfer the pictures and videos, Hungarian publication 24 reports.
Since AnyDesk is legitimate software, and the victims downloaded it directly from the developer’s website, there was no reason to suspect foul play.
The fraudster maintained access to the victim computer even after transferring the files and could search for sensitive info (documents, passwords, personal details) that would help them further in their scheme.
The goal was to log into the victim’s bank account and steal available funds; but with two-factor authentication (2FA) turned on, they also needed access to incoming messages on the mobile phone.
So they ran a SIM-swap scam, essentially tricking mobile service provider employees into activating a new SIM card with the victim’s phone number. At this point, the original SIM card becomes inactive and loses connection to the network.
At the same time, the fraudster’s new SIM gets all the victim’s calls and messages, including the 2FA code for logging into the bank account.
In at least one instance, the scammers converted the money to cryptocurrency, to make it more difficult to track.
With access to the victim’s SMS and with online banking credentials in hand, the scammer could access the victim’s bank account and drain it as if they were the legitimate owner.
Another way would be to log into the banking account using the remote connection to the victim’s computer, provided it’s turned on.
The SIM-swap scam has been rampant over the past years, causing victims across the world and millions of US dollars in losses. If fraudsters can’t bypass the security implemented by the mobile service provider, they often pay employees to replace the cards.
With so many services, banks included, still checking the authenticity of a login through SMS verification, it is easy to see why SIM-swapping wreaked havoc lately.
To read the original article: