A member of an international hacking group known as The Community has been sentenced to 10 months in prison in connection with a multi-million dollar SIM hijacking attack.
Garrett Endicott, 22, of Warrensburg, Missouri, was first indicted in 2019 and is the sixth and final member of The Community to be sentenced, the Department of Justice said on Tuesday. The group launched SIM hijacking (also known as SIM swapping) attacks in order to steal cryptocurrency from victims across the country, including ones in California, Texas and New York.
“The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings,” said Acting U.S. Attorney Saima Mohsin in a statement. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”
SIM hijacking attacks occur when bad actors steal victims' mobile phone numbers and route their phone calls and SMS messages to attacker-controlled devices. They typically carry out the attack by convincing a mobile phone provider employee (either through bribery or by posing as the victim) to swap a victim's phone number to an attacker-controlled SIM card. After stealing these phone numbers, attackers can use them to reset passwords on various online accounts - including email, cloud storage and cryptocurrency exchange accounts. Because the attackers also control the phone numbers, they can bypass two-factor authentication (2FA) security measures as well.
In total, The Community stole millions of dollars worth of cryptocurrency, taking anything from $2,000 to over $5 million from individual victims.
Endicott, who pleaded guilty, must pay $121,549.37 in restitution in addition to his sentence. Other members of the group who have been sentenced include Ricky Handschumacher, 28, of Pasco County, Florida; Colton Jurisic, 22, of Dubuque, Iowa; Reyad Gafar Abbas, 22, of Charleston, South Carolina; Conor Freeman, 22, of Dublin, Ireland; and Ryan Stevenson, 29, of West Haven, Connecticut.
SIM hijacking is a major security challenge both for wireless carriers and their mobile customers, with criminals estimated to have stolen millions of dollars in this way. In February, Europol announced it had arrested 10 criminals affiliated with a gang that made over $100 million in cryptocurrencies after targeting thousands of victims with SIM hijacking attacks throughout 2020 - including famous internet influencers, athletes and musicians.
Beyond these law enforcement crackdowns, government officials have sought to put the issue on the Federal Communications Commission’s (FCC) radar over the years. In 2020, a group of senators and representatives asked the FCC to require wireless carriers to better safeguard consumers from this type of attack. In the letter, government officials stressed that the attack could endanger national security if, for instance, a cybercriminal used it to hack into the email account of a public safety official.
Currently, the FCC relies on Customer Proprietary Network Information rules, as well as Section 222 of the Communications Act of 1934, to protect consumer data. These rules require carriers to implement several protections against attackers gaining unauthorized access to customers’ private data. The FCC also has pointed to regulations (Local Number Portability rules) that govern the porting of phone numbers from one carrier to another.
In September, the FCC proposed to amend these rules with the intent of cracking down on SIM hijacking. In its proposal, the commission looked at various ways to bolster security, including additional fields of customer-provided information needed to validate wireless-to-wireless ports, or a customer-initiated passcode field for wireless number port requests.
“It’s important we do this now… four out of five SIM swap attempts in the United States are successful,” said Jessica Rosenworcel, acting chairwoman of the FCC, in a statement. “We can help fix this. I look forward to the record that develops and putting an end to this cyber fraud.”