Scammers combined social engineering, SIM-swapping, and remote desktop apps to clear the bank accounts of at least three victims.

Victims lost more than $350,000 in total. Because the modus operandi and some specifics were the same in all three instances, they were presumably swindled by the same individuals.

The scams occurred in Budapest over the summer and began with the ruse of a well-located apartment offered for sale below the market value.

The victims, attracted by the offer, responded to the ad and learned that the price was low because the owner, who lived abroad, desperately needed money.

A “relative” of the owner served as an intermediary for the sale and promised potential victims more photographs of the property than shown in the initial online ad, along with a video.

In two instances, the scammer persuaded the victims to install the remote desktop program AnyDesk to transfer the images and videos, reports a Hungarian publication.

There was no reason to presume foul play, because AnyDesk is legitimate software, and the victims downloaded it directly from the developer's website.

Even after moving the files, the fraudster retained access to the victim's computer and could search it for confidential information (documents, passwords, personal details) that would further aid them in their scheme.

The aim was to log into the victim's bank account and steal the available funds, but with two-factor authentication (2FA) switched on, they also needed access to incoming messages on the victim's cell phone.

Connection lost

So they ran a SIM-swap scheme, tricking employees of the mobile service provider into activating a new SIM card with the victim's phone number. At this stage the original SIM card becomes inactive and loses access to the network.

At the same time, the fraudster's new SIM receives all the calls and messages intended for the victim, including the 2FA code needed to log into the bank account.

In at least one case, the scammers converted the cash to cryptocurrency to make it harder to trace.

With access to the victim's SMS messages and the online banking credentials in hand, the scammer could log into the victim's bank account and drain it as if they were the rightful owner.

Another option would be to use the remote desktop connection to the victim's device to log into the banking account, provided the device is switched on.

Over the past few years, SIM-swap fraud has been rampant, claiming victims around the world and causing millions of US dollars in losses. If fraudsters cannot circumvent the protection introduced by the mobile service provider, they also pay employees to swap the cards.

With so many services, banks included, still verifying the validity of a login via SMS, it is easy to see why SIM-swapping has recently wreaked havoc.