Paris IMSI-Catcher Mistaken for Bomb Was Actually Used for Health Insurance SMS Phishing Scam

On December 30 the French police executed a controlled explosion on a device found in the back of a car, believing it to be a bomb, but they subsequently identified it as an IMSI-catcher. Regular readers of Commsrisk will remember the story and they will also remember the question they asked themselves immediately afterwards: why was a lone drug-addled woman circling the streets of Paris with a device to spy on phones? Now we know the answer, thanks to the reporting of franceinfo.

Five men were indicted on Thursday February 16 in Île-de-France for fraud in an organized gang after sending large-scale fraudulent SMS, franceinfo learned on Saturday from a judicial source. They are suspected of having sent more than 400,000 bogus SMS messages linking to a health insurance website, according to a source familiar with the matter. To steal the phone numbers, the suspects relied on technology usually used by intelligence services and the fight against organized crime.

Their car carried an “IMSI-catcher”. This surveillance device, contained in a small suitcase, is capable of intercepting mobile communications by taking the place of a neighboring relay antenna. Their “IMSI-catcher” thus stole mobile phone numbers, and potentially data belonging to neighboring motorists.

This report and others in the French media go on to associate the gang’s IMSI-catcher with the device found by police when they stopped and searched the car on the evening of December 30. The gang is accused of sending a total of 424,000 smishing texts to numbers they identified with the IMSI-catcher. The texts contained a link to a fake health insurance website which encouraged visitors to submit personal information.

The discovery of the IMSI-catcher prompted an investigation by the Paris judicial police and COMCyberGEND, the cybercrime division of the Gendarmerie that was founded just two years ago. This investigation led to the identification, arrest and indictment of five men aged between 22 and 31.

Commsrisk’s popularity is soaring, and there is a simple explanation: modern society is going to hell. Whilst it is pleasing that France is protected by a specialist police division with the skills of the COMCyberGEND, none of those skills would have been deployed had the driver of this car not behaved erratically. It was good fortune that the police stopped the driver, noticed some mysterious antennae on the back seat, and followed the wires to the contents of the trunk. This was a victory for law enforcement, but what hope is there of maintaining privacy if crooks now find it profitable to drive IMSI-catchers around the streets? More advanced networks are less susceptible to this kind of snooping, but the location of this crime indicates it will be a long time before everyone is protected. France is not a poor country, and Paris is not some remote location that will be the last to have its networks upgraded.

Meanwhile, this weekend a large number of American cybersecurity experts have made fools of themselves by babbling on about the supposed advantages of sending passwords by SMS. Or to be precise, they did not make fools of themselves because groupthink means fools never point out the foolishness of likeminded fools. Do I need to explain why a world where everyone secures their online accounts by receiving passwords via SMS is incompatible with a world where crooks own and use IMSI-catchers? No genuine expert would struggle to see the difficulty. Even if they do not intercept the SMS they can steal the personal data required to execute a SIM swap.

Too many industry experts lack imagination. Criminals do not. Bad actors apply plenty of imagination when devising new ways of spying and stealing, whilst the experts flatter themselves by recounting stories about crimes prevented five or ten years ago. We console ourselves that defenders of privacy will always be two steps behind. This is no comfort, except to experts who want to maintain the status without the pressure of delivering results. We will always remain behind if we are content merely to react, and never seek to anticipate what rogues and spies will do next.

French playwright Jean-Paul Sartre observed “l’enfer c’est les autres”, which can be roughly translated as “hell is other people”. The line comes from Huis clos, a play where the characters find themselves in an afterlife that consists of a single room. The room is their hell because their incompatible desires cause each to be a source of pain for another. It is natural for human beings to want their privacy. It is also natural for human beings to be curious about others, though not always for good reasons. Reconciling these desires is an eternal struggle. In Sartre’s play, it was necessary to put incompatible people in the same room. Now we live in a world where many others can cause us pain and suffering at a distance. Unless we become more ambitious about defending privacy, we will realize a new conception of hell.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.