Following the five arrests that occurred in February, Agence France-Presse reports that a sixth suspect has been indicted for participating in a scam where smishing messages were sent to mobile phones using IMSI-catchers driven around Paris.
A sixth suspect has been indicted in an investigation into a vast scam involving fraudulent Assurance maladie SMS messages, carried out notably through the use of an IMSI-catcher, a surveillance system used by intelligence services #AFP pic.twitter.com/7ivUk4pp7I
— Agence France-Presse (@afpfr) March 17, 2023
The sixth member of the gang was born in 1997 and arrested in Montpellier on charges of fraud and attempted fraud in an organized gang, and unauthorized possession of a device to intercept computer data. He was remanded in custody on Friday.
The first IMSI-catcher was found by chance in late December, when gendarmes stopped a woman driver who was intoxicated with drugs and then noticed radio antennae on her back seat. A wire led to equipment in the trunk of the car that was initially mistaken for a bomb, but later identified as an IMSI-catcher. A second IMSI-catcher belonging to the gang was discovered in February; it was carried in an old ambulance that had been driven around the northern and western suburbs of Paris. Investigators have determined that 400,000 Parisians received SMS messages that encouraged them to submit their personal data to a bogus health insurance website.
SMS has never been a secure channel for communication, but you would not know that from the way many so-called security experts demand ever-increasing use of SMS messages for the sending of passwords. Meanwhile, the cost of IMSI-catchers has fallen, making their use for scams more viable than ever before. These revelations about widespread systematic abuse of IMSI-catchers in Paris should serve as a wake-up call for those elements of the infosec community who underestimate the myriad ways that criminals can exploit SMS.