Darn it. I know there are fraud managers who will think what I am about to do is wrong. But I think they are wrong. They want to address fraud by only talking privately amongst themselves in discreet little circles of professionals. Their process of educating each other is so exclusive that barely anyone learns anything from them. Meanwhile, the criminals they are competing with are loudly and proudly boasting about their capabilities in public. So now you already understand my following observation: we cannot win an information war by spreading information less efficiently than our enemies. Thank you for visiting Commsrisk. Your reward is to now be pointed towards a website that openly advertises the following products and services.
- Software to clone SIMs, so criminals can spy upon and steal from phone users
- Targeted interception of calls and SMS messages
- SS7 connections for anyone wanting to snoop around the weaknesses of networks
These services are advertised at a website using simswap.su as its URL; a screenshot of the competently-designed home page is shown below. The .su suffix is the country code top-level domain for the Soviet Union, which remains in use despite the Soviet Union’s dissolution in 1991. The contact page for this business gives an address in Russia.
It could be argued that by raising awareness of this website I will facilitate people who will break the law. My counterargument is that the knowledge of the criminals already outstrips that of the professionals paid to resist them. Plenty of bad actors already know about this website; it is the employees of telcos who remain unaware of the scale of the threats to their companies and their customers.
Whether these particular services work or not, the methods used to break the law are much more successfully advertised than methods to prevent fraud. To illustrate the point, let me compare the size of two audiences for content supplied via the same platform. The Communications Fraud Control Association (CFCA) produces YouTube videos using the tagline that they are where the global telecoms industry ‘goes to know’ what is happening with fraud. Their most popular video has received 118 views, although some have view counts which have not yet reached double figures, despite being several years old. In contrast, the least popular video on the YouTube channel belonging to this sim-swapping service has been seen 427 times. Their channel was only created in April 2022, but the most popular video has already acquired over 2,000 views. So if we objectively measure where people go to know about the frauds that plague the communications industry, they are far more likely to be learning from those who enable crime than from those who seek to stop it.
Such is the effectiveness with which criminal activities are being marketed that simswap.su has received 26 reviews on consumer website Trustpilot with an average score of 4.5 out of 5. Some or most of the 5-star reviews may be bogus, although Trustpilot has a quality control process that is supposed to weed out bogus reviews, as I learned first-hand after leaving a genuinely bad review for a genuinely awful business. The tally for simswap.su includes two 1-star reviews, and a single 4-star review, so at least some of the reviews appear to be genuine. It is an even greater worry that all the reviews are recent, indicating the current levels of interest in, and awareness of, products designed to hijack customer accounts and spy on people’s private messages.
If the 5-star reviews are fake they are still better written than some content I have seen produced for professional fraud managers. Here are a few examples of reviews that were added in the last few weeks.
There was a problem with the download link, I couldn’t see it in my account but it was fixed by the support. The support on telegram is also good even though the software itself is pretty simple to use. Congrats team for this needed software.
These guys are very professional when it comes to SS7 mobile pentesting. We took access to the SS7 Server as it has more complex capabilities than the regular software being sold, and the results were exactly what we expected. Remote monitoring capability using our Network Surveillance System was the best feature.
Excellent software for SS7 interception. Tested on UK, DE and PL without any issues at all. Very happy with this purchase and I recommend it.
I got the software (SS7 Normal License) after 2 hours, probably the delay was from the bitcoin network or something, but overall the software works like on their demos. Easy to use and simple interface. Will come back with a review if something goes wrong.
The rental spy services provided by this particular underworld operation closely resemble an offering called ‘Interconnector’ that I wrote about in 2017. It feels like the criminals have continued to exploit the exact same vulnerabilities because there are telcos for whom five years is still not enough time to address known security issues. Is it any surprise that year after year of profiting from crime might lead to improvements in how the criminals market themselves? Just last week I wrote about the slick website for a phone app that buys P2P SMS allowances from consumers and uses them to convey A2P-style messages. Cathal Mc Daid, CTO of Enea AdaptiveMobile Security, kindly pointed out that this app was similar to an app he encountered a decade ago.
I never like it when fraud managers insist that fraudsters will always be one step ahead. Even if that is true, repeatedly making this same observation encourages defeatism. This attitude would be less acceptable if it was also relayed to the ordinary members of the public who also suffer the consequences of fraud. Instead of insisting that businesses must lag behind criminals there is a contrary observation that can be applied to fraud, and is illustrated by the two examples given above. It is so old that it is taken from the Bible, Ecclesiastes 1:9.
What has been will be again, what has been done will be done again; there is nothing new under the sun.