Thousands Tricked Into Revealing Banking Details by Smishing IMSI-Catcher Driven around Norway

More information has been released to the public following the arrest of a fraudster who drove an IMSI-catcher around the Norwegian cities of Oslo and Bergen. As previously suspected, the IMSI-catcher was used in the same way as similar devices driven around Paris, transmitting large numbers of scam SMS messages to mobile phones within its range. These messages contained links to websites that impersonated three banks: DNB, DHL and Bank Norwegian. The SMS messages and the phishing websites, a combination often described as ‘smishing’, succeeded in fooling thousands of people into believing they needed to enter their banking details into the websites.

The SMS messages were only sent during a brief 23-day period but it is likely that hundreds of thousands of people received them in total. The scam would have likely remained undetected for much longer had the driver not circled near government buildings in Oslo that were protected by specialist counter-espionage equipment which identified the radio signals created by the IMSI-catcher. Exact numbers have not been provided, but the authorities referred to ‘several thousand’ people remaining at threat because the driver’s accomplices had obtained their bank details. This suggests a pretty typical success rate for scams like these; sending very many messages means that only a small fraction of recipients need to be fooled in order to generate a profit for the crooks behind the scheme. Anyone who was in Oslo and Bergen between August 17 and September 8, and who entered their details into a website in response to an apparent SMS from one of the three banks, is advised to immediately block any bank cards even if there have been no suspicious transactions so far.

Økokrim, the Norwegian law enforcement agency for economic and environmental crimes, has stated this is the first scam of its type to have occurred in Norway. Økokrim Chief Pål Lønseth, who was formerly a politician belonging to Norway’s Arbeiderpartiet (Labor Party), tried to minimize the responsibility borne by the authorities by claiming:

Vi vet at bedragere kan utnytte telenettet

We know that fraudsters can exploit the telecommunications network

However, this particular scam has nothing to do with telecoms networks. The IMSI-catchers might alternatively be described as false base stations, as they exploit the way that mobile phones seek to connect to the strongest available signal. The fraudsters’ devices are not connected to any genuine network, so they are not readily identifiable by network operators and they certainly cannot be blocked by them. This is one kind of scam where governments, regulators, police and prosecutors cannot shift the responsibility for fighting crime to the private sector. Only law enforcement and security agencies have the right to use equipment which could locate rogue IMSI-catchers. Only the authorities can decide when it is appropriate to use public resources to warn the population about this type of crime. These scams are especially worrying because they could potentially hit any mobile phone user anywhere but considerable effort will be required to locate vehicles containing the IMSI-catchers. We are even less likely to catch and punish criminal kingpins who orchestrate these scams but are typically based in a different country to their victims. A pattern is emerging in Europe where national authorities are choosing not to warn the public until after such scams have occurred, even though devices driven around Oslo and Paris could just as easily be driven over the border and around Berlin or Rome instead.

I suspect the authorities do not want to talk about these crimes because they do not want to admit they intend to take no preventative action in advance of these crimes. There are no excuses for complacency. Various South East Asian countries are openly tackling gangs that drive IMSI-catchers around cities. We should anticipate the same criminal methods being replicated elsewhere. The authorities in most countries have been slow to respond to the rise of all kinds of fraud, and the public sector’s limited anti-fraud competence and capability means they instinctively try to push the burden of fraud prevention and mitigation on to the private sector. That tactic will not work for mobile radio devices used to blast millions of scam SMS messages at anyone nearby. So instead of warning the public about the threat, the authorities in most countries are just ignoring it for as long as they can. This is an abdication of their responsibility to protect the public, but sadly it reflects the deeply-engrained bias of governments and police who have long treated fraud as somebody else’s problem.

You can read Økokrim’s most recent announcement about the Oslo/Bergen IMSI-catcher scam here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.