How an IMSI-catcher, an intrusive surveillance device, was allegedly hijacked to fuel a mass phishing campaign


Is any method fair game for phishing future victims? Five people were indicted last Thursday in Paris in an unprecedented case involving fraud as part of an organized gang, unauthorized use of radio frequencies or radio installations, and computer hacking.

As revealed by Franceinfo, the five defendants are suspected of having sent more than 420,000 fraudulent SMS messages pointing to a fake Medicare site. It is a fairly commonplace fraud scheme, intended here to collect personal data such as social security numbers, as well as financial data such as credit card numbers.

Intelligence services

But beyond the large volume of this phishing campaign, the modus operandi uncovered by the cybergendarmes and the Paris judicial police stands out for its unexpected use of an IMSI-catcher, a tool whose use is normally reserved for intelligence services or the most complex judicial investigations.

This equipment is particularly intrusive. Designed to intercept communications on mobile networks, it takes the place of a base station by imitating a relay antenna, which allows it to capture exchanges between users within its range and the operators' networks.

As Le Journal du dimanche recalls, the investigation began by chance at the end of December. Police officers on patrol in Paris had checked a motorist carrying a strange box in the back of the car. The bomb-like device turned out to be an IMSI-catcher, bought for around 20,000 euros in March 2021 from an intermediary, according to investigators.

New “advertising system”

When questioned, the driver, a 23-year-old woman, explained that she had been given the task of driving around the capital in order to collect telephone numbers on the fly. According to the police investigation, those who commissioned her are believed to be two managers of a Neuilly-sur-Seine company specializing in digital marketing, who boasted on their site of having a database of 20 million profiles.

Two of the defendants explained to the judge and the investigators that they had used the IMSI-catcher to “invent a system for sending advertising”, reports Le Parisien. A strange argument given the most basic rules governing the collection of personal data.





