Three men in the United Kingdom were arrested this month after police responding to an attempted break-in at a residence stopped their car as they fled the scene. The authorities found weapons and a police uniform in the trunk, and say the trio intended to assault a local man and force him to hand over virtual currencies.

Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.

“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”

Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.

Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.

“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”

The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.

Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.

“They had a list of people they wanted to hit consecutively as far as I know,” he said.

The foiled robbery is the latest example of how members of certain hacking communities are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.

Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.

Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.

The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.

Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017 while living with his mom, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.

In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

The image on the left below shows another deep insert skimmer and its constituent components. The picture on the right shows a battery-operated pinhole camera hidden in a false fascia directly to the right of the ATM’s PIN pad.

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which stops current skimmer designs from locating and locking into the card reader. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

If you enjoyed this story, check out these related posts:

Crooks Go Deep With Deep Insert Skimmers

Dumping Data from Deep Insert Skimmers

How Cyber Sleuths Cracked an ATM Shimmer Gang

This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called “Lockdown Mode.” And Adobe axed 63 vulnerabilities in a range of products.

Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.

Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.

“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,” Breen said. “Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation.”

Satnam Narang at Tenable said CVE-2022-24521 — a similar vulnerability in the same Windows log file component — was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild.

“CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point,” Narang said.

Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.

Trend Micro’s Dustin Childs called attention to CVE-2022-34718, a remote code execution flaw in the Windows TCP/IP service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”

Cisco Talos warns about four critical vulnerabilities fixed this month — CVE-2022-34721 and CVE-2022-34722 — which have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft.

“These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet,” wrote Jon Munshaw and Asheer Malhotra. “Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner.”

Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed an emergency update for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.

Also listed under active attack is CVE-2022-32817, which has been fixed on macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability was fixed in Apple Watch in July 2022, and credits Xinru Chi of Japanese cybersecurity firm Pangu Lab.

“Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS,” Trend Micro’s Childs noted. “Apple does state in its iOS 16 advisory that ‘Additional CVE entries to be added soon.’ It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.”

Apple’s iOS 16 includes two new security and privacy features — Lockdown Mode and Safety Check. Wired.com describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.

“The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions,” wrote Lily Hay Newman.

“Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS’s general security defenses haven’t been able to keep pace with these specialized threats.”

To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode. Safety Check is located in the same area.

Finally, Adobe released seven patches addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. More on those updates is here.

Don’t forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions.

Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.

These safe trading places exist is because sometimes in-person transactions from the Internet don’t end well for one or more parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.

This is not to say that using Craigslist is uniquely risky or dangerous; I’m sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.

Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions. For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.

I recently stumbled upon one of these designated exchange places by accident, hence my interest in learning more about them. The one I encountered was at a Virginia county sheriff’s office, and it has two parking spots reserved with a sign that reads, “Internet Purchase & Exchange Location: This Area is Under 24 Hour Video Surveillance” [image above].

According to the list maintained at Safetradestations.com, there are four other such designated locations in Northern Virginia. And it appears most states now have them in at least some major cities. Safeexchangepoint.com also has a searchable index of safe trading locations in the United States and Canada.

Granted, not everyone is going to live close to one of these designated trading stations. Or maybe what you want to buy, sell or trade you’d rather not have recorded in front of police cameras. Either way, here are a few tips on staying safe while transacting in real life with strangers from the Internet (compliments of the aforementioned safe trading websites).

The safest exchange points are easily accessible and in a well-lit, public place where transactions are visible to others nearby. Try to arrange a meeting time that is during daylight hours, and consider bringing a friend along — especially when dealing with high-value items like laptops and smart phones.

Safeexchangepoint.com also advises that police or merchants that host their own exchange locations generally won’t get involved in the details of your transaction unless specified otherwise, and that many police departments (but not all) are willing to check the serial number of an item for sale to make sure it’s not known to be stolen property.

Of course, it’s not always practical or possible to haul that old sofa to the local police department, or a used car that isn’t working. In those situations, safetradestations.com has some decent suggestions:

• Meet at a police station where you can exchange and photocopy each others’ identification papers, such as a driver’s license. Do NOT carry cash to this location.
• Photocopy the license or identification paper, or use your phone to photograph it.
• Email the ID information to a friend, or to someone trusted (not to yourself).
• If you’re selling at home, or going to someone’s home, never be outnumbered. If you’re at home, make sure you have two or three people there — and tell the person who is coming that you will have others with you.
• At home or an apartment, NEVER let someone go anywhere unaccompanied. Always make sure they are escorted.
• Never let more than one group come to your home at one time to buy or sell.
• Beware of common scams, like checks for an amount higher than the amount of the deal; “cashier’s checks” that are forged and presented when the bank is closed.
• If you are given a cashier’s check, money order or other equivalent, call the bank — at the number listed online, not a number the buyer gives you — to verify the validity of the check.

A 21-year-old New Jersey man has been arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals. Prosecutors say the defendant recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested on Aug. 12 on a warrant from the U.S. Federal Bureau of Investigation. An FBI complaint alleges McGovern-Allen was part of a group of co-conspirators who are at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups.

Prosecutors say that around 2 a.m. on Jan 2, 2022, McGovern-Allen and an unidentified co-conspirator fired multiple handgun rounds into a residence in West Chester, Pa. Fortunately, none of the residents inside the home at the time were injured. But prosecutors say the assailants actually recorded video of the attack as “proof” that the shooting had been carried out.

A copy of that video was obtained by KrebsOnSecurity. According to investigators, McGovern-Allen was one of the shooters, who yelled “Justin Active was here” as they haphazardly fired at least eight rounds into the lower story of the West Chester residence.

On Dec. 18, 2021, police in Abington Township, Pa., responded to reports of a house fire from homeowners who said it sounded like something was thrown at their residence just prior to the fire.

Weeks later, on the day of the shooting in West Chester, a detective with the Westtown East Goshen Police Department contacted the Abington police and shared another video that was circulating on several online message boards that appeared to show two individuals setting fire to the Abington Township residence. The criminal complaint said the two police officers agreed the same suspect was present in both videos.

A copy of that video was obtained by KrebsOnSecurity, and it shows at least two individuals smashing a window, then lighting a rag-soaked Mad Dog 20/20 grape wine bottle and hurling it at the side of the home.

“The Molotov cocktail caused the immediate surrounding area to ignite, including the siding of the house, grass, and the wooded chair,” the government’s complaint against McGovern-Allen states. “The two suspects then fled on foot toward the street and begin yelling something when the video stops.”

The government mentions the victims only by their initials — “K.M.” in the shooting and “M.K” in the firebombing — but said both had been the target of previous harassment by rival cybercriminal groups that included swatting attacks, wherein the perpetrators spoof a distress call to the police about a hostage situation, suicide or bomb threat with the goal of sending a heavily-armed police response to a targeted address.

A number of previous swatting incidents have turned deadly. But these more “hands-on” and first person attacks are becoming increasingly common within certain cybercriminal communities, particularly those engaged in SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

The complaint mentions a handle and user ID allegedly used by McGovern-Allen’s online persona “Tongue” on the Discord chat service, (user: “Tongue#001”).

“In the chats, [Tongue] tells other Discord users that he was the person who shot K.M.’s house and that he was willing to commit firebombings using Molotov Cocktails,” the complaint alleges. “For example, in one Discord chat from March 2022, [the defendant] states ‘if you need anything done for $ lmk [“let me know”]/I did a shooting/Molotov/but I can also do things for ur entertainment.”

KrebsOnsecurity reviewed hundreds of chat records tied to this Tongue alias, and it appears both attacks were motivated by a desire to get back at a rival cybercriminal by attacking the female friends of that rival.

Recall that the shooters in the West Chester, Pa. incident shouted “Justin Active was here.” Justin Active is the nickname of an individual who is just as active in the same cybercriminal channels, but who has vehemently denied knowledge of or participation in the shooting. Justin Active said on Telegram that the person targeted in the shooting was his ex-girlfriend, and that the firebombing targeted another friend of his.

Justin Active has claimed for months that McGovern-Allen was responsible for both attacks, saying they were intended as an intimidation tactic against him. “DO THE PATRICK MCGOVERN ALLEN RAID DANCE!,” Justin Active’s alias “Nutcase68” shouted on Telegram on Aug. 12, the same day McGovern-Allen was arrested by authorities.

Justin Active’s version of events seems to be supported by a reference in the criminal complaint to an April 2, 2022 chat in which Tongue explained the reason for the shooting.

“The video/is [K]’s house/getting shit/shot/justin active/ was her current bf/ the reason it happened,” Tongue explained. “So that’s why Justin active was there.”

The Telegram chat channels that Justin Active and Tongue both frequented have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window.

“If you live near Edmonton Canada dm me need someone bricked,” reads on Telegram message on May 31, 2022.

“If you live near [address redacted] Lakewood, CA, dm [redacted] Paying 3k to slash the tires,” reads another help wanted ad in the same channel on Feb. 24, 2022. “If you live near here and can brick them, dm [address omitted] Richland, WA,” reads another from that same day.

McGovern-Allen was in the news not long ago. According to a Sept. 2020 story from The Press of Atlantic City, a then 19-year-old Patrick McGovern Allen was injured after driving into a building and forcing residents from their home.

“Police found a 2007 Lexus, driven by Patrick McGovern-Allen, 19, that had lost control and left the road, crashing into the eastern end of the 1600 building,” the story recounted. “The car was driven through the steps that provide access to the second-floor apartments, destroying them, and also caused damage to the outer wall.”

A search on the Inmate Locator of the U.S. Bureau of Prisons website shows that McGovern-Allen remains in federal custody at a detention facility in Philadelphia. He’s currently represented by a public defender who has not responded to requests for comment.

A copy of the criminal complaint against McGovern-Allen is available here (PDF).

ANALYSIS

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in several Telegram channels focused singularly on SIM swapping activity. As a result, the vast majority of the people being targeted for brickings and other real-life physical assaults tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

There are dozens of SIM swappers who are now teenage or 20-something millionaires, by virtue of having stolen vast sums of cryptocurrencies from SIM swapping victims. And now many of these same individuals are finding that communities like Telegram can be leveraged to hire physical harassment and intimidation of their rivals and competitors.

The primary barrier to hiring someone to brick a home or slash some tires seems to be the costs involved: A number of solicitations for these services advertised payment of $3,000 or more upon proof of successful completion, which usually involves recording the attack and hiring a getaway driver in the town where the crime is to take place (calling a cab or hailing an Uber from the scene of a bricking isn’t the brightest idea).

My fear is these violence-as-a-service offerings will at some point migrate outside of the SIM swapping communities. This is precisely what happened with swatting, which for years was a crime perpetrated almost exclusively against online gamers and people streaming their games online. These days, swatting attacks are commonly used by SIM swapping groups as a way to harass and extort regular Internet users into giving up prized social media account names that can be resold for thousands of dollars.