Threat actor offered smishing as a service to other hackers in 9 countries | Mihir Bagwe (mihirbagwe) • July 5, 2023
According to SentinelOne, a hacker suspected to be based in Mexico is targeting financial institutions using “relatively unsophisticated” tools, yet is achieving a high degree of success against banking customers.
According to new research by SentinelOne, the hacker, named “Neo_Net,” has been active since June 2021 and has targeted customers of major banks, mainly in Spain and Chile, including Santander, BBVA, CaixaBank, Deutsche Bank, Credit Agricole and ING. Victims of the scams lost more than 350,000 euros.
The hacker’s technique involved a multistage SMS-phishing – or smishing – campaign. To create a sense of urgency, the messages typically included a fake alert warning victims that the bank had detected unauthorized access to their account. Each message contained a hyperlink that directed the user to a phishing page, which the researchers said was “carefully” constructed using Neo_Net’s phishing panel. Victims who clicked the link landed on a fake login page and were asked to provide credentials.
The hacker sent the stolen data to a Telegram chat via the Telegram bot API. In addition to login credentials, victims’ IP addresses and user agents were transmitted to the threat actor via designated Telegram chats.
Neo_Net used this data to log into victims’ accounts, bypassing multifactor authentication with modified variants of Android SMS spyware. The Android Trojan used in the campaign had obfuscation capabilities and surreptitiously siphoned incoming SMS traffic from victims’ mobile phones to hacker-controlled Telegram chats.
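For defenders triaging a captured phishing kit or a string dump from a suspicious APK, the Telegram exfiltration channel described above leaves recoverable indicators: the bot ID, the API method and the destination chat ID. The Python below is an added example, not code from SentinelOne's research or from the campaign; the artifact names, tokens and chat IDs are constructed, and the regex assumes the common token layout of a numeric bot ID, a colon and a 35-character secret.

```python
import re

HOST = "api.telegram.org"  # Bot API base: https://api.telegram.org/bot<id>:<secret>/<method>
# Assumed token layout: numeric bot ID, colon, 35-character secret
TOKEN = re.compile(r"(?<!\d)(\d{6,12}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
METHOD = re.compile(r"/(send[A-Z][A-Za-z]+)")
# chat_id shows up as a URL parameter, a POST field or an array/JSON key
CHAT_ID = re.compile(r"chat_id[\"']?\s*(?:=>|[=:])\s*[\"']?(-?\d{5,})")

def triage(name, text):
    """Summarise Telegram Bot API indicators in one artifact, or None if absent."""
    if HOST not in text:
        return None
    tokens = TOKEN.findall(text)
    return {
        "artifact": name,
        "bot_ids": sorted({bot_id for bot_id, _ in tokens}),
        # keep only a short prefix of the secret so the report does not leak a token
        "tokens_redacted": sorted({f"{b}:{s[:4]}..." for b, s in tokens}),
        "methods": sorted(set(METHOD.findall(text))),
        "chat_ids": sorted(set(CHAT_ID.findall(text))),
    }

# Constructed sample artifacts; tokens and chat IDs are fake placeholders.
FAKE_A = "123456789:" + "A" * 35
FAKE_B = "987654321:" + "B" * 35
SAMPLES = {
    "kit/send.php": '$token = "' + FAKE_A + '";\n'
                    '$api = "https://api.telegram.org/bot" . $token . "/sendMessage";\n'
                    '$fields = ["chat_id" => "-1001234567890"];\n',
    "apk/strings.txt": "https://api.telegram.org/bot" + FAKE_B
                       + "/sendMessage?chat_id=55555555&text=\n",
    "kit/index.html": "<form action='send.php' method='post'></form>\n",
}

def scan(samples):
    """Triage every artifact and keep only those with Telegram indicators."""
    return [r for name, text in samples.items() if (r := triage(name, text))]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The bot ID and chat ID are the values to include in an abuse report to Telegram; the secret is truncated so the report itself cannot be used to drive the bot.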
SentinelOne said that in addition to defrauding victims, the hacker extracted their personally identifiable information and sold it to interested third parties.
SentinelOne credits the findings to security researcher Paul Thill, who submitted his research to the Malware Research Challenge, run by the security company in collaboration with the malware repository VX-Underground.
The hacker also created a Smishing-as-a-Service platform called Ankarex. Active since May 2022, Ankarex advertises its services on its Telegram channel, which has 1,700 subscribers and regularly posts updates about the software and its special offers. Most communication in the Ankarex channel is in Spanish.
Registered users can simply pay a fee in cryptocurrency and launch their own smishing campaigns, specifying SMS content and target phone numbers. At the moment, users can target nine countries using the Ankarex platform, SentinelOne said.
Source: Crypto Saurus