Law enforcement authorities in the Netherlands have arrested two individuals suspected of belonging to a collective of Dutch cybercriminals involved in the development, sale and rental of sophisticated phishing frameworks to other threat actors, in what is called a “fraud as a service” operation.
The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are believed to have been the main developer and seller of the phishing frameworks used to collect bank customer login details. The attacks mainly targeted users in the Netherlands and Belgium.
Believed to have been active since at least 2020, the cybercriminal syndicate has been codenamed “Fraud Family” by cybersecurity company Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow fraudsters to interact with the phishing site in real time and retrieve stolen user data.
“Phishing infrastructures allow attackers with minimal skills to optimize the creation and design of phishing campaigns to perform massive fraudulent operations while bypassing 2FA,” Roberto Martinez, senior threat intelligence analyst at Group-IB Europe, and Anton Ushakov, deputy director of Group-IB Europe's high-tech criminal investigation department, said in a report, adding that the gang “advertises its services and interacts with other cybercriminals on Telegram Messenger.”
Infections involving Fraud Family start with an email, text message or WhatsApp message that impersonates well-known local brands and contains malicious links which, when clicked, redirect the unsuspecting recipient to adversary-controlled phishing websites aimed at stealing payment information. In an alternate attack scenario, scammers were seen posing as a buyer on a Dutch classifieds platform to contact a seller and then move the conversation to WhatsApp to trick the latter into visiting a phishing site.
Group-IB researchers noted the “high level of personalization” offered by the phishing websites, which not only masquerade as a legitimate Dutch marketplace, but also claim to use a well-known e-commerce payment system in the country, only to direct the victim to a fake banking webpage from which credentials are siphoned off based on the selected bank.
“When victims submit their bank credentials, the phishing site sends them to the scammer-controlled web panel,” Group-IB said. “This actually informs the perpetrators that a new victim is online. The crooks can then request additional information that will help them gain access to bank accounts, including two-factor authentication tokens and personally identifiable information.”
According to messages posted by the group on Telegram, the web panels (one of which is a fork of another panel called “U-Admin”) can be rented for €200 per month (Express Panel), or for €250 if other cybercriminals opt for the Reliable Panel (or Reliable Admin). No fewer than eight Telegram channels operated by Fraud Family have been identified to date, with the channels alone having 2,000 subscribers.
“Attacks that rely on Fraud Family’s infrastructure increased in the latter months of 2020,” Group-IB researchers said. “This trend continues in 2021 with the appearance of Express Panel and Reliable Panel.”