5 Held in Ukraine Over Phishing Scam With 70,000 VictimsSuspects Allegedly Used 40 Phishing Sites to Steal Credit Card Data
The Ukrainian cyber police have arrested five individuals charged with stealing credit card data from at least 70,000 people, using 40 separate phishing sites.
"The suspects deceived the victims with the help of phishing websites, which disguised themselves as mobile account replenishment services. The pre-determined amount of losses reaches five million hryvnias ($172,500). The perpetrators could face up to eight years in prison," the Ukrainian cyber police say.
The arrested individuals are charged under Part 2 of Article 361 of the Criminal Code of Ukraine, which deals with unauthorized interference in the work of computers, automated systems, computer networks and telecommunications networks, as well as Part 3 of Article 190, which deals with fraud, the police report says.
The police did not name the suspects or offer details on the phishing sites they used.
The police confiscated computer equipment, mobile phones, flash drives, bank cards and more than 2 million hryvnias ($69,000) in cash, the report says.
The investigation was led by officers of Ukraine’s Cyber Police Department with the main investigation department of the National Police, the report says. The 40 fraudulent sites used for phishing by the five alleged perpetrators were designed to look like websites of mobile operators, it says.
"Users entered bank card details on the phishing sites in order to top up their mobile account or make a transfer. Thus, the attacker received payment information from more than 70,000 people. Later, using this data, the group members embezzled citizens' money," the Ukrainian cyber police say.
The agency also says the organizers used paid marketing and analytical resources to promote their sites on social media and show up on top of search engine results and that a member of the group used his own servers to ensure that the fraudulent websites worked smoothly.
The organizers recruited individuals to transfer the stolen money in exchange for a percentage of the "profit" from each fraudulent operation, according to the police report.
Arrests don't necessarily translate to fund recovery, says Garrett Thompson, an intelligence specialist at cybersecurity firm Binary Defense. "Anyone who believes they were a victim of this attack should contact their bank," he adds.
Thompson says threat actors have taken advantage of social media websites' poor advertisement vetting procedures, so end users must be careful. He recommends using credit cards, especially one-time use cards, for online shopping to ensure the card data isn't exposed.
Christos Betsios, cybersecurity officer at cybersecurity firm Obrela, says that although the group's tactics are repeated in most campaigns, they are not highly sophisticated. With each campaign, however, the infrastructure and tools are updated to avoid the previous detection, and the criminals add new tools and techniques to their arsenal.
Besios says affected individuals should use a credit monitoring service to ensure no credit applications are taken out in their names in the future, and organizations should educate employees about the dangers of attacks, particularly in potential conflict zones such as Ukraine. Tools and security products that detect ransomware/malware/phishing attempts before they get onto systems are critical, he says, and so is backing up data.
"Ensure that access to systems and sensitive data is to the absolute business need and with identity management controls," Betsios says. He says organizations must ensure their internal network is properly segmented and use proper user access control to prevent unprivileged users from accessing critical resources on their network. "Last but not least, organizations need to establish a strong cyber resilience strategy and continuous monitoring using an MDR service provider to detect such incidents in a timely manner."
These arrests come amid the rapidly escalating conflict between Russia and Ukraine.
Last week, the European Union confirmed that it will activate its elite cybersecurity team to assist Ukrainians if Russian cyberattacks occur (see: EU Activates Cyber Rapid Response Team Amid Ukraine Crisis).
The news comes after the U.S. government attributed last week's distributed denial-of-service attack on the nation's Ministry of Defense - which oversees Ukraine's military - and at least two banks, to the Russian Main Intelligence Directorate, better known as the GRU. Russia has denied the allegations (see: Report: Cyberattack Hits Ukrainian Defense Ministry, Banks).
In January, after the defacement of multiple Ukrainian government websites and subsequent deployment of destructive malware against Ukraine over the weekend, Lithuanian officials offered to deploy the EU's Cyber Rapid Response Team to help Ukraine deal with cyberattacks.
Lithuanian Vice Minister of National Defense Margiris Abukevičius and Ukrainian Deputy Minister of Defense on Digital Development, Digital Transformation and Digitization Oleh Haiduk also discussed the possibility of activating the Cyber Rapid Response Team, according to the Ministry of National Defense of the Republic of Lithuania (see: EU's Cyber Rapid Response Team on Standby for Ukraine).
Cybercrime Crackdowns in Ukraine
Attacks on Ukrainian companies are not a recent development, and several incidents have been reported in the past year.
In January, police in Ukraine arrested five individuals on suspicion of using ransomware to extort more than 50 companies across the United States and Europe (see: Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks). Authorities said that the group's alleged ringleader, a 36-year-old resident of Kyiv, was arrested together with his wife and three alleged accomplices. The National Police of Ukraine's cyber division said that "according to preliminary estimates, more than 50 companies were affected by the attacks, with the total amount of damage reaching more than $1 million."
In October 2021, the police arrested two members of a ransomware gang they said had attempted to extort up to $80 million from individual victims. The name of the ransomware operation, which allegedly earned more than $150 million from attacking victims, was not released.
In August 2021, the police shuttered multiple allegedly illegal cryptocurrency exchanges in the country that had been processing about $1.1 million in virtual currency transactions each month, at least some of which were allegedly for money laundering purposes.
In June 2021, the police said they had arrested six suspected members of the Clop ransomware operation, in a law enforcement effort dubbed Operation Cyclone and backed by South Korea and the U.S.
In May 2021, following the Conti group's attack against Ireland's Health Service Executive, Interpol facilitated the "identification and takeover of the attackers' command-and-control server in Ukraine," Interpol Director of Cybercrime Craig Jones said.
In February 2021, multiple individuals suspected of being affiliates of the Egregor ransomware-as-a-service operation were arrested in Ukraine, in an operation also involving French authorities.
In January 2021, an international law enforcement operation disrupted the Emotet botnet, with arrests in Ukraine and the U.S., backed by police in the U.K., the Netherlands, Germany, France, Lithuania and Canada.