Dutch Police Arrest 2 Tied to Phishing Operation
Investigators Attempt to Break Up 'Fraud Family' Fraud-as-a-Service Syndicate
Dutch police made two arrests this week in an effort to break up the alleged fraud-as-a-service syndicate known as "Fraud Family," which they say developed, sold and rented phishing frameworks to fraudsters who stole financial information.
The security firm Group-IB says it assisted Dutch investigators in identifying the alleged criminals - who are believed to have been active since at least 2020. Police say the investigation dates back to April.
Dutch police arrested an unidentified 24-year-old man Tuesday. The suspect is believed to have facilitated the phishing attacks. The country's National Public Prosecutors Office says the suspect developed and distributed phishing panels that could collect login data from bank customers. He was slated to be arraigned Friday.
A 15-year-old was arrested Tuesday for allegedly selling the phishing tools; he has since been released pending further investigation, police say.
Group-IB analyzed the phishing panels' source code, examined sellers distributing the packages and "distinguished the core team," ultimately identifying group members and their roles, says Anton Ushakov, deputy head of the company's European high-tech crime investigation department.
Witeke Koorn, a Dutch public prosecutor, says that countering digital fraud requires a "joint effort between police, public prosecutors, banks, government agencies, and others."
Fraud Family Tactics
Fraud Family's attacks, Group-IB says, started with an email, SMS or WhatsApp message impersonating a financial organization. Communication that imitated well-known institutions "gained users' immediate trust," the company says. Fake notifications were then sent to victims with malicious links to adversary-controlled phishing websites that stole payment information. Group-IB describes the activity as "a massive fraud-as-a-service operation."
Fraud Family, which mainly targeted users in the Netherlands and Belgium, rented "plug-and-play" phishing kits to other criminals. The kits came with web panels that let an operator interact with a live phishing session in real time, which made them effective at obtaining the information needed to bypass the two-factor authentication set up by banks.
The crime syndicate allegedly used at least eight channels on the instant messaging service Telegram to advertise its services, Group-IB says.
Its most prevalent tool, "NL Multipanel," was a "tuned and customized" version of a similar platform developed by "Kaktys," a Ukrainian threat actor, the security firm notes.
"Fraud Family's panels inherited features of its initial version produced by the Ukrainian developer, which allowed us to track the panels and conduct [our] investigation faster and more efficiently," says Roberto Martinez, senior threat intelligence analyst at Group-IB, Europe.
Fraud Family's Telegram network has approximately 2,000 subscribers, half of which could be buyers, investigators say.
Dutch police say these "phishing kits and phishing panels make committing this type of crime easy and seem to lower the threshold for it. The impact of this form of crime is enormous. It damages confidence in the financial system and it causes financial damage to victims and banks."
Interactions With Victims
Fraud Family members allegedly contacted various sellers on a Dutch classified advertising platform while posing as buyers. They then moved the conversation to third-party apps, such as WhatsApp, and asked the seller to make a "small payment," ostensibly to prevent scams. The fraudsters then allegedly provided a payment link that led to a phishing site asking the victim to select their Dutch bank.
Fake sites for these institutions, investigators say, were nearly identical to the actual websites, making it appear like the transactions were authentic.
Using a "very convincing banking interface," victims were prompted to enter their login details. To bypass two-factor authentication, the victim's session was tied to a fraudster-controlled web panel, backed by a plugin called "Token," from which the scammers could push requests for whatever additional information they needed to access the account. While these commands were executed from the web panel, the victim was shown a "please wait" screen, Group-IB says.
From there, it's believed the syndicate directly accessed victims' bank accounts, though the extent of their thefts is not clear.
"Some very active Dutch cybercriminals we track have recently switched from using other phishing tools to the ones offered by the Fraud Family," Martinez adds.
Dutch investigators say they are now providing information to affected organizations, including financial institutions, whose brands were being abused by the fraudsters.