Likely Mexican Hacker Targets Bank Customers in Spain, Chile
Threat Actor Offers Smishing-as-a-Service Scam to Other Hackers in 9 Countries
A hacker suspected to be based in Mexico is targeting financial institutions using "relatively unsophisticated" tools but is achieving a high degree of success among banking customers, according to SentinelOne.
The hacker, dubbed "Neo_Net," has been active since June 2021 and has targeted customers of major banks, primarily in Spain and Chile, including Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole and ING, according to new research from SentinelOne. Victims lost more than 350,000 euros in the scams.
The hacker's technique relied on a multistage SMS-phishing (smishing) campaign. To create a sense of urgency, the messages generally included a fake alert warning victims that the bank had detected unauthenticated access to their account. Each message contained a hyperlink directing the user to a phishing page, which researchers said was "meticulously" built with Neo_Net's phishing panels; victims who followed the link landed on a fake login page and were asked to enter their credentials.
The hacker siphoned off the stolen data to a Telegram chat via the Telegram Bot API. In addition to login credentials, the victims' IP addresses and user agents were transmitted to the threat actor through the designated Telegram chat.
Neo_Net used this data to log into the victims' accounts, bypassing multifactor authentication by using separate modified Android SMS spyware. The Android Trojans used in the campaign had obfuscation capabilities and secretly exfiltrated incoming SMS traffic from victims' mobile phones to the hacker-controlled Telegram chat.
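The SMS-stealer's use of the Telegram Bot API gives defenders a concrete egress signal to hunt for. The following is an added example, not code from SentinelOne or the research it cites: it scans constructed proxy-log lines (assumed format: timestamp, source IP, method, URL, user agent) for repeated POSTs to the Bot API `send*` methods, which is how a compromised phone would forward intercepted SMS to a hacker-controlled chat, and reports the offending hosts with the bot token redacted.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy log lines (not from the report).
# Fields: timestamp src_ip method url user_agent
SAMPLE_LOG = """\
2023-07-05T10:01:12Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAE-placeholder/sendMessage okhttp/4.9.3
2023-07-05T10:01:40Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAE-placeholder/sendMessage okhttp/4.9.3
2023-07-05T10:02:03Z 10.0.5.22 GET https://www.example-bank.test/login Mozilla/5.0
2023-07-05T10:03:15Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAE-placeholder/sendMessage okhttp/4.9.3
2023-07-05T10:04:00Z 10.0.5.23 GET https://api.telegram.org/bot987:BBB-placeholder/getUpdates curl/8.1.2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# Only the methods that push data out of the device are interesting for exfil hunting;
# a bot that merely polls getUpdates is not matched.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot([^/]+)/(sendMessage|sendDocument)")


def redact_token(token: str) -> str:
    """Keep only a short prefix so the finding can be correlated without leaking the token."""
    return token[:4] + "..." if len(token) > 4 else "..."


def find_bot_exfil(log_text: str, threshold: int = 2) -> dict:
    """Return {src_ip: summary} for hosts that POSTed to Bot API send* methods
    at least `threshold` times. Each summary holds the hit count, redacted
    tokens seen and the user agents used (an HTTP library UA on a phone is a
    strong hint that an app, not a person, is talking to the Bot API)."""
    hits = defaultdict(lambda: {"count": 0, "tokens": set(), "user_agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, src_ip, method, url, user_agent = m.groups()
        b = BOT_API_RE.match(url)
        if not b or method != "POST":
            continue
        rec = hits[src_ip]
        rec["count"] += 1
        rec["tokens"].add(redact_token(b.group(1)))
        rec["user_agents"].add(user_agent)
    return {
        ip: {"count": r["count"], "tokens": sorted(r["tokens"]), "user_agents": sorted(r["user_agents"])}
        for ip, r in hits.items()
        if r["count"] >= threshold
    }


if __name__ == "__main__":
    for ip, summary in find_bot_exfil(SAMPLE_LOG).items():
        print(ip, summary)
```

On a real mobile-device VPN or proxy feed, the per-host count over a short window matters more than the raw match: one SMS forwarded per incoming message produces exactly the steady trickle of small `sendMessage` POSTs the scan looks for.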
In addition to defrauding victims, the hacker exfiltrated their personally identifiable information and sold it to interested third parties, SentinelOne said.
SentinelOne attributed its findings to security researcher Pol Thill, who submitted his research for the Malware Research Challenge, which the security company ran in collaboration with vx-underground, a malware repository.
The hacker also created a smishing-as-a-service platform called Ankarex. Active since May 2022, Ankarex's services are advertised on a Telegram channel that has 1,700 subscribers and regularly posts updates about the software and its exclusive offerings. Most of the communication in the Ankarex channel is in Spanish.
Registered users can simply pay the fees in cryptocurrency and launch their own smishing campaigns specifying the SMS content and targeted phone numbers. Users, at the moment, can target nine countries using the Ankarex platform, SentinelOne said.