A Spanish-based threat actor Neo_Net has conducted campaigns against financial institutions and banks and achieved the highest success rate in spite of its unsophisticated tools.
The campaign has compromised a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names of thousands of victims.
Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering to target various countries worldwide.
As per the latest malware research conducted by SentinelOne with VX underground, they have shared the report regarding Neo_Net.
Tactics Used in Campaign
The campaign utilizes Ankarex, its smashing, as a service platform for targeting the victims through messages which contain Sender IDs (SIDs) to create an illusion of authenticity and impersonate reputable financial institutions.
These sms manipulate the victims by claiming that an unauthorized device had accessed the victim’s account or that their card had been temporarily limited due to security concerns.
The messages also contained a hyperlink to the threat actor’s phishing page.
The phishing pages look like legit banking sites that were implemented with multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners.
Once the user submits the details, information will be exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.
Then threat actors coaxed victims into installing a purported security application for their bank account on their Android devices to circumvent the Multi-Factor Authentication (MFA) mechanisms.
The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs).
The threat actors were also observed making direct phone calls to victims, possibly impersonating bank representatives and deceiving victims into installing Android spyware or divulging OTPs.The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. Through his contributions on Telegram, Neo_Net has been linked to the “macosfera(.)com” forum, a Spanish-language IT forum.
Source: https://cybersecuritynews.com/neo_net-targeting-bank-users/
