Date: 2023-07-07

This new virus on your mobile is draining bank accounts all over the world

Although almost no one escapes encounters with hackers or scam attempts, Android users have been especially exposed to a virus that has been operating since 2021 and aims to steal your bank details and drain your accounts.

It is a malware campaign, managed by an attacker codenamed “Neo_Net”, capable of accessing your personally identifiable information (PII), a set of data with which any specific individual can be identified.

Very sensitive data

PII comprises highly sensitive and private data that is often used in identity theft. Whoever has access can do almost anything on behalf of the victim, so this activity is legally regulated, to a greater or lesser extent depending on each country.

A report by security expert Pol Thill, Cyber Intelligence and Threats analyst at QuoIntelligence, indicates that “Neo_Net” has been targeting banking users around the world, focusing mainly on Spain and Chile.

Among the affected banks are Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole and ING.

The attacker, who appears to be located in Mexico, did two things: he ran a phishing campaign to collect data, and he distributed Android malware designed to steal multi-factor authentication (MFA) codes.

Unsophisticated, but effective

“Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring its infrastructure to specific targets, resulting in the theft of over €350,000 from victims,” Pol Thill wrote on the Sentinel blog.

The report notes that this attacker created "convincing-looking" landing pages, which could easily be mistaken for genuine websites belonging to the aforementioned banks.
He then ran an SMS sending campaign, urging victims to click the link and leave their identity details, which he then collected using a Telegram bot.

“The phishing pages were meticulously configured using Neo_Net panels, PRIV8, and implemented multiple defense measures, including blocking non-mobile user agent requests and hiding the pages from bots and network scanners,” the researcher said in his article.

Neo_Net went on to establish a wide-ranging infrastructure, including Android Trojans and phishing panels, for numerous affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering targeting multiple countries.

That’s how they deceive you

In some cases, attackers also trick victims into downloading malicious Android apps that pretend to be security software, but are in fact only there to steal MFA codes. Upon installation, the apps ask for SMS permissions.

“The SMS messages employed various fear-based tactics, such as claiming that an unauthorized device had accessed the victim’s account or that their card had been temporarily limited due to security concerns.
The messages also contained a hyperlink to the threat actor’s phishing page.

Once they submitted their credentials, the victims’ information was surreptitiously extracted into a designated Telegram chat via the Telegram Bot API, giving threat actors unrestricted access to the stolen data, including the IP addresses of the victims and user agents.

Why does it matter?

According to the specialized website The Hacker News, there are two important conclusions from this malicious campaign: one, it is very successful, and two, it appears to be implementing a proprietary SMS delivery platform (Ankarex).

The actual stolen sum is likely to be much higher than 350,000 euros, SentinelOne noted, as older trades and transactions that do not require multi-factor authentication were not added to the total sum.

This specific campaign was active between June 2021 and April 2023, suggesting that the threat actor was likely active for much longer. He is described as an “experienced cybercriminal” who not only runs malicious campaigns but also sells tools and services on the Dark Web.

Ankarex, which was used in this campaign, is actively promoted on Neo_Net’s Telegram channel, to some 1,700 subscribers.

“The service itself can be accessed on Ankarex and, once registered, users can upload funds via cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and destination phone numbers,” Thill said.

Despite the threat actor appearing to be targeting almost exclusively the Spanish-speaking community, the campaign still casts a relatively wide net.
The researcher claims that Neo_Net attacked clients of 50 financial institutions, 30 of which were based in Spain or Chile.

In its article, SentinelOne calls Neo_Net the “cornerstone of electronic crime in Spanish.” He maintains a public GitHub profile under the name “notsafety”, as well as a Telegram account where he presents his work. This is also where the hacker claims to be the founder of Ankarex.

The stolen sensitive data included phone numbers, national identity numbers, and names of thousands of victims.

It’s a common scam

The Hacker News recalls that banking Trojans are a common practice in the world of cybercrime. Just a week ago, the Anatsa banking Trojan was found to be behind multiple confirmed cases of fraud. Anatsa was being distributed via Android apps sold on the Google Play Store, ThreatFabric reported at the time.

These apps had more than 30,000 installs and targeted nearly 600 financial apps around the world, while targeting victims in the United States, Germany, Austria, and Switzerland.

Neo_Net has also been observed to collaborate with non-Spanish speakers, including another cybercriminal identified on Telegram as devilteam666. One operation in particular involved the use of Google Ads targeting crypto wallet owners, and devilteam666 continues to offer malicious Google Ads services on its Telegram channel.
