Meta Platforms, Microsoft and the US Department of Justice (DoJ) have announced independent actions to combat cybercrime and shut down services that enable scams, fraud and phishing attacks.
Microsoft's Digital Crimes Unit (DCU) announced the seizure of 240 fraudulent websites linked to an Egyptian cybercrime facilitator named Abanoub Nadi (aka MRxC0DER and mrxc0derii), who advertised a phishing kit called ONNX. Nadi's criminal operation dates back to 2017.
“Many cybercriminals and online threat actors have purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and compromise Microsoft customer accounts,” said Steven Masada of Microsoft's DCU.
“While all sectors are at risk, the financial services industry is heavily targeted given the sensitive data and transactions they process. In such cases, a successful phishing attack can have devastating real-world consequences for victims.”
ONNX is offered under a phishing-as-a-service (PhaaS) model, priced from $150 to $550 per month for six months. It was documented earlier this June by EclecticIQ, which detailed the kit's ability to serve QR codes embedded in PDF files that ultimately direct victims to fake Microsoft 365 login pages.
Notably, Nadi's identity was exposed by DarkAtlas around the same time, prompting the operation to abruptly shut down. Microsoft tracks the owner and operator of ONNX under the alias Storm-0867.
ONNX was subsequently the subject of an alert from the US Financial Industry Regulatory Authority (FINRA), which warned that financial institutions were being targeted by the kit and that it could bypass two-factor authentication (2FA) by intercepting 2FA requests.
According to Microsoft, the PhaaS platform has also gone by other names, including Caffeine and FUHRER, and allows customers to run large-scale phishing campaigns. The kits, which were promoted, sold and configured almost exclusively via Telegram, contain phishing templates and the supporting technical infrastructure.
The tech giant said it obtained a civil court order in the Eastern District of Virginia to neutralize the malicious technical infrastructure, effectively blocking access by threat actors and preventing those domains from being used for phishing attacks in the future.
Microsoft's co-plaintiff in the lawsuit is LF Projects, LLC (the Linux Foundation entity), which owns the trademark for ONNX, short for Open Neural Network Exchange, an open source format for representing machine learning models.
The development comes after the Department of Justice announced the takedown of PopeyeTools, a marketplace that sold stolen credit cards and other tools for committing financial fraud. In tandem, charges were announced against three of its administrators from Pakistan and Afghanistan: Abdul Ghaffar, 25; Abdul Sami, 35; and Javed Mirza, 37.
All three individuals were charged with conspiracy to commit access device fraud, trafficking in access devices, and aiding another person to provide access devices. If convicted, they face a maximum sentence of 10 years in prison on each of the three access device counts.
The marketplace (www.PopeyeTools.com, www.PopeyeTools.co.uk and www.PopeyeTools.to), according to the DoJ, has operated as an online hub for the sale of sensitive financial data and other illicit tools since 2016, attracting thousands of users worldwide, including some linked to ransomware.
PopeyeTools is estimated to have sold access devices and personally identifiable information (PII) of at least 227,000 people and to have generated at least $1.7 million in revenue. Its motto was “We believe in quality, not quantity”.
Some of the advertised offerings included stolen payment card data for carrying out fraudulent transactions, stolen bank account information, spam email lists, scam templates, guides and tutorials.
“To attract participants to the market, PopeyeTools allegedly promised to refund or replace purchased credit cards that were no longer valid at the time of sale,” the DoJ said. “Furthermore, at various times, PopeyeTools provided customers with access to services that can be used to verify the validity of bank account, credit or debit card numbers offered through the website.”
The department also said it had received court approval to seize about $283,000 worth of cryptocurrency from a cryptocurrency account controlled by Sami.
Concurrent with the seizure of ONNX and PopeyeTools, Meta announced that it had removed more than two million accounts linked to scam centers in Cambodia, Myanmar, Laos, the United Arab Emirates and the Philippines that were used to carry out pig butchering schemes.
These fraud operations, run by organized crime syndicates in Southeast Asia, typically involve building trusting personal and romantic relationships online with targets around the world via social media platforms and dating apps, then manipulating the victims into depositing their hard-earned money into fictitious investments.
“These criminal scam centers lure unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums and recruitment platforms to then force them to work as online scammers, often under threat of physical abuse,” Meta said.
Back in May, the company teamed up with Coinbase, Ripple and Match Group, which owns Tinder and Hinge, to form a coalition called Tech Against Scams, which aims to develop ways to combat this transnational threat and other forms of online fraud. Google, for its part, has partnered with the Global Anti-Scam Alliance (GASA) and the DNS Research Federation (DNS RF) with similar goals.