al capone
Advanced
- Joined
- 13.09.20
- Messages
- 159
- Reaction score
- 1,911
- Points
- 93
Group-IB took part in the Interpol operation "Falcon" to stop the activities of cybercriminals from Nigeria. The group, called Group-IB TMT specialists, has been committing massive hacks of corporate mail for several years and stealing user authentication data from browsers, email, and FTP servers, including for sale.
The criminals have been operating since at least 2017 and compromised at least 500,000 public and private companies in more than 150 countries, including Russia. Three cybercriminals were arrested in Lagos as a result of a cross-border operation involving the Interpol cybercrime Directorate, the Nigerian police and Group-IB (international cybercrime investigation division, Singapore). The investigation is ongoing, and some members of the criminal group are still at large.
OC, IO, and OI
The group was engaged in BEC attacks (from the English business email compromise – compromising business mail). Three members of the group, known by the initials " OC "(32 years old)," IO "(34 years old) and" OI "(35 years old), who were identified through the use of cybercriminal tracking technologies group-IB, as well as the operational work of the international investigation team Group-IB and the cyber security incident response Center CERT-GIB, were arrested in Lagos by the Nigerian cyber police Department as part of operation Falcon.
According to representatives of the Nigerian police, information found on the devices of the arrested members of the TMT group confirmed their involvement in the criminal scheme and contained data belonging to at least 50,000 victims.
Phishing without a vaccine
Analysis of the activities of criminals showed that the group, masquerading as brands of various organizations, used mass phishing mailings to deliver popular malware under the guise of purchase orders, requests for product data, and even offers of help in the fight against coronavirus.
The attackers used the Gammadyne Mailer and Turbo-Mailer tools to send phishing emails. They also used the MailChimp platform to find out if the victim opened the message they received.
Experts note that the group used previously hacked email accounts for new phishing attacks. The sample emails detected and analyzed by the Group-IB Threat Hunting Framework were written in English, Russian, Spanish, and other languages, depending on the targets being attacked.
Experts also believe that the cybercriminals behind these campaigns use only publicly available spyware and remote access Trojans (RAT), such as AgentTesla, Loky, AzoRult, Pony, NetWire. To avoid detection and tracking by traditional security systems, the group uses public cryptors. In particular, the attackers used SMTP, FTP, and HTTP protocols to communicate with the command server.
The group's goal is to steal authentication data from browsers, email, and FTP clients. In the course of their activities, the attackers managed to compromise organizations around the world, including in the United States, great Britain, Singapore, Japan, Russia, and even at home in Nigeria.
Although experts continue to study methods for monetizing stolen data, it is already known that cybercriminals most likely sold access to accounts, as well as confidential data extracted from emails, on hacker forums to those who offered the highest price.
Interpol's Director of cybercrime investigations, Craig Jones, highlighted the role of cooperation between all parties involved in the investigation and the importance of public-private relations in the fight against crime.
"This group used an established criminal business model. From compromising to cashing out, they used a variety of tools and methods to extract maximum profits. We look forward to further results of the joint operation," said Craig Jones.
"This cross — border operation has once again demonstrated that only effective cooperation between private companies in the field of cybersecurity and international law enforcement agencies can bring criminals to justice," comments Vesta Matveeva, head of the high-tech crime investigation Department at Group-IB (Singapore). — This approach allows you to overcome differences in the legislation of countries that prevent the exchange of criminally significant data. The investigation is still ongoing, but we are pleased with the results achieved thanks to the coordinated efforts of Interpol with the support of the Nigerian cyber police."
The criminals have been operating since at least 2017 and compromised at least 500,000 public and private companies in more than 150 countries, including Russia. Three cybercriminals were arrested in Lagos as a result of a cross-border operation involving the Interpol cybercrime Directorate, the Nigerian police and Group-IB (international cybercrime investigation division, Singapore). The investigation is ongoing, and some members of the criminal group are still at large.
OC, IO, and OI
The group was engaged in BEC attacks (from the English business email compromise – compromising business mail). Three members of the group, known by the initials " OC "(32 years old)," IO "(34 years old) and" OI "(35 years old), who were identified through the use of cybercriminal tracking technologies group-IB, as well as the operational work of the international investigation team Group-IB and the cyber security incident response Center CERT-GIB, were arrested in Lagos by the Nigerian cyber police Department as part of operation Falcon.
According to representatives of the Nigerian police, information found on the devices of the arrested members of the TMT group confirmed their involvement in the criminal scheme and contained data belonging to at least 50,000 victims.
Phishing without a vaccine
Analysis of the activities of criminals showed that the group, masquerading as brands of various organizations, used mass phishing mailings to deliver popular malware under the guise of purchase orders, requests for product data, and even offers of help in the fight against coronavirus.
The attackers used the Gammadyne Mailer and Turbo-Mailer tools to send phishing emails. They also used the MailChimp platform to find out if the victim opened the message they received.
Experts note that the group used previously hacked email accounts for new phishing attacks. The sample emails detected and analyzed by the Group-IB Threat Hunting Framework were written in English, Russian, Spanish, and other languages, depending on the targets being attacked.
Experts also believe that the cybercriminals behind these campaigns use only publicly available spyware and remote access Trojans (RAT), such as AgentTesla, Loky, AzoRult, Pony, NetWire. To avoid detection and tracking by traditional security systems, the group uses public cryptors. In particular, the attackers used SMTP, FTP, and HTTP protocols to communicate with the command server.
The group's goal is to steal authentication data from browsers, email, and FTP clients. In the course of their activities, the attackers managed to compromise organizations around the world, including in the United States, great Britain, Singapore, Japan, Russia, and even at home in Nigeria.
Although experts continue to study methods for monetizing stolen data, it is already known that cybercriminals most likely sold access to accounts, as well as confidential data extracted from emails, on hacker forums to those who offered the highest price.
Interpol's Director of cybercrime investigations, Craig Jones, highlighted the role of cooperation between all parties involved in the investigation and the importance of public-private relations in the fight against crime.
"This group used an established criminal business model. From compromising to cashing out, they used a variety of tools and methods to extract maximum profits. We look forward to further results of the joint operation," said Craig Jones.
"This cross — border operation has once again demonstrated that only effective cooperation between private companies in the field of cybersecurity and international law enforcement agencies can bring criminals to justice," comments Vesta Matveeva, head of the high-tech crime investigation Department at Group-IB (Singapore). — This approach allows you to overcome differences in the legislation of countries that prevent the exchange of criminally significant data. The investigation is still ongoing, but we are pleased with the results achieved thanks to the coordinated efforts of Interpol with the support of the Nigerian cyber police."