Police Bust 20 Phishing Suspects in Italy, RomaniaArrests Came After a Two-Year Investigation of 'Highly Organized' Crime Group
Police in Europe arrested 20 Romanian and Italian nationals on Wednesday in a series of coordinated raids aimed at disrupting an Italian-led spear-phishing operation that stole victims' online bank account credentials and then steal more than $1 million.
The arrests of the alleged cybercrime gang members show that phishing attacks are criminally viable way to harvest online bank account credentials and cryptocurrency, as well as corporate and scientific secrets (see Britain Backs US Hacking Allegations Against Iranians).
In the case of this alleged phishing gang, police in Romania detained nine suspects and police in Italy arrested 11 suspects, all on suspicion of bank fraud. Police, conducting numerous house raids, also seized documents, devices and illegal drugs, among other materials.
Criminals faked emails from tax authorities to defraud bank customers across Italy and Romania out of EUR 1 million. Watch this video from @poliziadistato on this great international operation: https://t.co/xUb8Y5eD1C— Europol (@Europol) March 29, 2018
Eurojust, the EU agency that deals with judicial cooperation in European criminal matters, said the arrests were the result of a two-year investigation into the "highly organized" crime group.
Authorities say the gang's main modus operandi was crafting fake emails that appeared to come from local tax authorities. Customers from two banks in Italy and Romania - unnamed by authorities - collectively lost €1 million ($1.2 million) to the gang, they say.
Eurojust says the gang would "use stolen online banking credentials to surreptitiously transfer money from the victims' accounts into accounts under their control, and from there withdrew the money from ATMs in Romania with credit/debit cards linked to the criminal accounts." The gang allegedly coordinated their activities using encrypted chat messages (see Feds: Secure Smartphone Service Helped Drug Cartels).
Gang members are also suspected of being involved in money laundering, drug and human trafficking as well as prostitution, authorities say.
Eurojust says it facilitated two coordination meetings, in March and October of last year. Officials in Romania and Italy agreed to conduct their investigations in parallel, exchange information as well as coordinate the day on which suspects would be arrested, via a joint investigation team set up by the EU's Joint Cybercrime Action Taskforce. The J-CAT is operated by the European Cybercrime Center, or EC3, which is part of Europol, the EU's law enforcement intelligence agency, which also assisted with this investigation.
Spanish Police Detain 'Dennis K.'
News of the alleged phishing gang members' arrest arrives the same week as Spanish police, as part of an operation also coordinated by Europol, said they had arrested "Dennis K." in the city of Alicante. The Ukrainian national has been charged with being the leader of a cybercrime enterprise that used Anunak, Carbanak and then Cobalt malware to steal online bank account credentials from individuals as well as conduct logical attacks against ATMs (see Spain Busts Alleged Kingpin Behind Prolific Malware).
Moscow-based cybersecurity firm Group-IB says that as part of the investigation, the alleged author of Cobalt malware was also arrested in Ukraine. Spanish police say two other individuals - also unnamed by authorities - were also core members of the group, which is variously known as the Anunak, Carbanak or Cobalt gang.
At the time of the Cobalt group's discovery in 2015 by Moscow-based cybersecurity firm Kaspersky Lab, together with Interpol, Europol and a number of other law enforcement agencies, Kaspersky Lab estimated that $1 billion had been lost to the group's activities since 2013.
"The group uses social engineering techniques, such as phishing emails with malicious attachments - for example Word documents with embedded exploits - to target employees in financial institutions of interest," says Sergey Golovanov, a principal security researcher at Moscow-based cybersecurity firm Kaspersky Lab. "Once a victim is infected, the attackers install a backdoor designed for espionage, data theft and remote management of the infected system, looking for financial transaction systems."
Russian Bank Lost $6 Million
At the end of 2017, the Cobalt gang achieved a historical first: It successfully defrauded a Russian bank using fraudulent SWIFT interbank messages, Group-IB says. The Russian bank lost $6 million, Russia's central bank revealed in February. It declined to name the institution.
Despite the two alleged Cobalt gang members' arrests, it's not clear if the remaining gang members might carry on, or themselves form new groups.
"We do not rule out the theory that the remaining members will continue to conduct operations for a period of time with the goal of showing that the individuals arrested were not associated with the group," says Dmitry Volkov, Group-IB's CTO and head of its threat intelligence department.
"Given the arrest of the Cobalt Group's leader, such campaigns will soon subside and the most likely scenario is that remaining Cobalt members will join existing groups or a fresh 'redistribution' will result in a new cybercriminal organization attacking banks across the world," he adds.
Cobalt Group Launches 'SpamHaus' Campaign
Group-IB says a fresh batch of spear-phishing emails sent by the Cobalt gang were spotted on March 26. It's unclear if the messages might have been queued up in advance.
"[The] spear-phishing emails which were sent by Cobalt [masquerading as] SpamHaus, a well-known non-profit organization that fights against spam and phishing," according to Group-IB. "The letter sent to targets from 'firstname.lastname@example.org' - the real domain of 'Spamhaus' is spamhaus.org - claimed that the IP addresses of the target company were blocked due to suspicions of sending spam."
As is typical with phishing emails, the fake messages attempted to trick recipients into pursuing a specific course of action that played into attackers' hands. "In order to 'solve' the problem, the authors of the letter invited the victim to follow the link, leading to the download of a Microsoft Office document which was in fact malware," Group-IB says.
Top Breach Vector: Phishing
Clearly, criminals continue to employ spear phishing because it continues to work.
U.S. law firm BakerHostetler, which helps investigate data breaches, reports that in 2017, phishing was the No. 1 technique that attackers used to gain access to a network or system. BakerHostetler reports that 34 percent of all the breaches it investigated last year began after an employee was "tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document, or clicking on a link that installed malware."
After phishing, attackers took such actions as launching network reconnaissance campaigns giving themselves persistent remote access to networks; convincing employees to initiate wire transfers to attacker-owned accounts; and crypto-locking systems and then demanding ransoms.
How Intruders Breach Organizations
Do More Than Change Passwords
BakerHostetler says one up-and-coming phishing attack involves exploiting cloud-based email systems, such as Office 365, for which multifactor or two-factor authentication has not been enabled (see Social Security to Try Two-Factor Authentication Again).
Last year, "we saw a surge in phishing incidents targeting Office 365 login credentials," according to BakerHostetler's report, with attackers sometimes targeting 20 or more employees at once to gain access to numerous accounts at once.
Responding to cloud account takeovers requires special considerations.
"One tactic used by attackers to avoid detection was so common that it is worth a special note," the law firm's report says. "After compromising a user's mail account and using the target's account to send fraudulent emails - in furtherance of a wire fraud scam, W-2 theft or some other fraud - an attacker will typically add mailbox rules to ensure that replies to the imposter emails are forwarded to the attacker and deleted from the mailbox, preventing the real user from seeing replies to the imposter's emails."
As a result, incident responders dealing with phishing attacks leading to takeovers of Office 365 accounts must do more than simply change passwords. "Entities must search for and deactivate unauthorized rules changes immediately upon learning of an incident. Important: Do not delete these rules - they must be preserved for forensic investigation," BakerHostetler says.