Security researcher Pol Thill has identified a Mexico-based hacker known as Neo_Net as the mastermind behind a series of cyber-attacks targeting global banks.
According to Thill’s findings, published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground, Neo_Net utilized sophisticated Android malware to compromise the security of numerous financial institutions worldwide.
Neo_Net’s campaign spanned from June 2021 to April 2023, specifically focusing on prominent banks in various countries, mainly Spanish and Chilean financial institutions. Notable targets of the cyber-criminal include Santander, BBVA and CaixaBank.
Despite employing relatively unsophisticated tools, Neo_Net achieved remarkable success, stealing over €350,000 ($382,153) from victims’ bank accounts and compromising the personal information of thousands of individuals.
The hacker’s attack strategy revolved around deploying SMS phishing messages disguised as legitimate communications from reputable financial institutions. These carefully crafted messages deceived victims into revealing their sensitive credentials.
Neo_Net also developed and distributed Android Trojans disguised as security applications, exploiting the trust of unsuspecting victims to gain access to their banking information.
Thill explained that Neo_Net’s operation stands out due to his Smishing-as-a-Service platform called Ankarex, which allowed him to rent out his infrastructure to multiple affiliates. This strategy enabled the cyber-criminal to expand his reach and execute successful attacks in various countries.
Moreover, Neo_Net further monetized his criminal activities by selling compromised victim data to interested third parties.
“The success of their campaigns can be attributed to the highly targeted nature of their operations, often focusing on a single bank and copying their communications to impersonate bank agents,” SentinelOne wrote.
“Furthermore, due to the simplicity of SMS spyware, it can be difficult to detect, as it only requires permission to send and view SMS messages.”
According to SentinelOne, these campaigns underscore the vulnerability of multi-factor authentication (MFA) when relying on SMS, emphasizing the need for more robust safeguards such as physical tokens or external applications to ensure better protection against circumvention.
Source: www.infosecurity-magazine.com
