A cybercriminal known as Neo_Net, with Mexican origins, has been identified as the perpetrator behind a large-scale Android mobile malware campaign aimed at financial institutions worldwide.
The campaign, which targeted Spanish and Chilean banks specifically from June 2021 to April 2023, has resulted in the theft of over 350,000 EUR from victims’ bank accounts and compromised the Personally Identifiable Information (PII) of thousands of individuals.
Despite employing relatively unsophisticated tools, Neo_Net achieved a high success rate by customizing their infrastructure to suit each target. Security researcher Pol Thill, who attributed the activity to Neo_Net, highlighted the cybercriminal’s involvement in various illicit activities. These include the sale of phishing panels, the dissemination of compromised victim data to third parties, and the provision of a smishing-as-a-service offering called Ankarex, which targets multiple countries worldwide.
The attack methodology begins with SMS phishing, where Neo_Net employs scare tactics to trick recipients into interacting with bogus landing pages, ultimately harvesting their credentials through a Telegram bot. Neo_Net’s phishing pages were meticulously designed to resemble genuine banking applications, incorporating animations to create a convincing façade.
To further evade detection, the cybercriminal implemented multiple defense measures, such as blocking requests from non-mobile user agents and concealing the pages from bots and network scanners.
Additionally, the threat actor deceived bank customers by tricking them into installing malicious Android apps disguised as security software. These apps, once installed, requested SMS permissions to capture two-factor authentication (2FA) codes sent by the bank. The recent revelation of Neo_Net’s activities sheds light on the persistent threat posed by cybercriminals in the financial sector.
With the cybercriminal’s involvement in various illicit activities and the success of their targeted attacks, financial institutions globally must remain vigilant and implement robust security measures to protect against emerging threats.
The uncovering of Neo_Net’s activities serves as a reminder of the importance of continuous security monitoring, user education, and the adoption of strong authentication methods to safeguard against sophisticated cyberattacks.
