An enterprising thief made a fortune using smishing, fake websites, and remote Trojan access. Between June 2021 and April 2023, a Mexican hacker going by the handle “Neo_Net” launched many cyberattacks against banks around the globe, focusing on those in Chile and Spain. Paul Till, a security investigator, reported this in a recent paper that SentinelOne produced in association with VX-Underground.
What is Known About the Hack
SMS phishing (smishing) has emerged as the primary strategy for distributing the mobile virus. In this scheme, the attacker first alarms victims with phony claims of problems with their bank accounts, then redirects them to bogus banking websites that collect their confidential data.
Paul Till said the phishing pages had various security features that were meticulously modified using the PRIV8 panels, including blocking requests from desktop browsers and concealing pages from bots and web crawlers.
“These pages have been designed to closely resemble real banking applications, with animations and other elements to create a compelling illusion,” the researcher continued.
The hacker also tricked bank clients into installing phony Android applications that looked like security tools but actually requested access to SMS messages in order to intercept two-factor authentication (2FA) codes sent by the bank.
“Despite the use of relatively simple tools, Neo_Net accomplished an elevated level of success by modifying its networks for specific reasons that resulted in the theft of more than 350 thousand euros from the financial accounts of victims and the compromise of personal data of thousands of them,” Till explained.
Neo_Net has been linked to a Hispanic threat actor residing in Mexico. Through the sale of phishing panels, stolen victim data, and a Smishing-as-a-Service offering called Ankarex that targets many nations worldwide, he has established himself as a proficient cybercriminal.
The Ankarex platform first became operational in May 2022. It is widely advertised on the hacker’s Telegram channel, which has 1,700+ users. According to a SentinelOne expert, “the service itself is available at ankarex[.]net, and after registration, users can replenish their balance with cryptocurrency transfers and start their own Smishing campaigns, indicating the content of the SMS and phone numbers of the targets.”
Notably, the news of Neo_Net’s activities broke right after a recent report by ThreatFabric researchers on the new campaign of the Anatsa Trojan (also known as TeaBot), which has been attacking bank customers in the US, UK, Germany, Austria, and Switzerland since the beginning of March 2023.