Smishing, fake websites, and remote access trojans all contributed to the criminal's fortune.
From June 2021 to April 2023, a Mexican hacker known as "Neo_Net" used malware for Android devices to launch numerous cyberattacks on banks across the globe, focusing on Spain and Chile. Paul Till, a security researcher, made this claim in a recent SentinelOne report that was co-published with VX-Underground.
The primary technique used to spread the mobile malware was SMS phishing, or "smishing," in which the hacker frightened victims with false reports of problems with their bank accounts and then redirected them to phoney banking websites that collected their personal information.
Paul Till said that the phishing pages were carefully configured using PRIV8 panels and had several defensive features, including blocking requests from desktop browsers and hiding the pages from bots and web crawlers.
The pages were built with animations and other components to closely resemble actual banking applications, the researcher continued.
Additionally, the hacker persuaded bank customers to install fake Android apps that looked like security software. Once installed, these apps asked for permission to access SMS so that they could intercept two-factor authentication (2FA) codes sent by the bank.
Till said, "Despite the use of relatively simple tools, Neo_Net has achieved a high degree of success by tailoring its infrastructure to specific purposes, which has resulted in the theft of more than 350 thousand euros from the victims' bank accounts and the compromise of personal data for thousands of them."
Neo_Net has been linked to a Mexican-born Hispanic threat actor. He has established himself as a skilled cybercriminal by operating a Smishing-as-a-Service platform called Ankarex, which targets numerous nations worldwide, and by selling phishing panels and stolen victim data to third parties.
The Ankarex platform has been operational since May 2022 and is actively promoted on the hacker's Telegram channel, which currently has about 1,700 subscribers.
According to a SentinelOne expert, "the service itself is available at ankarex[.]net, and after registration, users can replenish their balance with cryptocurrency transfers and start their own Smishing campaigns, indicating the content of the SMS and phone numbers of the targets."
Interestingly, news of Neo_Net's activities broke right after ThreatFabric researchers published a report about a fresh attack by the Anatsa Trojan (also known as TeaBot), which has been targeting bank customers in the US, UK, Germany, Austria, and Switzerland since the beginning of March 2023.