Spain arrests 16 hackers in crackdown on banking malware campaigns

In a major victory against organised cyber crime, Spanish law enforcement agencies arrested as many as sixteen hackers who used two banking malware variants and email-based phishing attacks to steal money from European financial institutions.

The arrested hackers operated two banking malware variants, Melcoz (also known as Mekotio) and Grandoreiro, to steal money through banking websites. Their modus operandi involved sending phishing emails to selected financial institutions and using the malware to transfer money out of the victims' bank accounts.

The two banking trojan variants were first observed by security firm Kaspersky in May this year. The firm said that these two variants form part of “the Tétrade” of Brazilian banking malware that also includes Bizarro and Javali. Bizarro was the most widely used malware until recently, with hackers using it to target 70 banks from different European and South American countries, including Argentina, Chile, Germany, Spain, Portugal, France, and Italy.

Hackers used Melcoz and Grandoreiro to steal £236,947 from victims

In the emails sent to targeted victims, the hackers posed as legitimate package delivery services or government agencies and asked the recipients to click on malicious links. Once a victim clicked on a link, the malware installed itself in the victim’s computer and according to The Hacker News, intercepted “transactions on a banking website to unauthorisedly siphon funds to accounts under the attackers’ control. At least 68 email accounts belonging to official bodies were infected to facilitate such fraudulent transfers.”

“Through malicious software, installed on the victim’s computer by the technique known as ‘email spoofing’, [the group] would have managed to divert large amounts of money to their accounts. After that, the money was diversified by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder the possible police investigation,” the Spanish Civil Guard said.

The hackers were arrested this month following a year-long investigation, dubbed “Aguas Vivas”. The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz), and Aranda de Duero (Burgos).

Following the arrests, authorities seized mobile phones, computers, and documents and after analyzing their spam emails, found that the hackers successfully stole £236,947 from financial institutions and were attempting to transfer more than £3 million. Aside from blocking these transfer attempts, the authorities also recovered around £74,000 from the hackers.

Brazilian malware variants ruled the roost in Europe and Latin America

According to Kaspersky, Melcoz is a banking Trojan family developed by the Tetrade group which has been active since at least 2018 in Brazil. “The malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. This malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module,” the firm said.
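The execution chain Kaspersky describes (an MSI package that launches an AutoIt or VBS script, which in turn runs a malicious DLL) leaves a recognisable parent/child process pattern in endpoint telemetry. The following is an added detection example written for this article; it is not code from Kaspersky, the Civil Guard, or any product. The log format, host names, user names and file paths are constructed for the example, and the list of script hosts is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Optional

# Assumed set of interpreters/loaders that an installer-delivered script payload would spawn.
# This list is an illustrative assumption, not a vendor-supplied signature.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "autoit3.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
INSTALLER = "msiexec.exe"

# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = """\
2021-07-14T09:12:01Z host=ws-017 user=alice parent=C:\\Windows\\System32\\msiexec.exe child=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\setup.vbs"
2021-07-14T09:12:03Z host=ws-017 user=alice parent=C:\\Windows\\System32\\wscript.exe child=C:\\Windows\\System32\\rundll32.exe cmd="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll,Start"
2021-07-14T09:15:44Z host=ws-022 user=bob parent=C:\\Windows\\System32\\msiexec.exe child=C:\\Program Files\\Vendor\\installer.exe cmd="installer.exe /quiet"
2021-07-14T09:20:10Z host=ws-031 user=carol parent=C:\\Windows\\explorer.exe child=C:\\Windows\\System32\\cscript.exe cmd="cscript.exe logon.vbs"
"""

# Key=value layout of the constructed log; paths may contain spaces, hence the non-greedy groups.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>.+?)\s+child=(?P<child>.+?)\s+cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_installer_script_chains(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per event that matches either stage of the described chain:
    (1) msiexec.exe spawning a script host, (2) a script host spawning a DLL loader.
    Ordinary installer behaviour (msiexec spawning a vendor executable) and script
    hosts started from explorer.exe are deliberately not flagged."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        parent, child = basename(ev["parent"]), basename(ev["child"])
        reason = None
        if parent == INSTALLER and child in SCRIPT_HOSTS:
            reason = "installer spawned script host"
        elif parent in SCRIPT_HOSTS and child in DLL_LOADERS:
            reason = "script host spawned DLL loader"
        if reason:
            findings.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "parent": parent, "child": child, "cmd": ev["cmd"], "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in flag_installer_script_chains(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['parent']} -> {f['child']} ({f['reason']})")
```

Run against the constructed sample, the two events on ws-017 are flagged (installer to script host, then script host to DLL loader), while the legitimate installer child on ws-022 and the logon script on ws-031 are not. Correlating the two stages by host and a short time window would reduce noise further in a real deployment.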

Talking about Grandoreiro, the firm said that it has been used widely by hackers since 2016 to target victims in Latin America and Western Europe. The malware has also been used regularly as a Malware-as-a-Service (MaaS) project and since January last year, has been mostly used to target victims in Brazil, Mexico, Spain, Portugal, and Turkey.

“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems. Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe.

“Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern,” said Fabio Assolini, a security expert at Kaspersky.

Copyright Lyonsdown Limited 2021
