
AI-Powered Cybercrime Service: Phishing Kits Bundled with Malicious Android Apps


In a recent development in cybercrime, a Spanish-speaking group known as GXC Team has been making waves with its innovative approach to phishing. The group has been observed combining phishing kits with malicious Android applications, taking the concept of malware-as-a-service (MaaS) to unprecedented levels.

The Singaporean cybersecurity company Group-IB has been closely monitoring the activities of this e-crime actor since January 2023. According to their findings, GXC Team is offering a sophisticated AI-powered phishing-as-a-service platform that is capable of targeting users of more than 36 Spanish banks, governmental bodies, and 30 institutions globally.

The pricing for the phishing kit ranges from $150 to $900 per month, while the bundle that includes the phishing kit and Android malware is available on a subscription basis for approximately $500 per month. The targets of this campaign span across various sectors, including Spanish financial institutions, tax and governmental services, e-commerce platforms, banks, and cryptocurrency exchanges in countries such as the United States, the United Kingdom, Slovakia, and Brazil. To date, a total of 288 phishing domains have been identified in connection with this malicious activity.

One of the unique aspects of the services offered by GXC Team is the sale of stolen banking credentials and custom coding-for-hire schemes for other cybercriminal groups targeting banking, financial, and cryptocurrency businesses. The security researchers Anton Ushakov and Martijn van den Berk highlighted the innovative approach taken by GXC Team in combining phishing kits with an SMS OTP stealer malware, pivoting the traditional phishing attack scenario in a new direction.

Instead of directly using a bogus page to steal credentials, the threat actors persuade victims to download an Android-based banking app under the pretext of preventing phishing attacks. These pages are distributed via smishing and other methods to unsuspecting users. Once the app is installed, it requests permissions to act as the default SMS app, allowing it to intercept one-time passwords and other messages which are then sent to a Telegram bot controlled by the cybercriminals.
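A defender-side static triage check for the app behaviour described above: an APK whose manifest asks for SMS permissions, declares the SMS_DELIVER receiver an app needs in order to be chosen as the default SMS handler, and also has network access to forward what it intercepts. This is an added example, not code from the article or from Group-IB; the manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

# Android attributes carry this namespace once the manifest is parsed.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an SMS-intercepting app typically declares.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Action a receiver must handle for the app to become the default SMS app.
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the OTP-stealer indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    declares_deliver = any(
        a.get(ANDROID_NS + "name") == SMS_DELIVER for a in root.iter("action")
    )
    found = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "declares_sms_deliver_receiver": declares_deliver,
        "has_internet": "android.permission.INTERNET" in perms,
    }
    # Flag the combination: SMS handling plus a channel to exfiltrate it.
    found["suspicious"] = bool(found["sms_permissions"]) and declares_deliver and found["has_internet"]
    return found


# Constructed manifest mimicking the pattern (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded from an APK (for example with apktool) to get the same indicator dictionary for a real sample.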

Furthermore, GXC Team offers AI-infused voice calling tools that enable customers to generate voice calls to potential targets based on a series of prompts directly from the phishing kit. These calls are designed to appear as if they are coming from a legitimate bank, instructing users to provide their two-factor authentication codes or perform other actions as instructed.

The use of AI-powered voice cloning has also been highlighted as a growing concern in the cybersecurity landscape. Threat actors can mimic human speech with remarkable accuracy, making vishing (voice phishing) attacks more convincing and effective. This technology enables cybercriminals to impersonate executives, colleagues, or IT support personnel to trick victims into divulging sensitive information or granting access to systems.

Phishing kits with adversary-in-the-middle (AiTM) capabilities have gained popularity due to their ability to streamline phishing campaigns and lower the technical barriers for cybercriminals. These kits can manipulate user interfaces to create convincing login pages for phishing attacks, as demonstrated by security researcher mr.d0x in a recent report.

In addition, AiTM phishing kits can be used to compromise accounts protected by passkeys on various online platforms through authentication method redaction attacks. This method exploits the less-secure authentication fallback mechanisms still offered by services even when passkeys are configured.

The rise of social engineering attacks involving encoded URLs and obfuscated code executed through PowerShell terminals has raised concerns among cybersecurity experts. Malicious PowerShell commands are being used to download and execute payloads, deploying dangerous malware like DarkGate and Lumma Stealer.

As cybercriminals continue to innovate and adapt their tactics, the cybersecurity community faces a constant challenge in defending against these evolving threats. The use of AI-powered tools in phishing attacks and the exploitation of voice cloning technology highlight the need for robust security measures and increased awareness among users to prevent falling victim to these increasingly sophisticated cybercrimes.
