Group-IB reports on the activities of the Spanish-speaking cybercrime group GXC Team, which pairs phishing kits with malicious Android applications. The group offers sophisticated malware-as-a-service (MaaS) solutions that significantly increase the effectiveness of its attacks.
Since January 2023, Group-IB has been monitoring the group and describes its operation as a “high-tech phishing platform as a service managed by artificial intelligence.” The PhaaS platform targets users of over 36 Spanish banks, state institutions, and 30 global organizations.
The phishing kits are sold for $150 to $900 per month, with a bundle of a phishing kit plus Android malware priced at $500 per month. The campaign's victims are users of financial institutions in Spain, as well as of tax and public services, e-commerce platforms, banks, and cryptocurrency exchanges in the USA, Great Britain, Slovakia, and Brazil. A total of 288 phishing domains have been uncovered.
The group also trades in stolen bank account data and provides development services for other cybercriminal groups targeting banking, financial, and cryptocurrency companies.
What sets the GXC Team apart is its combination of phishing kits with malware designed to steal one-time passwords (OTPs) delivered by SMS. Instead of relying on phishing pages to capture account data, the attackers trick victims into downloading an Android “banking” application under the pretext of protecting them from phishing. The phishing pages are distributed by various means, including spam.
An example phishing page prompting victims to install an application that supposedly prevents fraud attempts.
Once installed, the application asks to be set as the default SMS application, which lets it intercept OTPs and other messages and forward them to the attackers’ Telegram bot. It then opens the legitimate bank website in a WebView, so the victim can interact with the site as they normally would.
The application requests permission to become the default SMS application.
Along with the contents of the SMS messages, the attackers also receive additional information: the device manufacturer and model, firmware version, current IP address, and the sender’s phone number. All of this is sent to the attackers’ Telegram channel.
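The two behaviours described above, an app taking the default SMS role and forwarding messages to a Telegram bot, leave static and network traces a defender can look for. The following is an added triage example, not code from Group-IB or from the GXC Team, and it assumes two inputs a blue team would have: an AndroidManifest.xml extracted from a suspect APK, and outbound proxy log lines from a mobile network. It checks the manifest for the four components Android requires before it will grant the default-SMS role (SMS_DELIVER and WAP_PUSH_DELIVER receivers, a SENDTO activity and a RESPOND_VIA_MESSAGE service) combined with network access, and scans log lines for calls to the Telegram Bot API. The manifest, the log lines and the bot token in them are constructed samples.

```python
"""Triage helpers for the SMS-stealer pattern described above (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android grants the default-SMS role only to an app declaring all four of these
# intent actions; a self-described "banking" app declaring them is a strong signal.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings that together match the default-SMS-app + exfil pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    actions = {el.get(ANDROID_NS + "name") for el in root.iter("action")}
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_role_actions": sorted(actions & SMS_ROLE_ACTIONS),
        "declares_full_sms_role": SMS_ROLE_ACTIONS <= actions,
        "has_internet": "android.permission.INTERNET" in perms,
    }
    # Default-SMS role plus network access is the combination that lets an app
    # read OTPs and forward them; flag that pairing for manual review.
    findings["suspicious"] = findings["declares_full_sms_role"] and findings["has_internet"]
    return findings


# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(sendMessage|sendDocument)"
)


def find_telegram_exfil(log_lines):
    """Return (line_no, bot_token) for each proxy log line calling the Bot API."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = TELEGRAM_BOT_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# --- constructed samples (not real artifacts) --------------------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.12 GET https://example-bank.invalid/login 200",
    "2024-01-01T10:00:09Z 10.0.0.12 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN_xyz/sendMessage 200",
    "2024-01-01T10:00:15Z 10.0.0.12 GET https://cdn.example.invalid/app.js 200",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(find_telegram_exfil(SAMPLE_PROXY_LOG))
```

The manifest check is deliberately conservative: legitimate messaging apps also declare the full SMS role, so the result is a review flag, not a verdict, and it should be weighed against what the app claims to be (a bank app has no reason to become the SMS handler). The log check is useful on its own because a Telegram Bot API call from a handset that has just been on a banking site is unusual enough to investigate, and the captured token identifies the receiving bot for takedown requests.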