A Mexican hacker known as “Neo_net” conducted multiple cyber attacks on banks from June 2021 to April 2023, targeting countries such as Spain and Chile. The hacker used malicious software for Android devices, according to a recent report by security researcher Paul Till, released in cooperation with vx-underground and announced by SentinelOne.
The primary method used to spread the mobile malware was SMS phishing (smishing). The hacker would send false messages to victims, creating a sense of urgency about their bank accounts, and redirect them to fraudulent bank sites where personal data would be collected.
Paul Till explained, “The phishing pages were meticulously crafted using Priv8 panels and had various protective measures in place, including blocking requests from desktop browsers and hiding pages from bots and chain scanners.” Till also mentioned that the pages were designed to closely resemble real banking applications, incorporating elements such as animation to enhance their authenticity.
In addition to smishing, the hacker convinced bank customers to install fake Android applications disguised as security programs. Once installed, these applications requested permission to access SMS, enabling the interception of two-factor authentication codes sent by the bank.
Till further detailed, “Despite using relatively simple tools, Neo_NET achieved a high level of success by adapting their infrastructure to specific targets, resulting in the theft of over 350,000 euros from victims’ bank accounts and compromising the personal data of thousands.”
Neo_net is believed to be a Spanish-speaking attacker residing in Mexico. Apart from cyber attacks on banks, the hacker is involved in the sale of phishing panels and the provision of a smishing-as-a-service platform called Ankarex. This platform, active since May 2022, is promoted through a hacker Telegram channel with approximately 1,700 subscribers.
“Users of Ankarex[.]NET can register, fund their accounts using cryptocurrency transfers, and launch their own smishing campaigns by specifying the SMS content and the target numbers,” explained a specialist from SentinelOne.
News of Neo_net’s activities emerged alongside recent reports from ThreatFabric researchers regarding a new campaign by the Anatsa Trojan (also known as TeaBot). This trojan has been targeting banks in the United States, Great Britain, Germany, Austria, and Switzerland since the beginning of March 2023, as reported by The Hacker News.