Group-IB reports on the activities of the Spanish-speaking cyber group GXC Team, which uses phishing kits with malicious Android applications. Cybercriminals offer comprehensive MaaS solutions, which significantly increases the effectiveness of attacks.
Group-IB has been tracking the group's activities since January 2023 and describes the hackers' solution as "a high-tech phishing platform as a service driven by artificial intelligence." The PhaaS platform is aimed at users of more than 36 Spanish banks, government agencies and 30 organizations around the world.
The phishing kit is priced from $150 to $900 per month, while the phishing kit + malware package for Android is priced at $500 per month. The campaign targeted users of financial institutions in Spain, as well as tax and government services, e-commerce, banks, and cryptocurrency exchanges in the United States, Great Britain, Slovakia, and Brazil. A total of 288 phishing domains were identified.
The cyber group will also sell stolen bank credentials and custom software development services to other cybercrime groups targeting banking, financial and cryptocurrency companies.
A special feature of the GXC Team is that the group combines phishing kits with malware to steal one-time passwords (OTP) via SMS. Instead of using phishing pages to capture credentials, attackers encourage victims to download an Android banking app to supposedly prevent phishing attacks. Phishing pages are distributed in various ways, including through smishing.
After installation, the app asks for permission to be set as the default SMS app, which allows it to intercept OTP passwords and other messages and send them to the operators' Telegram bot. At the final stage, the app opens the real bank's website in a WebView, allowing users to interact with the site as usual.
Along with the contents of SMS messages, the attacker receives additional information, including the device manufacturer and model, firmware version, current IP address, sender's phone number, and the contents of the SMS.
Logs sent to the Telegram channel
In addition, in a dedicated Telegram channel, cybercriminals advertise tools for generating AI voice calls, which allow customers to generate voice calls to potential victims based on a series of requests directly from the phishing kit. Calls are usually disguised as calls from the bank, asking you to provide two-factor authentication codes (2FA), install malicious applications, or perform other malicious actions.
The discovery by the GXC Team reveals a new cyber threat specifically targeting customers of Spanish banks. The group has a well-established criminal business and effective phishing tools, which makes GXC Team a significant threat to the region. Special attention is paid to the unusual combination of phishing kit and Android one-time password theft malware, which makes the tool much more versatile for criminals and much more dangerous for unsuspecting users.
• Source: https://www.group-ib.com/blog/gxc-team-unmasked/
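For analysts triaging a suspect APK, the behaviour described above (an app that can become the default SMS handler and reports to a Telegram bot) can be checked statically. The following is an added example, not code from Group-IB or the post; it assumes the manifest has already been decoded to XML and the APK's strings extracted by other tooling, and the function names, package name and sample data are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Intent actions Android requires, per component type, before an app can be
# offered to the user as the default SMS handler.
REQUIRED = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER",
                 "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
}

def actions(root, tag):
    """Intent-filter actions declared under every <tag> component."""
    return {a.get(NS + "name") for c in root.iter(tag) for a in c.iter("action")}

def triage(manifest_xml, apk_strings=()):
    """Return findings for one decoded manifest plus strings pulled from the APK."""
    root = ET.fromstring(manifest_xml)
    missing = set()
    for tag, need in REQUIRED.items():
        missing |= need - actions(root, tag)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    return {
        "default_sms_capable": not missing,
        "missing_actions": sorted(missing),
        "has_internet": "android.permission.INTERNET" in perms,
        "telegram_bot_api": any("api.telegram.org/bot" in s for s in apk_strings),
    }

def is_suspicious(f):
    # Can take over SMS, can reach the network, and talks to the Telegram Bot API.
    return f["default_sms_capable"] and f["has_internet"] and f["telegram_bot_api"]

# Constructed sample (not taken from the report): a "bank security" app manifest.
def _component(tag, action):
    return (f'<{tag} android:name=".X"><intent-filter>'
            f'<action android:name="{action}"/></intent-filter></{tag}>')

SAMPLE = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
          'package="com.example.bankguard">'
          '<uses-permission android:name="android.permission.INTERNET"/><application>'
          + "".join(_component(t, a) for t, acts in REQUIRED.items() for a in sorted(acts))
          + "</application></manifest>")
SAMPLE_STRINGS = ["https://api.telegram.org/bot<TOKEN>/sendMessage"]  # placeholder token

if __name__ == "__main__":
    findings = triage(SAMPLE, SAMPLE_STRINGS)
    print(findings, is_suspicious(findings))
```

A banking app has no functional reason to be the default SMS handler, so `default_sms_capable` on an app presenting itself as one is worth escalating even without the Telegram indicator.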