August 1, 2024
By Cybervergent Team

Unmasking the GXC Team: A New Era of Cyber Deception

In the ever-evolving world of combating threats and safeguarding data, a Spanish-speaking group known as the GXC Team is shaking things up. They've taken the art of deception to new heights by bundling phishing kits with malicious Android applications, creating a potent mix of malware-as-a-service (MaaS) offerings that are both innovative and alarming.

Active Use and Evolution:

Since January 2023, the Singaporean cybersecurity firm Group-IB has been tracking this crafty crew. Their latest creation? A "sophisticated AI-powered phishing-as-a-service platform" that targets users across more than 36 Spanish banks and extends its reach to governmental bodies and institutions worldwide. Imagine a toolkit that costs between $150 and $900 a month for a phishing kit, or about $500 monthly for a complete package that includes Android malware—this is cybercrime reinvented.

Threat Actor and Distribution Tactics:

The GXC Team's targets span not just Spain but also the U.S., U.K., Slovakia, and Brazil, aiming at financial institutions, tax services, e-commerce sites, and even cryptocurrency exchanges. They’ve set up a staggering 288 phishing domains to ensnare unsuspecting victims. Instead of the usual tactics, they lure potential victims into downloading seemingly legitimate banking apps, using smishing (SMS phishing) and other crafty methods.

Attack Process:

Here’s where it gets really sneaky: once the victim installs the malicious app, it requests permissions to become the default SMS app. This allows it to intercept one-time passwords (OTPs) and other crucial messages, sending them straight to a Telegram bot controlled by the attackers. The app then opens a genuine bank's website in a WebView, making it look like everything is normal. When the bank prompts for an OTP, the malware quietly captures the code and sends it to the criminals. It’s a masterclass in manipulation.
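For defenders vetting apps, the default-SMS request described above leaves a trace in the app's manifest. The following triage check is an added example, not code from Group-IB or the original post: it flags a decoded AndroidManifest.xml that declares all four handlers Android requires of a default SMS app, also holds the INTERNET permission, and is not an approved messaging app. The sample manifest, the package name `com.example.bankapp`, and the allowlist contents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Intent actions an app must handle before Android will offer it as the default SMS app.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Assumption: messaging apps your organization approves; adjust to your fleet.
KNOWN_SMS_APPS = {"com.google.android.apps.messaging"}

# Constructed sample: a "banking" app that also declares every SMS-role handler.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bankapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".A" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".B" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".C">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <service android:name=".D" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

def triage(manifest_xml, allowlist=KNOWN_SMS_APPS):
    """Flag packages that can take the SMS role and reach the network."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    sms_capable = SMS_ROLE_ACTIONS <= actions   # all four handlers declared
    has_net = "android.permission.INTERNET" in perms
    return {
        "package": package,
        "sms_role_capable": sms_capable,
        "has_internet": has_net,
        "flag": sms_capable and has_net and package not in allowlist,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flag is a reason to review the app, not a verdict: legitimate messaging apps match the same pattern, which is why the allowlist exists.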

The GXC Team’s tactics represent a new frontier in cybercrime, blending advanced technology with traditional fraud methods to create a highly effective phishing ecosystem.

To combat this sophisticated threat, organizations must:

Ensure staff recognize phishing attempts and understand the dangers of downloading unknown apps.

Use strong MFA methods that aren't solely SMS-based to protect sensitive accounts.

Conduct frequent assessments of security measures and third-party vendor practices to identify vulnerabilities.