
GXC Team Uses AI To Launch Advanced Phishing Attacks

GXC Team, a Spanish-speaking cybercrime group, has been discovered using phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level.

GXC Team has been under monitoring by Singapore-based cybersecurity firm Group-IB since January 2023. The company highlights GXC Team’s crimeware as a “sophisticated AI-powered phishing-as-a-service platform” capable of targeting customers of over 36 Spanish banks, federal organisations, and thirty global institutions.

This unusual system allows fraudsters to perform sophisticated phishing attacks on a wide spectrum of targets, making it a significant threat to privacy and security.

The cost of their phishing kits ranged from $150 to $900, and a package that included the kit plus malware for Android was available for around $500 each month.

The GXC Team’s campaign targets several sectors: banks, cryptocurrency exchanges, e-commerce sites, tax and government services, and customers of Spanish financial institutions.

They operate in the US, UK, Slovakia, and Brazil. Authorities have so far discovered 288 phishing domains associated with this operation, demonstrating their impact and reach.

The Advanced AI Phishing Campaign of the GXC Team (Group-IB)

The GXC Team provided customers with a comprehensive suite of phishing resources, including fully configured phishing websites and domain names that frequently resembled actual bank domains.

Attackers managed the technical setup, including the infrastructure required for these harmful actions. This made it easy for less technical malicious actors to launch successful attacks as well, because everything was ready to go.

The Multi-Pronged Attack Strategy of the GXC Team

What set the GXC Team’s tooling apart was the way it combined SMS OTP stealer malware with phishing kits. This technique led users to believe they were downloading a banking application, all while the lure posed as protection against a “phishing attack”.

After installation, the application changed the SMS permissions, enabling the attackers to redirect SMS messages from the target device to a Telegram bot they managed.

Furthermore, attackers might use the AI-powered voice caller included in the phishing kits developed by the GXC Team to automatically contact victims and persuade them to install malicious applications or disable their two-factor authentication (2FA) credentials.

AI-Powered Voice Bot Developed by GXC Team for Automated OTP Phishing Attacks (Group-IB)

The GXC Team launched a complex attack on some financial institutions by creating phishing websites that led victims to believe they were installing authentic Android banking apps.

These fake apps closely mimicked authentic banking apps, reusing their design and trademarks. After installation, the applications asked victims to grant them permission to handle SMS messages.

Once set as the default SMS handler, the app could read, forward, and delete messages without the user’s knowledge. The victim might then engage with the bank normally as the app would take them to the real website.

A Detailed Analysis of the GXC Phishing Scheme and OTP Theft Process

At the same time, the Android malware would secretly record and transfer OTP messages to an attacker-controlled Telegram conversation whenever the attacker made an OTP request.
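As an added defensive example (not Group-IB’s analysis or any GXC Team code), the following Python triage script checks an AndroidManifest.xml for the combination the text describes: the components Android requires of a default SMS handler, SMS read/receive permissions, and network access to carry the intercepted OTPs out. The manifest inside it is a constructed stand-in for the fake banking app, not a real sample.

```python
"""Static triage for the default-SMS-handler OTP-theft pattern described above.
Added example (not Group-IB's or GXC Team's code); the manifest below is constructed."""
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"  # prefix of android:* attributes
# Android grants the default-SMS-app role only to apps declaring all of these
# (plus a SENDTO activity for sms/smsto); a banking app never needs that role.
SMS_ROLE_ACTIONS = {"android.provider.Telephony.SMS_DELIVER",
                    "android.provider.Telephony.WAP_PUSH_DELIVER",
                    "android.intent.action.RESPOND_VIA_MESSAGE"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def role_components(root):
    # Collect every intent-filter action and the data schemes of SENDTO filters.
    actions, schemes = set(), set()
    for flt in root.iter("intent-filter"):
        acts = {a.get(NS + "name") for a in flt.findall("action")}
        if "android.intent.action.SENDTO" in acts:
            schemes |= {d.get(NS + "scheme") for d in flt.findall("data")}
        actions |= acts
    return actions, schemes

def triage_manifest(manifest_xml):
    """Return findings for one AndroidManifest.xml; an empty list means no indicators."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    actions, schemes = role_components(root)
    findings = []
    if SMS_ROLE_ACTIONS <= actions and schemes & {"sms", "smsto"}:
        findings.append("eligible for default SMS handler role: can read, forward and delete all SMS")
    if perms & SMS_PERMS:
        findings.append("requests SMS read/receive permissions")
    if findings and "android.permission.INTERNET" in perms:
        findings.append("SMS access combined with network access: OTP exfiltration path")
    return findings

# Constructed manifest mimicking the fake banking app described above (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <service android:name=".QuickReply" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
  </application>
</manifest>"""
```

A legitimate banking app should produce no findings; the default-SMS-handler finding is the one that matters most, because that role is what lets the app read, forward and delete every message.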

In a report published last month, security researcher Mr.d0x drew attention to a serious vulnerability in progressive web applications (PWAs) that attackers may take advantage of: by altering the user interface, attackers can generate realistic-looking login pages with a false URL, which makes phishing attacks more convincing.

Moreover, advanced AiTM (Adversary-in-the-Middle) phishing kits can be used to breach passkey-protected accounts. This is executed through the use of an “authentication method redaction attack,” which takes advantage of the fact that, even with passkeys enabled, certain online services still provide less secure backup authentication methods.

Attacks using artificial intelligence (AI) have become increasingly complex and serious. Artificial intelligence-powered phishing kits can create highly customised emails using public data from social media and other sources, making them more difficult to identify.

Attackers can modify their strategies in real time to increase their chances of success, and deepfake technology makes it possible to create highly realistic voice and video impersonations, which boosts the accuracy of social engineering.

More sophisticated security measures are needed to keep up with the ever-changing threat landscape and these dynamic phishing attacks.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.
