Meta Platforms, Microsoft, and the U.S. Department of Justice (DoJ) have announced independent actions to tackle cybercrime and disrupt services that enable scams, fraud, and phishing attacks.
To that end, Microsoft’s Digital Crimes Unit (DCU) said it seized 240 fraudulent websites associated with an Egypt-based cybercrime facilitator named Abanoub Nady (aka MRxC0DER and mrxc0derii), who advertised for sale a phishing kit called ONNX. Nady’s criminal operation is said to date as far back as 2017.
“Numerous cybercriminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts,” Microsoft DCU’s Steven Masada said.
“While all sectors are at risk, the financial services industry has been heavily targeted given the sensitive data and transactions they handle. In these instances, a successful phish can have devastating real-world consequences for the victims.”
ONNX, offered under the phishing-as-a-service (PhaaS) model for anywhere between $150 per month to $550 for six months, was documented earlier this June by EclecticIQ, detailing the phishing kit’s ability to serve QR codes embedded within PDF files that ultimately direct victims to fake Microsoft 365 login pages.
It’s worth noting that Nady’s identity was exposed by DarkAtlas around the same time, prompting them to abruptly cease their activities. Microsoft has been tracking the owner and operator of ONNX under the moniker Storm-0867.
Subsequently, It was also the subject of an alert from the U.S. Financial Industry Regulatory Authority (FINRA), which warned that financial institutions were being targeted by the ONNX kit, stating it can circumvent two-factor authentication (2FA) by intercepting 2FA requests.
According to Microsoft, the PhaaS platform also went by other names like Caffeine and FUHRER, allowing customers to conduct phishing campaigns at scale. The kits, promoted, sold, and configured almost exclusively through Telegram, contained phishing templates and the associated technical infrastructure.
The tech giant said it obtained a civil court order in the Eastern District of Virginia to neutralize the malicious technical infrastructure, effectively severing threat actors’ access and preventing these domains from being used for phishing attacks in the future.
Microsoft’s co-plaintiff in its legal fight is LF (Linux Foundation) Projects, LLC, which is the trademark owner of ONNX, short for Open Neural Network Exchange, an open-source runtime for representing machine learning models.
The development comes as the DoJ publicized the shutdown of PopeyeTools, a marketplace that dabbled in the sale of stolen credit cards and other tools for carrying out financial fraud. In tandem, charges have been unsealed against three of its administrators from Pakistan and Afghanistan: Abdul Ghaffar, 25; Abdul Sami, 35; and Javed Mirza, 37.
All three individuals have been charged with conspiracy to commit access device fraud, trafficking access devices, and solicitation of another person for the purposes of providing access devices. If convicted, they face a maximum penalty of 10 years in prison on each of the three access device offenses.
The marketplace (www.PopeyeTools.com, www.PopeyeTools.co.uk, and www.PopeyeTools.to), per the DoJ, functioned as an online hub for selling sensitive financial data and other illicit tools since 2016, attracting thousands of users across the world, including those associated with ransomware activity.
PopeyeTools is estimated to have sold the access devices and personally identifiable information (PII) of at least 227,000 individuals and generated at least $1.7 million in revenue. Its motto was “We Believe in Quality Not Quantity.”
Some of the services advertised included unauthorized payment card data to perform fraudulent transactions, stolen bank account information, email spam lists, scam templates, educational guides, and tutorials.
“To attract members to the marketplace, PopeyeTools allegedly promised to refund or replace purchased credit cards that were no longer valid at the time of sale,” the DoJ said. “In addition, at different times, PopeyeTools provided customers with access to services that could be used to check the validity of bank account, credit card, or debit card numbers offered through the website.”
The department further said it obtained judicial authorization to seize approximately $283,000 worth of cryptocurrencies from a cryptocurrency account managed by Sami.
Coinciding with the seizures of ONNX and PopeyeTools, Meta announced that it took down over two million accounts associated with scam centers in Cambodia, Myanmar, Laos, the United Arab Emirates and the Philippines that were used to pull off pig butchering schemes.
The fraudulent operations, which take place out of scam compounds in Southeast Asia, are run by organized crime syndicates, and often involve building trusted personal and romantic relationships online with prospective targets globally using social media platforms and dating apps, manipulating them to deposit their hard-earned funds into bogus investments.
“These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse,” Meta said.
Back in May, the company teamed up with Coinbase, Ripple, and Match Group, which owns Tinder and Hinge, to form a coalition called Tech Against Scams that aims to devise ways to counter the transnational threat and other forms of online fraud. Google, for its part, has partnered with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) with similar goals in mind.
