Spanish Police Bust Phishing Group that Emptied 146 Bank Accounts

Colin Thierry

The Spanish police announced on Wednesday the arrest of 13 people and the launch of investigations into another seven for their participation in a phishing scheme that stole online bank credentials.

The threat actors used phishing lures to deceive their victims into believing they received an alert from their bank and then proceeded to steal their account credentials.

After accessing the bank accounts, the cybercriminals used the victims’ money to make online purchases, direct transfers to “money mule” accounts, or request personal loans.

The police said the threat actors stole at least 443,600 Euros ($466,000) from approximately 146 victims as part of their phishing attacks.

“The operation, carried out in several phases between January 2019 and April of this year, has ended with the arrest of 13 people — and another 7 investigated but not detained — in A Coruña, Córdoba (5), Huelva, Madrid (2), Málaga, Murcia, Palma de Mallorca and Terrassa (Barcelona),” said Spain’s Policia Nacional in Wednesday’s press release.

The police first opened the investigation in 2018 when complaints were submitted both by victims and the impersonated bank. They noticed unauthorized purchases in electronic stores in foreign countries (most often in France).

The subsequent investigation uncovered the use of VPNs (virtual private networks) to make it appear as though the threat actors were based in Morocco, France, Germany, or the US.

For their phishing attacks, the threat actors sent out fake “security alerts” via email that claimed there were problems with bank cards and accounts.

The links provided for “resolving” the issue instead took the victims to a phishing site that spoofed the bank’s actual website and tricked them into entering their login credentials.

After obtaining the credentials, the threat actors accessed the accounts and changed the client’s mobile number to one under their control in order to bypass two-factor authentication protections.

“Likewise, this modus operandi allowed them to access the victims’ bank details and receive the Keys for Secure Electronic Commerce (CES) necessary to complete operations on the telephone line controlled by the members of the organization,” the police explained.

The threat actors then funneled the stolen money through a network of money mules and sent cash through direct cash-transfer services to the Ivory Coast.
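The sequence described above (a contact-number change followed shortly by loan requests, purchases or transfers) is something a bank can look for in its own account event log. The following Python example is an addition to this article, not code from the police release or the author; the event names, the 24-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, event, detail)
EVENTS = [
    ("2024-03-01T09:00", "acct-A", "login", "ES"),
    ("2024-03-01T09:05", "acct-A", "transfer", "known-payee"),
    ("2024-03-02T22:10", "acct-B", "login", "MA"),
    ("2024-03-02T22:14", "acct-B", "phone_change", ""),
    ("2024-03-02T22:31", "acct-B", "loan_request", ""),
    ("2024-03-03T01:02", "acct-B", "transfer", "new-payee"),
    ("2024-03-04T10:00", "acct-C", "phone_change", ""),
    ("2024-03-09T10:00", "acct-C", "transfer", "new-payee"),
]

# Hypothetical event names for the operations the article lists.
HIGH_RISK = {"loan_request", "card_purchase", "transfer"}
WINDOW = timedelta(hours=24)  # assumed cooling-off period after a number change


def is_high_risk(event, detail):
    # Transfers to an already-known payee are treated as routine.
    return event in HIGH_RISK and not (event == "transfer" and detail == "known-payee")


def flag_post_change_activity(events, window=WINDOW):
    """Return (account, event, minutes_since_change) for each high-risk
    operation that follows a phone-number change within `window`."""
    last_change = {}
    alerts = []
    # ISO timestamps sort chronologically as strings.
    for ts, account, event, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "phone_change":
            last_change[account] = when
        elif account in last_change and is_high_risk(event, detail):
            elapsed = when - last_change[account]
            if elapsed <= window:
                alerts.append((account, event, int(elapsed.total_seconds() // 60)))
    return alerts


if __name__ == "__main__":
    for alert in flag_post_change_activity(EVENTS):
        print(alert)
```

An alert from a rule like this is a reason to hold the operation and confirm it with the customer over a channel registered before the number change.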

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.