Image source: INTERPOL
Three members of a cybercriminal gang that has attacked more than 50,000 organizations have been arrested in Lagos, Nigeria. The arrests come at the end of a year-long investigation into the prolific business email compromise (BEC) scammers by INTERPOL, Group-IB, and the Nigerian Police Force.
The three gang members arrested are believed to be responsible for phishing scams, BEC attacks, and malware distribution targeting tens of thousands of organizations and companies around the world. So far, more than 50,000 victims of the gang in more than 150 countries have been identified, with attacks dating back to 2017.
The arrested gang members are believed to be part of a larger organized cybercrime group. The group, named TMT by Group-IB, is alleged to have created phishing links and domains and conducted mass mailing campaigns to distribute phishing emails impersonating representatives of many organizations. One of the main aims of the emails was to distribute malware, with the gang known to have distributed at least 26 different types of malware, including LokiBot, AgentTesla, Azorult, and the Nanocore and Remcos Remote Access Trojans.
The malware variants used were either freely available on hacking forums or could be purchased cheaply. Keyloggers and information stealers were used to steal credentials from browsers, FTP clients, and email accounts. The compromised email accounts were subsequently used to send further phishing emails and for business email compromise attacks, where individuals were tricked into making fraudulent wire transfers.
An analysis of the computers used by the three suspects confirmed their involvement in the attacks. The organization is divided into various subgroups, each responsible for a specific part of the operation, from the initial infiltration through to cashing in on the attacks. The operation is ongoing, but the members of the other subgroups currently remain at large.
In a recent report about its involvement in “Operation Falcon,” Group-IB researchers explained that the arrested gang members used the Gammadyne Mailer and Turbo-Mailer email automation tools for sending their phishing and malspam emails, and MailChimp to track whether the messages had been opened by recipients.
“This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation,” said Craig Jones, INTERPOL’s Cybercrime Director.