Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe.
The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation, the Civil Guard said in a statement.
“Through malicious software, installed on the victim’s computer by the technique known as ’email spoofing’, [the group] would have managed to divert large amounts of money to their accounts,” authorities noted.
Computer equipment, mobile phones, and documents were confiscated, and more than 1,800 spam emails were analyzed, enabling law enforcement to block transfer attempts totaling €3.5 million successfully. The campaign is said to have netted the actors €276,470, of which €87,000 has been successfully recovered.
As part of an effort to lend credibility to their phishing attacks, the operators worked by sending emails under the guise of legitimate package delivery services and government entities such as the Treasury, urging the recipients to click on a link that stealthily downloaded malicious software onto the systems.
The malware — dubbed “Mekotio” and “Grandoreiro” — functioned by intercepting transactions on a banking website to unauthorizedly siphon funds to accounts under the attackers’ control. At least 68 email accounts belonging to official bodies were infected to facilitate such fraudulent transfers.
“After that, the money was diversified by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder the possible police investigation,” the Civil Guard said.
Grandoreiro is part of a Tetrade of Brazilian banking trojans as detailed by cybersecurity firm Kaspersky in July 2020, while Mekotio’s evolving tactics were disclosed by ESET in August 2020, which involved displaying fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.
“These windows are carefully designed to target Latin American banks and other financial institutions,” the Slovak cybersecurity company had noted.
To avoid falling prey to such attacks, the agency is recommending that email and SMS recipients scrutinize messages carefully, particularly if it is about entities with urgent requests, promotions, or very attractive bargains, while also taking steps to be on the lookout for grammatical errors and ensure the authenticity of the sender of the message.