Since the beginning of 2020, Dutch and Belgian residents have been increasingly targeted by financially motivated cybercriminals looking to obtain access to their bank accounts. In many strikingly similar cases, fraudsters reach out to victims via email, SMS, or WhatsApp messages to deliver fake notifications containing malicious links pointing to a phishing site. The phishing pages, detected by Group-IB Threat Intelligence & Attribution system, are almost identical and disguised to look like legitimate banking websites of the biggest local financial organizations with the goal of tricking unsuspecting victims into providing their personal and banking information.
Having analyzed the technical infrastructure and phishing templates used in these fraudulent campaigns, Group-IB Threat Intelligence and Cyber Investigations teams uncovered a massive Fraud-as-a-Service operation. Our researchers identified a Dutch-speaking criminal syndicate, codenamed Fraud Family by Group-IB, which develops, sells and rents sophisticated phishing frameworks to other cybercriminals targeting users mainly in the Netherlands and Belgium. The phishing frameworks allow attackers with minimal skills to optimize the creation and design of phishing campaigns to carry out massive fraudulent operations all the while bypassing 2FA.
Fraud Family advertises its services and interacts with fellow cybercriminals on the Telegram messenger. The criminal syndicate has likely been active since at least 2020. However, phishing kits similar to those advertised by the group were already used to target Dutch residents as early as 2018. Group-IB shared its findings with the Dutch Police immediately upon discovery and notified the organizations whose names are being abused by fraudsters. The probe initiated as a consequence resulted in the arrest of two individuals by the Dutch Police.
The arrested suspects, a 24-year-old man and a 15-year-old man, are thought to be the developer and seller of the Fraud Family phishing framework. The 24-year-old suspect will be arraigned before the examining magistrate in Rotterdam on Friday, July 23, while his 15-year-old accomplice has since been released pending further investigation.
This blog post analyzes the methods and techniques used by Fraud Family's shady customers, Fraud Family's technical infrastructure, and their phishing panels. Group-IB researchers also describe how Fraud Family attracts customers and interacts with fellow criminals. The post provides comprehensive recommendations to regular users on how not to fall prey to this type of attack.