While analyzing a massive phishing campaign aimed at stealing payment data of Dutch residents, the researchers from the Group-IB Computer Emergency Response Team
(CERT-GIB) discovered an approach previously unseen in the Netherlands that allows cybercriminals to limit access to phishing websites to only potential victims. By doing this, they ultimately increase the success rate of their fraudulent operations. According to CERT-GIB data, an average phishing page's lifespan is about 24 hours; the phishing pages that used the new approach lived six days on average.
Group-IB analysts identified multiple phishing websites impersonating Dutch financial organizations that are part of a single network of more than 750 connected domains
. The phishing infrastructure was first seen in March 2021
and remains active until today. The campaign was codenamed RUNLIR
by Group-IB researchers, as it uses RU, NL and IR in the domain naming pattern. As part of the analysis, Group-IB researchers also observed a very unconventional "Cut the card" phishing scheme that requires fraudsters' efforts both online and offline.
RUNLIR uses the combination unique for the Netherlands that involves the BlackTDS
anti-bot service, the notorious bulletproof hosting services of Yalishanda
and different versions of the uAdmin
phishing kit. This approach ensures that their phishing pages are only shown to victims and not to security professionals.
The cybercriminals use this approach as it allows them to distinguish between unsuspecting victims and security researchers by checking if the page viewer is connecting using a Dutch mobile network to narrow down their reach. Nevertheless, Group-IB researchers quickly established the necessary access conditions and upgraded their Threat Intelligence & Attribution system with a specific proxy server to bypass these restrictions. The approach, discovered by Group-IB CERT analysts, is new and has not been seen in phishing attacks in the Netherlands in the past.
This blog post offers a comprehensive analysis of the unusual phishing campaign in which the unconventional approach was first seen and a detailed description of it.