Person with hands handcuffed behind back

The Spanish police have announced the arrest of 13 people and the launch of investigations on another seven for their participation in a phishing ring that stole online bank credentials.

The threat actors used phishing lures to trick their victims into believing they received an alert from their bank and proceeded to steal their account credentials.

Having access to banking accounts, the adversaries used their victims’ money to make online purchases, direct transfers to “money mule” accounts, or request personal loans.

The police say the threat actors stole at least 443,600 Euros ($466,000). from approximately 146 victims as part of these phishing attacks.

“The operation, carried out in several phases between January 2019 and April of this year, has ended with the arrest of 13 people -and another 7 investigated but not detained- in A Coruña, Córdoba (5), Huelva, Madrid (2), Málaga, Murcia, Palma de Mallorca and Terrassa (Barcelona).” – Policia Nacional.

The police opened the investigation in 2018 when the first complaints were submitted both by victims and by the impersonated bank, who noticed unauthorized purchases in electronic stores in foreign countries, most often in France.

The subsquent investigation uncovered the use of VPNs (virtual private networks) to make it appear as if the threat actors were based in Morocco, France, Germany, or the USA.

As part of the phishing attack, the threat actors sent out fake “security alerts” via email, claiming there were problems with bank cards and accounts.

The links provided for supposedly resolving the issue took the victims to a phishing site that masqueraded the bank’s actual website, tricking them into entering their login credentials.

Having those credentials, the threat actors accessed the accounts and changed the client’s mobile number to one under their control to bypass two-factor authentication protections.

“Likewise, this modus operandi allowed them to access the victims’ bank details and receive the Keys for Secure Electronic Commerce (CES) necessary to complete operations on the telephone line controlled by the members of the organization,” the police explained.

The threat actors then moved the stolen money through a network of money mules that were often extorted to take part in the scheme, sending cash through direct cash-transfer services to the Ivory Coast.

In November 2021, the Spanish police uncovered another local crime network that used money mules to direct funds to Benin, so using African countries to evade scrutiny seems common among Spanish cyber-criminals.

Source: www.bleepingcomputer.com