neo net targeted countries

Unmasking Neo_Net: How a Mexican Threat Actor Targeted Global Banks

A cybercrime campaign, launched by a Mexican threat actor known as “Neo_Net” has been revealed in a recent collaborative study of vx-underground and SentinelOne.

This campaign primarily targeted clients of financial institutions, focusing on Spanish and Chilean banks, between June 2021 and April 2023.

Despite employing relatively unsophisticated tools, Neo_Net achieved remarkable success as the campaign resulted in the theft of over 350,000 EUR from victims’ bank accounts.

Neo_Net Campaign Targeted Financial Institutions

Neo_Net’s eCrime campaign targeted prominent banks worldwide, with a particular emphasis on Spanish and Chilean financial institutions.

Thirty of the 50 targeted institutions, including prominent names such as Santander, BBVA, and CaixaBank, were headquartered in Spain or Chile.

Other banks in the region were also targeted by the threat actor, including Deutsche Bank, Crédit Agricole, and ING.

Neo_Net’s targeted countries (Source: SentinelOne)

Neo_Net Attack Strategy and Infrastructure

Neo_Net’s campaign follows a “multi-stage attack strategy”, that initiates with SMS phishing messages sent throughout Spain and additional countries.

To create an illusion of authenticity, Neo_Net employed Sender IDs (SIDs) and mimicked reputable financial institutions in these messages.

The phishing pages created by Neo_Net closely resembled genuine banking applications, incorporating animations and employing defensive measures to evade detection.

Neo_Net’s Phishing pages (Source: SentinelOne)

Neo_Net has established a strong and extensive infrastructure that included phishing panels, Android trojans, and Smishing software.

The threat actor rented out this infrastructure to multiple affiliates, sold compromised victim data to third parties, and launched Ankarex, a successful Smishing-as-a-Service platform.

The Role of Ankarex

Ankarex, created by Neo_Net, is a Smishing-as-a-Service platform operating since May 2022.

It boasts approximately 1,700 subscribers and enables users to launch their own Smishing campaigns by specifying the SMS content and target phone numbers.

The platform has targeted multiple countries and has served as a hub for Neo_Net’s criminal activities.

Ankarex target countries and prices list (Source: SentinelOne)

Neo_Net’s Operations and Collaboration

Neo_Net has been traced back to several IP addresses in Mexico and primarily operates in Spanish-speaking countries.

The threat actor has also been linked to the forum, suggesting collaboration with individuals from the forum to establish his infrastructure.

Communication within the Ankarex channel and other operations is predominantly conducted in Spanish, but Neo_Net also collaborates with non-Spanish speakers.

Neo_Net’s Telegram Profile (Source: SentinelOne)

Success and Impact

Despite the use of relatively unsophisticated tools, Neo_Net’s campaign resulted in the theft of over 350,000 EUR from victims’ bank accounts.

Additionally, thousands of victims had their Personally Identifiable Information (PII) compromised.

According to the report,

The success of the campaigns can be attributed to their highly targeted nature, with a focus on specific banks, and the replication of bank communications to impersonate legitimate agents.

For more news and Updates on Cybersecurity, visit The Cybersecurity Club.

Two Russian Nationals Charged For Conspiring To Hack The Taxi Dispatch System At JFK Airport

Cyber Attack Targets Blizzard Entertainment, Reasons Unknown

CISA Issues Warning: Critical Vulnerabilities in Ivanti’s Endpoint Manager Mobile

Xenomorph Banking Trojan: Targets 35+ US Financial Institutions