Neo_Net: The Hispanic Hacker Behind a Series of Financial Institution Attacks
SentinelOne experts have linked the attacker, known as Neo_Net, to a series of attacks on financial institutions around the world, with a special focus on Spanish and Chilean banks. The campaign ran from June 2021 to April 2023 using SMS phishing and Android malware.
The analysis of Neo_Net activity was published jointly with vx-underground as part of the Malware Research Challenge, in which security researchers were invited to showcase previously unpublished work, showcase their talents, and bring their ideas to a wider audience.
Targets of Neo_Net
According to the researchers, Neo_Net’s main targets were banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole and ING.
Neo_Net’s Tactics
Neo_Net is a Hispanic hacker based in Mexico who has proven himself to be a skilled cybercriminal. It mainly specializes in selling phishing panels and data stolen from victims to third parties, and also offers smishing (SMS phishing) as a service under the “brand” Ankarex.
The starting point for multi-stage Neo_Net attacks is often smishing, for which the hacker uses various scare tactics. The attacker seeks to deceive message recipients and force them to go to fake landing pages, thus obtaining and stealing their credentials through a Telegram bot.
“The phishing pages are carefully configured using the Neo_Net, PRIV8 panels, and come with numerous security measures, including blocking requests from non-mobile user agents and hiding pages from bots and web crawlers,” the experts write.
The attackers also tricked bank customers into installing malicious apps for Android, passing them off as security software. Once installed, this malware requested permission to access SMS in order to receive two-factor authentication (2FA) codes sent by the bank.
Regarding the Ankarex platform, it has been active since May 2022. It is actively advertised in the Telegram channel, which at the time of this writing had about 1,700 subscribers.
“The service itself is available on ankarex[.]net, and after registration, users can deposit funds using cryptocurrency transfers and launch their own smishing campaigns by specifying the content of SMS messages and target phone numbers,” experts say.
The researchers conclude that Neo_Net is quite successful despite using relatively simple tools. Its effectiveness is built on tailoring the infrastructure to specific targets, and as a result, these campaigns have led to the theft of more than 350,000 euros from the bank accounts of the victims and the compromise of the personal data of several thousand people.
Neo_Net: The Hispanic Hacker Behind a Series of Financial Institution Attacks
Financial institutions around the world have been the target of a series of attacks by a Hispanic hacker known as Neo_Net. The campaign ran from June 2021 to April 2023 using SMS phishing and Android malware, and had a special focus on Spanish and Chilean banks.
SentinelOne experts and vx-underground have jointly published an analysis of Neo_Net activity as part of the Malware Research Challenge. The challenge invited security researchers to showcase previously unpublished work, showcase their talents, and bring their ideas to a wider audience.
Targets of Neo_Net
According to the researchers, Neo_Net’s main targets were banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole and ING.
Neo_Net’s Tactics
Neo_Net is a Hispanic hacker based in Mexico who has proven himself to be a skilled cybercriminal. It mainly specializes in selling phishing panels and data stolen from victims to third parties, and also offers smishing (SMS phishing) as a service under the “brand” Ankarex.
The starting point for multi-stage Neo_Net attacks is often smishing, for which the hacker uses various scare tactics. The attacker seeks to deceive message recipients and force them to go to fake landing pages, thus obtaining and stealing their credentials through a Telegram bot.
“The phishing pages are carefully configured using the Neo_Net, PRIV8 panels, and come with numerous security measures, including blocking requests from non-mobile user agents and hiding pages from bots and web crawlers,” the experts write.
The attackers also tricked bank customers into installing malicious apps for Android, passing them off as security software. Once installed, this malware requested permission to access SMS in order to receive two-factor authentication (2FA) codes sent by the bank.
Regarding the Ankarex platform, it has been active since May 2022. It is actively advertised in the Telegram channel, which at the time of this writing had about 1,700 subscribers.
“The service itself is available on ankarex[.]net, and after registration, users can deposit funds using cryptocurrency transfers and launch their own smishing campaigns by specifying the content of SMS messages and target phone numbers,” experts say.
The researchers conclude that Neo_Net is quite successful despite using relatively simple tools. Its effectiveness is built on tailoring the infrastructure to specific targets, and as a result, these campaigns have led to the theft of more than 350,000 euros from the bank accounts of the victims and the compromise of the personal data of several thousand people.
Neo_Net is a sophisticated hacker who has been able to successfully target financial institutions around the world. His tactics of using SMS phishing and Android malware have proven to be effective, and his Ankarex platform has been used to launch smishing campaigns and steal data from victims.
The researchers urge financial institutions to be aware of the threat posed by Neo_Net and to take steps to protect their customers from his attacks. Banks should ensure that their customers are aware of the dangers of smishing and other forms of phishing, and should also take measures to protect their customers’ data from being stolen. Banks should also ensure that their security systems are up to date and that they are able to detect and respond to any suspicious activity.