Skip to main content

ICEMAN: Banks holes like in Cheese

Operation "Emmenthal" is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.

By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.

The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported "Emmental" attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

What was your goal of the attack?

We need more bank accounts to sell. The beauty of what we do with “Emmental”, like you call it is that we can now aim at high-end customers. That’s much bigger than the people we usually scam. Also, this whole attack was a huge challenge, we wanted to see if we could overcome something tough (security wise) and on the way make some real money. I’m the one who wrote the core of the app, perhaps.

Was it all your idea?
Not really, some other guys on the web shared their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting banks worldwide.

How many of these operations are you doing at the same time?

U mean different banks? Several. We mass email and mass SMS which basically sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on.

Where do you get information about potential targets?
Easily, we have fake identities which are established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things.

Such as?
For example let’s just say that companies signing mechanisms are not a wall for us as they are for other hackers.

I see, but once you get to their phone, do you need to operate each target?
Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained.

How many attacks did you already do?

Depends on what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing other attacks that were already reported, but I’m not really gonna say anything about them. All I say is… just wait you will see.

How could you fake an app without the bank's attention?
They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcements take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win.

Where did you get your C2 servers? Are they yours?

For the special operations, we use unique methods we developed in house, but for most activity we use a chain of hacked servers and rented cloud services.

How do you pay for cloud services?
More and more companies accepts BTC, in the past it was harder.
For some ops we use our “companies” we established.

What about the language barrier? You seemed to impersonate banks worldwide.
Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise

What artifacts from the attack can you reveal me?
I’ll send u some screen-shots later on if my guys will approve it

Does your teammates have different roles? Or is everyone doing everything?
I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly work on “speared marketing”, general programming, UI and such. We’re like a small international startup company.

Are you all sitting together?
Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good.

What kind of mails do you send to your victims?

Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it, since he likes it, and then we unleash our RAT on him.

Is this operation similar to Banrisul?

We don’t talk about Banrisul anymore

What are your expectations for the future and where do you want to go?

I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly nobody has a f**king clue on how to take us down... My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…

Besides the questions above, many other questions asked were not given answers, or simply ignored. We will update on any news from our contact at the ICEMAN group.

ICEMAN group.


Popular posts from this blog

NanoCore developper busted and senteced for 33 months

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercrimina…

ICEMAN : Infecting Crystal Finance Millennium

Iceman gang member confirms that they are behind the introduction and spreading of malwares that have affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a political based attack? Read more to find out.
I’ve had a chance to speak to one of the gang member on XMMP and he confirmed that the Iceman group is behind this attack. They started by a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company. He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

KillaMuvz: Undercovered british hacker

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services. The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.
Such kind of platforms allows crooks to improve the development of their malicious codes. The malware created with the Esteves’ malware services would not be detected by antivirus software.
Esteves that was used the moniker ‘KillaMuvz’ is the creator of Cryptex tool commonly used by vxers to encrypt their files in an effort to avoid the detection. The first version of Cryptex was released in October 2011 and was continuously improved.
According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12. “A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) a…