Last week, the Cyber Police of Ukraine disclosed that it had apprehended nine members of a criminal gang that embezzled 100 million hryvnias via hundreds of phishing sites. The sites claimed to offer financial assistance to Ukrainian citizens, as part of a campaign aimed at capitalising on the ongoing conflict.
The agency said in a press statement that “criminals created more than 400 phishing links to obtain bank card data of citizens and appropriate money from their accounts. The perpetrators may face up to 15 years behind bars.”
The law enforcement operation ended in the seizure of computer equipment, bank cards, mobile phones, as well as the criminal proceeds illicitly obtained through the scheme.
Some of the rogue domains registered by the actors included ross0.yolasite[.]com, foundationua[.]com, and euro24dopomoga0.yolasite[.]com, among others.
The malicious landing pages, built to siphon victims' banking information, posed as surveys made to look like an application for payment of financial assistance from E.U. countries. This highlights the opportunistic nature of the social engineering attack.
Once bank details had been obtained, the threat actors logged into the accounts without authorisation and fraudulently withdrew money totalling more than 100 million hryvnias ($3.37 million) from over 5,000 citizens.
The distribution vector used to propagate the links is not clear. It could have been any of several methods, including SMS phishing scams (smishing), direct messages on social media apps, spam emails, SEO poisoning, or seemingly benign ads.
The agency has warned citizens to “obtain information about financial payments only from official sources, not to click on dubious links, and in no case to communicate confidential, in particular banking, information to third parties or to indicate such data on suspicious resources.”