Microsoft’s Digital Crimes Unit (DCU) has seized websites used to sell phishing kits developed by Abanoub Nady. Those kits enabled widespread phishing attacks across many sectors, financial services in particular, and caused significant financial losses for victims.
Researchers observe that a large share of the phishing emails seen each month originate from do-it-yourself kits such as ONNX. ONNX, a phishing-as-a-service (PhaaS) offering, ranked among the top five phish kit providers in the first half of 2024; disrupting it is part of the DCU’s broader effort to attack the cybercriminal supply chain rather than individual campaigns, which protects users from a wide range of downstream threats.
Cybercriminals increasingly use adversary-in-the-middle (AiTM) phishing to defeat MFA. Instead of a static fake login page, the phishing site acts as a reverse proxy between the victim and the real service: it relays the credentials and the MFA step to the legitimate site in real time, then captures the session cookie issued after MFA succeeds. Replaying that cookie gives the attacker an authenticated session without ever being challenged for a second factor.
FINRA warns of a rise in AiTM attacks delivered through QR code phishing (“quishing”), where a QR code embedded in an email or document redirects the user to an impersonation domain. Because the malicious URL is encoded in an image rather than written as text, it slips past URL filters that only scan links, which is why this technique, on the rise since September 2023, remains a significant challenge for security vendors.
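The practical consequence of the AiTM flow above is that the stolen session cookie is used from the attacker’s infrastructure shortly after the victim completed MFA from their own network. The following script, an added example rather than code from the article or from Microsoft, shows the detection logic a SOC would run over sign-in logs: it flags any session ID that appears from a different ASN within a short window of the sign-in that created it. The log lines, field names (`sid`, `asn`, `event`) and the 30-minute window are constructed assumptions for illustration.

```python
"""Flag AiTM-style session-cookie replay in sign-in logs.

Added example with constructed data; not taken from the article.
An AiTM proxy relays the victim's login (including MFA) and captures the
resulting session cookie; the attacker then replays that cookie from their
own hosting. In logs this shows up as one session ID being used from two
different source networks within minutes of the MFA sign-in.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (JSON lines). Field names are assumed.
SAMPLE_LOG = """
{"ts":"2024-11-20T09:00:00Z","user":"alice@example.com","sid":"s-1","ip":"203.0.113.10","asn":"AS64496","event":"mfa_success"}
{"ts":"2024-11-20T09:01:30Z","user":"alice@example.com","sid":"s-1","ip":"198.51.100.77","asn":"AS64499","event":"session_use"}
{"ts":"2024-11-20T09:05:00Z","user":"bob@example.com","sid":"s-2","ip":"203.0.113.22","asn":"AS64496","event":"mfa_success"}
{"ts":"2024-11-20T09:40:00Z","user":"bob@example.com","sid":"s-2","ip":"203.0.113.22","asn":"AS64496","event":"session_use"}
{"ts":"2024-11-20T10:00:00Z","user":"carol@example.com","sid":"s-3","ip":"203.0.113.5","asn":"AS64496","event":"mfa_success"}
{"ts":"2024-11-20T18:00:00Z","user":"carol@example.com","sid":"s-3","ip":"192.0.2.9","asn":"AS64500","event":"session_use"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # "Z" suffix is replaced for compatibility with older fromisoformat().
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return alerts for sessions reused from a different ASN within `window`.

    The first event for a session ID records where it was established; any
    later use of the same session ID from another ASN inside the window is
    treated as a likely cookie replay. The window keeps ordinary roaming
    (e.g. a laptop moving networks hours later) from tripping the rule.
    """
    origin = {}   # sid -> event that established the session
    alerts = []
    for ev in events:
        sid = ev["sid"]
        if sid not in origin:
            origin[sid] = ev
            continue
        first = origin[sid]
        delta = ev["ts"] - first["ts"]
        if ev["asn"] != first["asn"] and delta <= window:
            alerts.append({
                "user": ev["user"],
                "sid": sid,
                "origin_ip": first["ip"],
                "replay_ip": ev["ip"],
                "delta_seconds": int(delta.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_events(SAMPLE_LOG)):
        print("possible AiTM cookie replay:", alert)
```

With the sample data only alice’s session fires: her cookie is used from a second network 90 seconds after MFA. Bob stays on one ASN and carol’s move happens eight hours later, outside the window; widening the window would catch carol too, at the cost of more false positives from legitimate roaming.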
The DCU disrupts the cybercriminal ecosystem by going after the tooling behind attacks rather than individual campaigns. The aim is to protect customers by denying bad actors the infrastructure they depend on, making their operations harder, costlier and riskier to run.
Together with the Linux Foundation, which holds the legitimate “ONNX” trademark for the open-source machine learning project, Microsoft is also taking legal action against the individuals and entities that use the “ONNX” name to distribute malicious software, both to disrupt the criminal activity and to protect the reputation of the genuine open-source project.
Microsoft has also publicly identified the individual behind the operation, Abanoub Nady, naming him in the hope of deterring similar activity.
Nady, operating under a number of aliases, has run large-scale phishing campaigns since 2017. His operation, sold under the fraudulent ONNX brand, offered tiered phishing kits together with support services that lowered the bar for other criminals.
Phishing kits are predominantly marketed, sold, and customized via Telegram, often accompanied by instructional videos on social media platforms that guide users on purchasing and deploying these malicious tools.
Customers buy a kit that bundles phishing templates with the fraudulent ONNX back-end infrastructure, then point their own custom domains at that infrastructure, which lets them launch and scale phishing campaigns without building anything themselves.
Microsoft, through a court order, has seized malicious infrastructure used by the fraudulent ONNX operation and its cybercrime customers, effectively disrupting their phishing attacks and preventing future misuse of these domains.
The legal action against the fraudulent ONNX service disrupts its operations for now, but cybercriminals adapt and new providers will emerge to fill the gap.
Protecting users and services against this threat therefore requires constant vigilance and continued improvement of both technical defenses and legal strategies.