The "ICEMAN" Group is branded as a rising name in financial cyber crime
“Operation Emmenthal” is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments, by taking actions (e.g. money transfers) on behalf of the legitimate user.
By phishing the desired clients with a mobile app which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.
The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported Emmental attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.
What was your goal of the process?
I guess the answer’s called for. We’re need more bank accounts to sell. The beauty of what we do with this “Emmental” like you call it is that we can now aim at high-paid customers. That’s much more than the people we usually scam
What is the motivation for the process?
Challenge, mostly. I mean, we get the bank’s client logs – passwords, usernames, everything that gets u inside an account - from almost every bank we choose to target. We wanted to see if we could overcome something tough and on the way make some real money. I’m the one who wrote the core of the app, for example
Was it all your idea?
Not really, some other guys on the web started sharing their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting bank after bank worldwide
How many of these operations are you doing at the same time?
U mean different banks? Several. We’ve got a mail and SMS server that’s basically just sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on
Where do you get information about potential targets? (name, phone number, email..)
Easily, we have fake identities we established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things..
Such as?
For example let’s just say that companies’ signing mechanisms are not a wall for us as they are for other common hackers
I see, but once you get to their phone, do you need to operate each target?
Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers spreaded on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained
How many attacks did you already make?
Depends what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing the other attacks that were reported, but I’m not really gonna say anything about them. All I say is… just wait. u’ll see
How could you fake an app without the bank's attention?
They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcements take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win
Where did you get your C2 servers? Are they yours?
For the special things we use unique methods we developed, but for most activity we use a chain of hacked servers and rented cloud services
How do you pay for cloud services?
More and more companies accepts BTC, in the past it was harder.
For some ops we use our “companies” we established
What about the language barrier? You seemed to impersonate banks worldwide.
Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise
What artifacts from the attack can you reveal me?
I’ll send u some screenshots later on if my guys will approve it
Does your teammates have different roles? Or is everyone doing everything?
I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly work on “speared marketing”, general programming, UI and such. We’re like a small international startup company :)
Are you all sitting together?
Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good
What kind of mails do you send to your victims?
Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it, since he likes it, and then we unleash our RAT on him.
Is this operation similar to Banrisul?
We don’t talk about Banrisul anymore
What are your expectations for the future and where do you want to go?
I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly nobody has a f**king clue on how to take us down... My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…
I understand. Thank you for your time.
U’re welcome man. After our next hit I’ll show u how to contact me.
Besides the questions above, many other questions asked were not given
By phishing the desired clients with a mobile app which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.
The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported Emmental attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.
What was your goal of the process?
I guess the answer’s called for. We’re need more bank accounts to sell. The beauty of what we do with this “Emmental” like you call it is that we can now aim at high-paid customers. That’s much more than the people we usually scam
What is the motivation for the process?
Challenge, mostly. I mean, we get the bank’s client logs – passwords, usernames, everything that gets u inside an account - from almost every bank we choose to target. We wanted to see if we could overcome something tough and on the way make some real money. I’m the one who wrote the core of the app, for example
Was it all your idea?
Not really, some other guys on the web started sharing their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting bank after bank worldwide
How many of these operations are you doing at the same time?
U mean different banks? Several. We’ve got a mail and SMS server that’s basically just sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on
Where do you get information about potential targets? (name, phone number, email..)
Easily, we have fake identities we established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things..
Such as?
For example let’s just say that companies’ signing mechanisms are not a wall for us as they are for other common hackers
I see, but once you get to their phone, do you need to operate each target?
Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers spreaded on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained
How many attacks did you already make?
Depends what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing the other attacks that were reported, but I’m not really gonna say anything about them. All I say is… just wait. u’ll see
How could you fake an app without the bank's attention?
They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcements take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win
Where did you get your C2 servers? Are they yours?
For the special things we use unique methods we developed, but for most activity we use a chain of hacked servers and rented cloud services
How do you pay for cloud services?
More and more companies accepts BTC, in the past it was harder.
For some ops we use our “companies” we established
What about the language barrier? You seemed to impersonate banks worldwide.
Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise
What artifacts from the attack can you reveal me?
I’ll send u some screenshots later on if my guys will approve it
Does your teammates have different roles? Or is everyone doing everything?
I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly work on “speared marketing”, general programming, UI and such. We’re like a small international startup company :)
Are you all sitting together?
Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good
What kind of mails do you send to your victims?
Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it, since he likes it, and then we unleash our RAT on him.
Is this operation similar to Banrisul?
We don’t talk about Banrisul anymore
What are your expectations for the future and where do you want to go?
I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly nobody has a f**king clue on how to take us down... My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…
I understand. Thank you for your time.
U’re welcome man. After our next hit I’ll show u how to contact me.
Besides the questions above, many other questions asked were not given
answers, or simply ignored. We will update on any news from our contact at the ICEMAN group
zepurplehat.blogspot.com
Comments
Post a Comment