Background

Group-IB constantly honors its vision of zero tolerance towards cybercrime, by supporting missions to apprehend criminals and protect businesses and citizens from falling victim to cybercrimes.

One of many such initiatives was our collaboration with the Dutch National Police to uncover and stop the operations of a criminal syndicate – the Fraud Family. This group has been targeting residents of the Netherlands and Belgium since the start of 2020.

Operating predominantly in Dutch-speaking regions, the Fraud Family offered phishing frameworks under the Fraud-as-a-Service (FaaS) model through a network of Telegram channels with 2,000 subscribers.

These phishing kits, developed by the syndicate, included web pages that impersonated some of the biggest local financial organizations. A typical attack by fraudsters using the Fraud Family’s phishing infrastructure started with obtaining the target’s personal and banking information through common attack vectors such as email, SMS, or WhatsApp messages. These messages appeared benign or enticing to victims but in reality carried malicious links leading to phishing sites.

When Group-IB’s Threat Intelligence system detected these phishing pages, we immediately initiated a thorough investigation. By connecting the dots and unraveling the phishing infrastructure, Group-IB exposed the cybercriminals behind the Dutch-speaking criminal syndicate. We shared the findings with the authorities, which further led to the apprehension of the cybercriminals responsible.

Behind the scenes

The analysis of the technical infrastructure and the phishing templates created by the Fraud Family brought a lot of critical details to the surface regarding their Fraud-as-a-Service (FaaS) operations. This included insights into how the Fraud Family engaged with criminals to develop, sell, or rent their phishing frameworks for fraud.

Between April and July 2021, Group-IB continued the investigation, eventually identifying two individuals behind the development, sale, and rental of sophisticated phishing frameworks. They were a duo of a 24-year-old suspect who developed the phishing panels and a 15-year-old accomplice who sold them.

Figure 1: Dutch police shared photos from the operation

Figure 2: The Dutch Police posted the following message to the threat actor’s contacts

After the operation, Dutch police wrote to the purchasers of the Fraud Family tools in Telegram, warning them about the operation and informing them of an ongoing investigation into their identities and activities.

Impact

What once stood as one of the most effective phishing instruments in the region was rendered ineffective in the end with the intervention of Group-IB. Immediately upon discovery, Group-IB shared its findings with the Dutch Police and notified the organizations whose names were being abused by fraudsters. As a result of the investigation, two individuals were arrested by the Dutch Police.

The perpetrators’ illegal business was shut down, leading to a decrease in the number of online fraudsters who were the group’s clients. The insights shared by Group-IB also helped understand the scope of the attack and take additional steps to restore the safety and security of Dutch and Belgian citizens, otherwise disrupted by these large-scale phishing campaigns.

Storyline

As more people go digital, the opportunities for profitable fraud also rise. Advanced skills are no longer a prerequisite for orchestrating sophisticated scams, all thanks to Fraud-as-a-Service (FaaS) platforms like the one provided by Fraud Family.

This investigation is a clear example of that shift: it uncovered not just the Fraud Family cybercriminals, but also a larger network of criminals in the region that used the Fraud Family’s phishing tools to commit fraud.

Fraudsters leveraging the Fraud Family’s phishing framework typically kick off their attacks with emails, SMS, or WhatsApp messages posing as legitimate companies. The Fraud Family built a sophisticated fraud-as-a-service infrastructure that offered ready-made phishing frameworks, domains, and hosting services, all managed by the Fraud Family, to less experienced or skilled cybercriminals.

Operating since 2020, the syndicate used Telegram to promote its services, including selling phishing tools or renting ‘ready-to-use’ infrastructure equipped with phishing frameworks and anti-bot measures. These measures aim to thwart crawlers, automated analysis tools, and services like VirusTotal and URLScan, as well as researchers, from accessing the phishing sites. Interested fraudsters could rent the Express Panel for €200 per month or the Reliable Panel for €250.

Group-IB’s cyber investigations team identified at least 8 Telegram channels run by the Fraud Family gang. These channels collectively boast close to 2,000 subscribers, with the most popular group having 640 members.

Figure 3: Advertisement promoting the rent of phishing infrastructure

Debunking the shady Fraud-as-a-Service network

For cybercriminals, brand impersonation has proven to be a time-tested strategy for gaining users’ trust and extracting sensitive information from them. The Fraud Family, in particular, mastered the tactic of crafting highly personalized phishing campaigns that included convincing fake online banking interfaces, designed to minimize suspicion. Moreover, the Fraud Family didn’t rely on just one method to assist fraudsters in devising their campaigns.

Variant 1: Disguising as well-known brands

The phishing pages, identified by Group-IB’s Threat Intelligence system, closely resemble legitimate banking websites of major local financial organizations. Their objective is to deceive unsuspecting victims into giving their personal and banking details through malicious links leading to phishing websites controlled by the Fraud Family.

Figure 4: Fraud Family’s phishing scheme using well-known brand names

Variant 2: Impersonating a well-known marketplace

In another tactic, fraudsters contacted a seller on a Dutch classified advertising platform, pretending to be a buyer. They immediately moved the conversation to a third-party messenger, WhatsApp in this case, and then asked the seller to make a small payment using an e-commerce payment system used in the Netherlands, to “verify the seller is not a scammer”. The payment link that the real scammer provides is in fact a phishing site. This method was well documented by Opgelicht?!

Figure 5: Fraud Family impersonating a well-known marketplace, redirecting users to fake banking pages.

Figure 6: Phishing site using Dutch online Marketplace lure

Putting a stop to their fraudulent activities

Group-IB’s High-Tech Crime Investigations took decisive action to halt the activities of the threat actor by thoroughly analyzing all aspects of the Fraud Family’s operations. They uncovered phishing frameworks, domains, and illicit discussions within Telegram channels. Once Group-IB experts unraveled the entire scheme and exposed the criminal syndicate’s operations, they promptly shared their findings with the authorities. This collaboration aimed to dismantle the network facilitating the crime and alert impersonated businesses. Ultimately, these actions helped prevent citizens from falling victim to online fraud.

Following the operation, the Dutch police stepped in by warning purchasers of Fraud Family tools on Telegram about the ongoing investigation into their involvement.

And justice for all

Group-IB’s Amsterdam Cyber Investigation team identified the individuals responsible for the Dutch-speaking syndicate and provided this information to law enforcement authorities. The investigation tracked the perpetrators and their network of buyers of phishing frameworks, including tools and resources utilized for information theft and fraud.

The operation resulted in the arrest of two suspects, a 24-year-old man and his 15-year-old accomplice, who are thought to be the developer and seller of the phishing frameworks distributed by the Fraud Family.

Digital fraud such as phishing is a social problem that requires an integrated approach. This approach involves a joint effort between the Police, Public Prosecutors, banks, government agencies and others together for investigation, prosecution and prevention.
Witeke Koorn
Dutch Public Prosecutor, Attorney

Conclusion

When it comes to combating cybercrime, Group-IB’s global presence has enabled us to collaborate with regional authorities promptly, effectively addressing regional threats and preventing potential harm to individuals and organizations. Operation Family Fraud serves as a notable example, where our Amsterdam team helped in the investigations and shared intelligence about the individuals behind the FaaS platform with the Dutch Police.

Upon discovering pertinent findings, Group-IB promptly shared them with the Dutch Police, facilitating the arrest of suspects, dismantling their fraudulent infrastructure, and alerting associated fraudsters. Additionally, we notified organizations whose names were being abused by fraudsters to help them take subsequent steps in safeguarding their brand and minimizing the amount of fraudulent activity. This investigation has bolstered our reputation as a trusted provider, enabling us to continue assisting authorities with crime-nabbing operations in the region.
