Microsoft Seizes 240 Domains Used By Phishing-as-a-Service (PhaaS) Platform

Microsoft's Digital Crimes Unit (DCU) has seized 240 fraudulent domains used by the Egypt-based phishing-as-a-service (PhaaS) operation "ONNX."

Abanoub Nady, known online as "MRxC0DER," developed and marketed "do it yourself" phish kits under the false identity "ONNX."

These kits were bought by many cybercriminals and other threat actors, who used them in large-scale phishing campaigns to bypass security controls and take over Microsoft customer accounts.

The financial services industry has been heavily targeted because of the sensitive data and transactions it handles. For the victims of a successful phish the consequences can be severe and very real.

Significant sums of money, including life savings, may be lost, and once stolen the funds are extremely difficult to recover.


Overview Of The Fraudulent ONNX Operation

Microsoft has tracked activity connected to Nady's operation since as early as 2017. Besides fraudulently using the ONNX name, Nady has also operated under the names "Caffeine" and, more recently, "FUHRER," according to DCU.

The phish kits are built for coordinated phishing campaigns and are designed to send email at high volume.

The fraudulent ONNX operation sells its kits on a subscription model, with Basic, Professional, and Enterprise tiers offering increasing levels of access and support.

Enterprise customers can also buy an "Unlimited VIP Support" add-on: effectively round-the-clock technical support that gives step-by-step guidance on using the phishing kits to commit cybercrime.

Phish kit subscription model

After buying a kit, a cybercriminal can run their own phishing campaigns using the supplied templates and the fraudulent ONNX back-end infrastructure.

They can scale those campaigns by connecting domains bought elsewhere to that same infrastructure.

According to this year's Microsoft Digital Defense Report, the fraudulent ONNX operation was one of the top five phish kit providers by email volume in the first half of 2024.

It is part of the wider Phishing-as-a-Service (PhaaS) economy. Like legitimate e-commerce businesses, Nady and his associates marketed and sold their illegal offerings through branded storefronts such as the fake "ONNX Store."

Example of a fraudulent ONNX phishing email

By taking down this well-known service and disrupting the criminal supply chain behind it, DCU aims to protect customers from a range of downstream threats, including financial fraud, data theft, and ransomware.

Microsoft's Digital Defense Report for this year also records a 146% increase in adversary-in-the-middle (AiTM) phishing, the technique these kits are used for: the phishing page relays the victim's sign-in to the real service in real time and captures the resulting session cookie, which lets the attacker into the account even when multifactor authentication is enabled.

FINRA, the non-profit self-regulatory organization for U.S. broker-dealers, recently issued a public Cyber Alert warning members of a rise in AiTM attacks driven by the fraudulent ONNX scheme.

In the alert, FINRA describes newer methods attackers use to get past security controls, such as QR code phishing, or "quishing."

In quishing, the email carries a QR code instead of a clickable link. Scanning it sends the user to an impersonation domain, usually a fake sign-in page that asks for credentials. Because the URL is encoded in an image rather than in the message text, mail filters that only inspect and rewrite links may never see it, and the scan typically happens on a personal phone outside the organization's web filtering.

Microsoft analysts observed a sharp rise in QR-code phishing starting around September 2023, when it reached almost a quarter of all email phishing.
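To make the filtering point concrete, here is an added example of message-shape triage for quishing lures; it is not code from the article, Microsoft or FINRA. It uses only the Python standard library and assumes a raw MIME message as input. The two sample emails, the example.com addresses and the placeholder PNG bytes are constructed for illustration; the function and pattern names are the example's own. Because the malicious URL sits inside the image, the code deliberately does not try to decode the QR code: it keys on an inline image being the only call to action, the absence of any ordinary http(s) link to scan, and account-security lure wording.

```python
"""Heuristic triage for QR-code ("quishing") lures in email (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Wording typical of MFA/credential lures. Patterns are illustrative, not a vendor list.
LURE_PHRASES = [
    r"\bscan (the|this) (qr|q\.r\.) ?code\b",
    r"\bauthenticat(or|ion)\b",
    r"\b(mfa|2fa|multi-?factor)\b",
    r"\b(password|credential)s? (will )?expir",
    r"\bverify your (account|identity)\b",
]


class _LinkImageCollector(HTMLParser):
    """Collect <a href>, <img src> and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs, self.text_parts = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_data(self, data):
        self.text_parts.append(data)


def triage_message(raw: bytes) -> dict:
    """Return indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    collector = _LinkImageCollector()
    collector.feed(html_part.get_content() if html_part is not None else "")
    text = " ".join(collector.text_parts + [str(msg["Subject"] or "")]).lower()

    # Content-IDs of attached image parts, angle brackets stripped, so we can tell
    # an inline (rendered) image from a mere reference to a remote one.
    image_cids = {
        (part["Content-ID"] or "").strip("<>")
        for part in msg.walk()
        if part.get_content_maintype() == "image"
    }
    inline_images = [s for s in collector.img_srcs
                     if s.lower().startswith("cid:") and s[4:] in image_cids]
    http_links = [h for h in collector.hrefs
                  if h.lower().startswith(("http://", "https://"))]
    lures = [p for p in LURE_PHRASES if re.search(p, text)]

    reasons = []
    if inline_images and not http_links:
        reasons.append("inline image is the only call to action; no http(s) link to scan")
    if lures:
        reasons.append(f"lure wording matched {len(lures)} pattern(s)")
    flagged = bool(inline_images) and not http_links and bool(lures)
    return {"flagged": flagged, "inline_images": len(inline_images),
            "http_links": len(http_links), "lure_hits": len(lures), "reasons": reasons}


# Constructed sample data below: placeholder PNG header, not a real QR image.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def _build(subject: str, plain: str, html: str, cid: str) -> bytes:
    """Assemble a multipart/alternative message whose HTML part carries one inline image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    # Stdlib-documented pattern: turn the HTML part into multipart/related and
    # attach the image under the Content-ID that <img src="cid:..."> refers to.
    msg.get_payload()[1].add_related(PNG_STUB, maintype="image", subtype="png", cid=f"<{cid}>")
    return msg.as_bytes()


def build_sample_quish() -> bytes:
    """Constructed MFA re-enrolment lure: QR image, no links."""
    return _build(
        "Action required: Authenticator re-enrolment",
        "Your multi-factor authentication will expire. Scan the QR code to re-enrol.",
        "<html><body><p>Your multi-factor authentication will expire in 24 hours.</p>"
        "<p>Scan the QR code below with your phone to re-enrol in Authenticator:</p>"
        '<img src="cid:qr-enrol" alt="QR code"><p>IT Helpdesk</p></body></html>',
        "qr-enrol")


def build_sample_benign() -> bytes:
    """Constructed newsletter: inline logo plus an ordinary link, no lure wording."""
    return _build(
        "October product update",
        "Read the October update at https://www.example.com/blog/october",
        '<html><body><img src="cid:logo" alt="logo"><p>Read the '
        '<a href="https://www.example.com/blog/october">October update</a>.</p></body></html>',
        "logo")


if __name__ == "__main__":
    for label, raw in (("quish", build_sample_quish()), ("benign", build_sample_benign())):
        print(label, triage_message(raw))
```

The verdict is intentionally conservative (all three indicators must hold), so a newsletter with an inline logo and real links is not flagged while the MFA lure is. In production the flagged messages would go on to image extraction and QR decoding, and the decoded URL would be checked against the organization's own sign-in domains, which is exactly the step a link-only filter never reaches.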

"Our goal in all cases is to protect customers by severing bad actors from the infrastructure required to operate and to deter future cybercriminal behavior by significantly raising the barriers of entry and the cost of doing business," said Steven Masada, Assistant General Counsel, Microsoft's Digital Crimes Unit.

"We are joined by co-plaintiff LF (Linux Foundation) Projects, LLC, the trademark owner of the actual registered 'ONNX' name and logo."

He added that rather than watching helplessly while bad actors unlawfully use their names and trademarks to lend their attacks legitimacy, the two organizations are working together to take proactive steps to defend internet users everywhere.

Companies and individuals must stay informed and cautious as cybercriminals continue to refine their tactics.

Understanding the techniques attackers use and putting strong security controls in place is how a safer online environment gets built.


The post Microsoft Seizes 240 Domains Used By Phishing-as-a-Service (PhaaS) Platform appeared first on Cyber Security News.