Mexican hacker stole over 350 thousand euros from banking users around the world
Smishing, fake websites and remote access trojans helped the enterprising criminal to make a fortune.
From June 2021 to April 2023, a Mexican hacker nicknamed “Neo_Net” carried out multiple cyber attacks on banks in different countries, especially in Spain and Chile, using malware for Android devices. This was reported by security researcher Paul Till in a recent report that SentinelOne released in collaboration with VX Underground.
SMS phishing (smishing) was the main method of spreading the mobile malware: the hacker frightened his victims with false reports about problems with their bank accounts and then redirected them to fake banking sites, which collected their personal data.
“Phishing pages were carefully configured using the PRIV8 panels, and had several protective measures, including blocking requests from desktop browsers and hiding pages from bots and web crawlers,” explained Paul Till.
“These pages have been designed to closely resemble real banking applications, with animations and other elements to create a compelling illusion,” the researcher added.
In addition, the hacker convinced bank customers to install fake Android apps disguised as security programs. Once installed, these apps asked for permission to access SMS in order to intercept the two-factor authentication (2FA) codes sent by the bank.
“Despite the use of relatively simple tools, Neo_Net has achieved a high degree of success by tailoring its infrastructure to specific purposes, which has led to the theft of more than 350 thousand euros from the bank accounts of victims and the compromise of the personal data of thousands of them,” Till explained.
Neo_Net is associated with a Hispanic attacker living in Mexico. He has proven himself to be a skilled cybercriminal, selling phishing panels and stolen victim data to third parties, and running a Smishing-as-a-Service offering called Ankarex, designed to target a number of countries around the world.
The Ankarex platform has been active since May 2022. It is actively promoted in the hacker’s Telegram channel, which currently has about 1,700 subscribers.
“The service itself is available at ankarex[.]net, and after registration, users can replenish their balance with cryptocurrency transfers and launch their own Smishing campaigns, indicating the content of the SMS and phone numbers of the targets,” said the SentinelOne specialist.
It is noteworthy that the news about Neo_Net's activities appeared against the backdrop of a recent report by ThreatFabric researchers about a new campaign of the Anatsa Trojan (aka TeaBot), which has been attacking bank customers in the US, UK, Germany, Austria and Switzerland since the beginning of March 2023.