EXECUTIVE SUMMARY:
Law enforcement has dismantled a fraud infrastructure built around a malicious domain that was used to harvest online banking credentials from unsuspecting users. The domain served as the central repository for login data collected through counterfeit pages that mimicked legitimate banking services. Authorities seized the domain and its associated database to disrupt the ongoing exploitation of financial accounts and prevent further unauthorized access.
The seized domain acted as the operational hub of a coordinated fraud campaign in which the threat actors placed malicious advertisements on major search engines that imitated legitimate sponsored banking links. Users who clicked these ads were redirected to counterfeit banking portals under the attackers' control. Code embedded in those pages captured the submitted login information, which was then aggregated and managed through a backend panel. Analysis revealed that the seized infrastructure held thousands of stolen credentials used to access legitimate financial services and execute unauthorized transactions; victims across multiple sectors were affected and substantial financial losses are attributed to the campaign.
Taking down this backend system is a significant setback for the operators of the account takeover scheme, as it cuts off their access to the stolen credential repository. Authorities urge continued vigilance against phishing and malvertising: monitor account activity closely, and reach banking login pages by typing the address or using a saved bookmark rather than by clicking sponsored search results. The action underscores the importance of layered defenses and proactive monitoring against credential theft and account takeover fraud.
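The malvertising-to-credential-harvesting chain described above leaves a recognizable trace at the network edge: a request to a lookalike banking domain whose referrer is a search engine's sponsored-result click redirector. The following is an added example, not material from the original report or from any investigating agency. It is a Python detector run over constructed web-proxy log lines; it flags navigations to domains that imitate a bank's brand (homoglyph folding plus edit distance) and raises the severity when the referrer shows the user arrived via a paid search ad. The bank brand (examplebank), the log format, the ad-click referrer hosts and the homoglyph table are all assumptions made for the example.

```python
"""Flag search-ad clicks that land on lookalike banking domains.

Added example with constructed data. The brand, the legitimate domains, the
proxy log format and the ad-click referrer list are assumptions, not facts
from the case described on this page.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

LEGIT_DOMAINS = {"examplebank.com"}   # the bank's real registrable domains (assumed)
BRAND_TOKENS = {"examplebank"}        # brand strings a phisher would imitate (assumed)

# (host, path prefix) pairs that identify a sponsored-result click redirector.
# Organic searches (e.g. bing.com/search) deliberately do not match.
AD_CLICK_REFERRERS = (
    ("www.googleadservices.com", "/pagead/aclk"),
    ("googleads.g.doubleclick.net", "/"),
    ("www.bing.com", "/aclick"),
)

# Approximation of a public-suffix list: treat bank.co.uk as one registrable domain.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

# Characters commonly swapped to build visually similar labels (assumed table).
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "-": None, "_": None})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))

# Constructed proxy log: timestamp, user, requested URL, referrer.
SAMPLE_LOG = """\
2024-05-02T09:14:01Z alice https://online.examplebank.com/login https://www.google.com/
2024-05-02T09:15:22Z bob https://examp1ebank-login.com/secure/login https://www.googleadservices.com/pagead/aclk?sa=L
2024-05-02T09:16:05Z carol https://exarnplebank.net/auth https://www.bing.com/aclick?ld=abc
2024-05-02T09:17:40Z dave https://news.example.org/markets https://www.googleadservices.com/pagead/aclk?sa=L
2024-05-02T09:18:13Z erin https://examplebank-verify.com/ https://mail.example.org/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<referrer>\S+)$")


def registrable_domain(host: str) -> str:
    """Return an approximate eTLD+1 for host (e.g. online.examplebank.com -> examplebank.com)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def normalize_label(label: str) -> str:
    """Fold homoglyphs and separators so 'examp1e-bank' and 'exarnplebank' both become 'examplebank'."""
    out = label.lower().translate(SINGLE_CHAR)
    for src, dst in MULTI_CHAR:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; catches single-character typosquats the homoglyph table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand this host imitates, or None for legitimate or unrelated hosts."""
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return None
    label = normalize_label(domain.split(".")[0])
    for brand in BRAND_TOKENS:
        if brand in label or levenshtein(label, brand) <= 2:
            return brand
    return None


def via_search_ad(referrer: str) -> bool:
    """True when the referrer is a known sponsored-result click redirector."""
    p = urlparse(referrer)
    return any(p.hostname == host and (p.path or "/").startswith(prefix)
               for host, prefix in AD_CLICK_REFERRERS)


def detect(log_text: str) -> List[Dict]:
    """Emit one alert per navigation to a lookalike domain; ad-sourced hits are high severity."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        host = urlparse(m["url"]).hostname or ""
        brand = lookalike_brand(host)
        if brand is None:
            continue
        ad = via_search_ad(m["referrer"])
        alerts.append({"user": m["user"], "host": host, "brand": brand,
                       "via_search_ad": ad, "severity": "high" if ad else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Legitimate traffic to the bank's own subdomains passes because the check works on the registrable domain, not the full host; a lookalike reached from email or a direct visit is still reported, just at a lower severity than one reached through a sponsored-result redirector.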
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Credential Access | T1556.001 | Modify Authentication Process | Domain Controller Authentication |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1531 | Account Access Removal | — |
REFERENCES:
The following reports contain further technical details: