Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Cyber ​​police in Ukraine made an arrest and several raids last week in relation to a writer A. 0 – Admin, A software package that uses what is being called “one of the world’s largest phishing services”. The operation was carried out in coordination with the FBI and officials in Australia, which was particularly difficult due to phishing scams imposed by U-Admin customers.

U-Admin Phishing Panel Interface. Image:

Ukrainian Attorney General’s Office Said Worked with the Country’s police force Identifying a 39-year-old man from the Ternopil area who developed a phishing package and special administrative panel for the product.

The attorney general’s office said, “According to the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in Australia in 2019 were done thanks to the development of Ternopil hackers,” – etc. Customers

Brad pardon, Superintendent of Cyber ​​Crime Operations for Australian Federal Police (AFP) said, an investigation into who was behind the U-Admin began in late 2018, as Australian citizens began to suffer from phishing attacks via mobile text messages leveraging the software.

“It was furious,” Mardan said, noting that AFP identified the suspect and sent the case to Ukrainians for trial. “At one stage in 2019, we had a pair of hundred SMS phishing campaigns which were only associated with this particular actor. Many Australians received half a dozen of these phishing attempts. ”

U-Admin, aka “Universal Admin”, is the Crimeware platform that first surfaced in 2016. U-Admin was sold by a person who used a hacker handle “Cacti” On several cybercrime forums.

According to This comprehensive breakdown of the phishing toolkits U-Admin control panel is not sold on its own but is included when customers contact the developer and a set of phishing pages designed to mimic a specific brand – such as a bank website or social media platform Buy sets.

Cybersecurity intelligence firm Intel 471 Describes U-Admin as information that uses multiple plug-ins in one location to help protect users more efficiently. These plug-ins include a phishing page generator, a victim tracker, and even a component to help manage money mules (for automatic transfers from victims’ accounts that have already been funded Were hires to obtain and steal).

Perhaps the biggest selling point for U-Admin is a module that helps fishers intercept multi-factor authentication code. This basic functionality is known as “web injection”, as it allows phishers to dynamically interact with victims in real-time by injecting content into the phishing page that allows the victim to enter additional information Inspires. The video below, produced by a U-Admin developer, shows some examples (click to enlarge).

A demonstration video showing the real-time web injection capabilities of the U-Admin phishing kit. Sincerely:

There have been several recent reports that U-Admin has been used in conjunction with malware – specifically Kakobat (aka Kaabut) – To harvest the one-time codes required for multi-factor authentication.

“paired with [U-Admin’s 2FA harvesting functionality], A threat actor can remotely connect to a Kakob-infected device, enter stolen credentials plus 2FA tokens, and initiate transactions, ”explains. This November 2020 blog post was on the ongoing cake but the expedition First documented three months ago By Checkpoint research.

In the days following the Ukrainian law enforcement action, several U-Admin customers’ forums where Kaki was most active began discussing whether the product was still safe to use after the arrest of the administrator.

Mardon of AFP indicated that the suspicion raised by U-Admin’s customer base may be warranted.

“I wouldn’t be sad to continue using that piece of kit, without saying anything on that front,” Marden said.

While Kaki’s customers may be primarily concerned about the risks of using a product endorsed by someone who has just run out, perhaps they should be more concerned about other crooks [or perhaps the victim banks themselves] Walking on your turf: It appears that the U-Admin package being sold in the underground has long been involved with a weakness that can allow anyone to view or change data prepared with the help of this kit.

The security flaw was briefly mentioned 2018 write-up on U-Admin by SANS Internet Storm Center.

“Given the professionalism, layout, and functionality of the code, I’m giving this control panel 3 stars out of 5,” Remo Verhoef. We wanted to give them 4 stars, but we gave one star less SQL injection vulnerability” [link added].

That vulnerability was documented in more detail in exploitation archives Packet storm protection In March 2020 and Indexed by Check Point Software In May 2020, suggesting that it still remains in the current versions of the product.

The best advice to prevent a phishing scam is to avoid clicking on unsolicited links in emails, text messages, and other means. This advice is the same whether you are using a mobile or desktop device. In fact, this phishing framework specialized in lures specifically designed for loading on mobile devices.

Most phishing scams invoke a cosmic element, which warns you of serious consequences. If you are unsure whether the message is legitimate, take a deep breath and manually visit the site or service – ideally, using browser bookmarks to avoid potential typosquatting sites.

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories