Dutch police have arrested two people for their alleged involvement in a phishing fraud-as-a-service scheme, one of them a 15-year-old suspect and the other a 24-year-old due to appear in court on Friday.
Authorities got an assist from security vendor Group-IB in the arrests for the “Dutch-speaking syndicate that develops, sells and rents sophisticated phishing frameworks,” according to the company. Group-IB had dubbed the syndicate and its “massive” operation “Fraud Family.”
The unnamed 24-year-old is accused of developing the phishing service kits, while the 15-year-old allegedly sold them. The younger suspect was released pending further investigation. Dutch police also said they searched a third suspect, an 18-year-old.
Group-IB said the Fraud Family operation, which has mainly hit victims in the Netherlands and Belgium since at least 2020 but perhaps as far back as 2018, is focused on stealing banking credentials. The criminals advertised their service to less-skilled cyber crooks on the encrypted messaging app Telegram, where Fraud Family’s eight channels have nearly 2,000 subscribers.
It’s a business model that has grown popular in the ransomware world, where developers lend other criminals their malware in exchange for a share of profits.
In one kind of attack using Fraud Family’s phishing infrastructure, the victim gets an email, text or WhatsApp message pretending to be from a well-known real company, such as a local business that caters to home buyers. The messages contain links to information-stealing phishing websites, according to Group-IB.
Another, Group-IB said, involves contacting a seller listed in classified advertising, asking the seller to make a small e-commerce payment to “verify the seller is not a scammer” only for the e-commerce payment link to be a phishing site. When the victim selects their bank from the website’s list, it asks for their credentials.
Fraud Family gives the criminals access to a web panel that interacts with the phishing website, allowing them to ask for credentials including multi-factor authentication tokens.
Group-IB saw Fraud Family-related activity rise toward the end of 2020 and continue into 2021, but similar-looking infrastructure has been advertised dating back to 2018.
The 15-year-old suspect was released from custody “pending further investigation,” police said. Dutch authorities have differentiated themselves by their willingness to let young suspects off with a warning. The Cyber Offender Prevention Squad, founded in the Netherlands with input from the U.K., aims to direct teenage hackers into a legitimate cyber career.