Microsoft seizes 240 websites used by Egyptian phishing-as-a-service operation ‘ONNX’

Avatar

Hundreds of websites used by an Egyptian cybercriminal to sell “do-it-yourself” phishing kits have been disrupted by Microsoft and LF Projects, the corporate entity behind the Linux Foundation. 

The two companies sued Abanoub Nady and four unidentified people for running ONNX — a key cybercrime operation that is part of the wider phishing-as-a-service industry.

Nady and his team are accused of running 240 fraudulent websites — now seized by the Microsoft’s Digital Crimes Unit — that offered kits to cybercriminals to run phishing campaigns that could bypass additional security measures and break into Microsoft customer accounts.

Steven Masada, assistant general counsel with the Digital Crimes Unit, said in a blog post that the financial services industry “has been heavily targeted given the sensitive data and transactions they handle.” 

“Much like how e-commerce businesses sell products, Abanoub Nady and his associates marketed and sold their illicit offerings through branded storefronts, including the fraudulent ‘ONNX Store,’” he said. 

“By targeting this prominent service, DCU is disrupting the illicit cybercriminal supply chain, thereby protecting customers from a variety of downstream threats, including financial fraud, data theft, and ransomware.”

Masada noted that an alert was recently sent out to U.S. broker-dealers warning that ONNX tools were being used to target Microsoft 365 users with a new attack known as quishing — where QR codes are embedded in PDF documents and redirect victims to phishing URLs.

Microsoft said it has seen a significant increase in phishing attempts involving QR codes.

LF Projects is the trademark owner of the name and logo for ONNX, which is a legitimate machine learning tool. 

A spokesperson for the company said it had collaborated with Microsoft “to defend millions of individuals and organizations from a global phishing-as-a-service criminal operation.” 

“We encourage organizations who find themselves in a position to fight one element of a cybercrime problem to identify ways to collaborate and build a stronger collective response,” they said. 

Earlier this year, researchers at the cyber intelligence firm Dark Atlas revealed that Nady was behind ONNX and its predecessors by tracing his identity back to a now-deleted Facebook profile that used the moniker “MRxC0DER.” The researchers even obtained his phone number and LinkedIn profile.

Masada said Microsoft has been tracking Nady since 2017, when he began selling his phishing kits under operations named “Caffeine” or “FUHRER.”

Other researchers were able to reproduce that investigation and confirm Nady was responsible for ONNX. Mandiant also did a deep dive into Caffeine in 2022, highlighting its use by government-backed hacking groups around the world. 

The operation became increasingly professionalized over time, offering cybercriminals different subscription tiers providing add-on features and more hands-on support for how to start phishing email campaigns. 

A screenshot of the scheme’s subscription tiers. Credit: Microsoft

Most of the operation is conducted through Telegram, and customers are offered how-to videos explaining how to operate the phishing kit. 

Through a court action, Microsoft was allowed to redirect the malicious technical infrastructure to its own servers, cutting off cybercriminals’ access to the platform. 

“Effectively combatting cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure,” Masada explained. 

“While today’s legal action will substantially hamper the fraudulent ONNX’s operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response.”

NewsCybercrime
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

Gambling and lottery giant disrupted by cyberattack, working to bring systems back online

Next Post

‘PopeyeTools’ marketplace for stolen credit cards disrupted by feds

Related Posts

Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites

Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.
Avatar
Read More

Researchers Discover “Bootkitty” – First UEFI Bootkit Targeting Linux Kernels

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded
Avatar
Read More