Pierluigi Paganini November 23, 2024

Microsoft disrupted the ONNX phishing service, seizing 240 sites and naming an Egyptian man as the operator behind the operation.

Microsoft announced the disruption of the ONNX phishing service, another success against cybercrime which led to the seizure of 240 sites.

The IT giant also identified and publicly disclosed the identity of an Egyptian man, Abanoub Nady (aka MRxC0DER), who allegedly runs the platform. 

Microsoft states that Nady developed and sold phishing kits under the ONNX phishing service. 

“Microsoft’s Digital Crimes Unit (DCU) has seized 240 fraudulent websites associated with an Egypt-based cybercrime facilitator. Abanoub Nady (known online as “MRxC0DER”) developed and sold “do it yourself” phish kits and fraudulently used the brand name “ONNX” to sell these services.” reads the analysis published by Microsoft.

Multiple threat actors purchased the kits developed by Nady and used them in widespread phishing campaigns to steal credentials of Microsoft customer accounts.

Microsoft states that phishing heavily targets financial services, risking losses like life savings. DIY phishing kits fuel millions of phishing emails Microsoft detects monthly.

The ONNX phishing operation demonstrates the rise of sophisticated Adversary-in-the-Middle (AiTM) phishing attacks, which bypass MFA protections by stealing credentials and session cookies. Microsoft observed a 146% increase in AiTM attacks, crooks are rapidly adapting their techniques, tactics and procedure to evade detection.

On June 18th, researchers at Dark Atlas observed a lot of news and activity associated with the “ONNX phishing-as-a-service (PhaaS).” The PhaaS was created by “MRxC0DER,” previously associated with the “Caffeine Phishing Kit.”

The researchers were among the first to discover the real identity of identity of MRxC0DER.

Microsoft has tracked Nady, linked to phishing services since 2017. The ONNX phishing-as-a-service kits start at $150/month for a basic subscription and $550 for professional plans, enabling large-scale credential theft campaigns.

Phishing kits are sold mainly via Telegram, complemented by instructional videos on social media platforms that guide buyers on purchasing and deploying them.

“Once a kit is purchased, cybercriminal customers can conduct their own phishing attacks using the templates provided and the fraudulent ONNX technical infrastructure. They can use domains they purchase elsewhere and connect to the fraudulent ONNX technical infrastructure, enabling their phishing operations to grow and scale.” concludes Microsoft.  

“Through a civil court order unsealed today in the Eastern District of Virginia, this action redirects the malicious technical infrastructure to Microsoft, severing access of threat actors, including the fraudulent ONNX operation and its cybercrime customers, and permanently stopping the use of these domains in phishing attacks in the future.  “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing-as-a-service)