Operation “Emmental” is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.

By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steal the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.

The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported “Emmental” attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

We need more bank accounts to sell. The beauty of what we do with “Emmental”, like you call it is that we can now aim at high-end customers. That’s much bigger than the people we usually scam. Also, this whole attack was a huge challenge, we wanted to see if we could overcome something tough (security wise) and on the way make some real money. I’m the one who wrote the core of the app, perhaps.

Not really, some other guys on the web shared their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting banks worldwide.

U mean different banks? Several. We mass email and mass SMS which basically sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on.

Easily, we have fake identities which are established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things.

For example, let’s just say that companies signing mechanisms are not a wall for us as they are for other hackers.

Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained.

Depends on what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing other attacks that were already reported, but I’m not really gonna say anything about them. All I say is… just wait you will see.

They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcement take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win.

For the special operations, we use unique methods we developed in-house, but for most activity we use a chain of hacked servers and rented cloud services.

More and more companies accept BTC, in the past, it was harder.

For some ops we use our “companies” we established.

Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise

I’ll send u some screen-shots later on if my guys will approve it

I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly working on “speared marketing”, general programming, UI and such. We’re like a small international startup company.

Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good.

Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it since he likes it, and then we unleash our RAT on him.

We don’t talk about Banrisul anymore

I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly, nobody has a f**king clue on how to take us down… My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…

Besides the questions above, many other questions asked were not given answers, or simply ignored. We will update on any news from our contact at the ICEMAN group.

Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ICEMAN group, op Emmental)

[adrotate banner=”5″]

[adrotate banner=”13″]