The Civil Guard dismantles an important network dedicated to committing scams through the Internet

16 people have been arrested in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz) and Aranda de Duero (Burgos) for the alleged crimes of fraud and belonging to a criminal organization

Through malicious software, installed on the victim's computer by the technique known as "email spoofing", they allegedly managed to divert large amounts of money to their accounts

The agents have managed to block transfer attempts for an amount of 3,500,000 euros, after analyzing more than 1,800 emails








The Civil Guard, within the framework of the AGUAS VIVAS operation, has dismantled a criminal organization dedicated to committing scams through the Internet. Through malicious software, installed on the victim's computer by the technique known as "email spoofing", they allegedly managed to divert large amounts of money to their accounts.

16 people have been arrested in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz) and Aranda de Duero (Burgos) for the alleged crimes of fraud and belonging to a criminal organization.

20 fraud crimes have been solved, for a total amount defrauded of 276,470 euros, of which 87,000 euros have been recovered.
Likewise, 2 searches have been carried out in Madrid, in which a large amount of documentation, mobile devices and computer equipment has been seized.
The investigation began more than a year ago, after several complaints filed by various official bodies located throughout the country, concerning the alleged infection of their computer equipment with some type of malicious software, with which the attackers allegedly managed to divert large amounts of money from their accounts through online banking.
After analyzing the affected computer equipment, the agents observed that the infection was carried out through a technique known as "email spoofing", which consists of fraudulently sending emails in which the attackers hide the sender's true address and replace it with another, apparently legitimate one, thus succeeding in impersonating state bodies such as the Tax Agency, the Treasury, the Post Office or the DGT.

Modus operandi

The complainants received messages in their email accounts, supposedly from official bodies such as the Tax Agency, Treasury, Correos, DGT, etc., in which they were required to pay tax debts, pay traffic fines, or collect packages, for which they had to open a link inserted in the email received to see the details. When they accessed that link, they were actually accessing an address or web page from which, in the background, the malicious program was downloaded and installed.
Once installed on the computer, without the user noticing, it remained dormant, waiting to be activated the moment the user accessed any bank website to carry out a banking transaction. At that point, the malicious software intercepted and modified the data being sent, so that the beneficiary accounts of the money became a total of 30 bank accounts belonging to the network. After that, the money was dispersed by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder any police investigation.
One characteristic on which all the victims agreed is that, once they carried out any banking operation through the web, their computers restarted several times until access was blocked, and they later found that large amounts of money had been transferred to unknown accounts.

68 email accounts infected by Trojans

The investigators, in collaboration with the Department of Information Technology of the Cáceres Provincial Council, detected suspicious activity in at least 68 email accounts belonging to official bodies, which were infected with the Trojans "Mekotio" and "Grandoreiro" and were waiting to complete the fraudulent transfers. The agents have managed to block transfer attempts for an amount of 3,500,000 euros, after analyzing more than 1,800 emails.
The organization was perfectly structured and hierarchical, in 4 levels. On the one hand, there were those who were dedicated to receiving the amounts of fraudulent transfers (Level 1), which they later transferred to other members of the organization (Level 2). On the other hand, there were those who transferred the money to other accounts located abroad (Level 3) and, finally, those who were dedicated to masking the online operations of the accounts (Level 4).

Phishing, Vishing and Smishing

These are three attacks based on social engineering that are very similar in their execution. In general, the cybercriminal sends a message impersonating a legitimate entity that we trust, such as a bank, a social network, a technical service or a public entity, in order to achieve their objective. These messages are usually urgent or attractive in nature, to prevent you from applying common sense and thinking twice.
  • Phishing: E-mail, social networks or instant messaging applications are usually used.
  • Vishing: It is carried out through phone calls.
  • Smishing: The channel used is SMS.
Sometimes these messages carry a link to a fraudulent website, which may have been spoofed to look like a legitimate link, or a malicious attachment intended to infect us with malware.
Their objective is to obtain users' personal and/or banking data by making us believe that we are sharing them with someone we trust. They can also use this technique to get us to download malware with which to infect and/or take control of the device.

Recommendations

The main advice is to be cautious and read the message carefully, especially if it comes from entities making urgent requests or offering promotions or bargains that are too attractive.
In addition, other guidelines that we can follow to avoid falling victim to this type of deception are:
  • Look for grammatical errors in the message. And if it concerns an urgent matter or a very attractive promotion, it is very likely to be a fraud.
  • Check that the link matches the address it points to. And, in any case, we must enter the URL ourselves directly in the browser, without copying and pasting.
  • Check the sender of the message, or make sure it is a legitimate phone number.
  • Do not download any attached file, and analyze it with the antivirus beforehand.
  • In the case of vishing, we must not download any file requested by the attacker, or give up control of our computer through any remote control software.
  • Never reply to the message and delete it.
The operation, directed by the Court of First Instance and Instruction No. 1 of Cáceres, has been carried out by agents belonging to the Technological Crimes Team (EDITE) of the Organic Unit of the Judicial Police (UOPJ) of the Cáceres Command.
