The malicious outfit used 563 trojanized mobile applications to steal victims’ data and spy on them, the police said. The threat actors relied on SMS phishing (smishing) to gain initial access to their targets’ devices. Hong Kong police worked with Interpol to investigate the group and take down its servers. While neither the cybercriminals nor their victims are based in Hong Kong, the threat actors maintained a vast network of servers in the city and frequently switched between them to evade detection.
Police Shut Down 192 Servers, Identify 258 Others
In February 2022, the Hong Kong Police and Interpol launched a joint operation called “MagicFlame” to take down the cybercrime outfit. Senior superintendent Raymond Lam Cheuk-ho of the Hong Kong Police Force said they shut down 192 servers in the city and identified 258 servers belonging to the group in other parts of the world. The Hong Kong-based servers contained information from 519 mobile devices, including victims’ login credentials, payment details, ID cards, and even intimate photos.

“We believe it was an overseas-based syndicate that made use of the city’s internet network to carry out its illegal activities,” the senior superintendent said. “We believe the syndicate ceased its illegal operations after the joint operation with Interpol,” he added.

Most victims are from Japan and South Korea. The police did not make any arrests in Hong Kong. However, they have identified potential suspects and shared the information with the relevant law enforcement authorities.
Trojanized Apps Impersonated Banks, Media Players, Dating Apps
In a typical attack, the actors send victims a phishing SMS from a seemingly official source. The message directs the victim to click on a link, and doing so installs a malicious application on the device, outside the official app store. Lam said the apps impersonated a wide variety of businesses such as “banks, financial institutions, media players, and dating and camera apps.” Once installed, the trojanized apps monitored and collected sensitive information. This data was sent to servers in Hong Kong before being re-routed to overseas servers.

The attackers could access victims’ text messages, emails, and audio recordings. They could track victims’ locations and turn the compromised device into a surveillance instrument by controlling the microphone and camera. Superintendent Wilson Fan Chun-yip told local media that the cybercriminals used the stolen data to steal money from victims’ accounts, impersonate victims on social media, and even blackmail them.

There has been an uptick in phishing and other social engineering scams across the world. Threat actors are going to great lengths to impersonate trusted organizations and platforms to get victims to lower their guard. In September, the Internal Revenue Service (IRS) warned of a “significant” rise in SMS phishing scams in which cybercriminals impersonate the agency.

To avoid falling victim to phishing attacks, Hong Kong police recommend that you stay alert and avoid clicking on suspicious links or downloading apps from outside official app stores. Fan also recommends that you keep your phone updated, use antivirus software, and avoid jailbreaking your device. Interested in learning more about how to protect yourself from phishing? Check out our in-depth guides to phishing and social engineering.
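The chain Lam describes (a text from a spoofed sender, a link, an app installed from outside the store) leaves a few cheap signals that a fraud desk or SMS gateway can score before a user taps. The script below is an added example, not code from the police report or from any named tool. Its brand allowlist (KNOWN_BRAND_DOMAINS), the scoring weights, the urgency phrases and the sample messages are all constructed assumptions for illustration; the brand names and domains are fictitious.

```python
"""Heuristic triage of suspected smishing texts.

Added example: not from the police report or any vendor product.
Brand list, weights, phrases and samples below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: impersonated brand keyword -> domains it really uses.
# Fictitious brands; a production list would be maintained per market.
KNOWN_BRAND_DOMAINS = {
    "examplebank": ("examplebank.com", "examplebank.jp"),
    "parcelpost": ("parcelpost.jp",),
}
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "is.gd")
URGENCY_PHRASES = ("unusual activity", "verify now", "suspended", "within 24 hours")
# Assumed weights: a direct APK link or a brand/domain mismatch alone is
# enough to escalate, since that is the sideloading step the campaign relied on.
WEIGHTS = {"apk": 3, "brand_mismatch": 3, "ip_host": 2, "shortener": 1, "urgency": 1}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text):
    """Pull URLs out of an SMS body, normalising bare www. links and
    stripping trailing punctuation that belongs to the sentence."""
    urls = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def host_matches(host, domain):
    """True if host is domain or a subdomain of it. A lookalike such as
    examplebank-secure.top does not match examplebank.com."""
    return host == domain or host.endswith("." + domain)


def triage(text):
    """Score one SMS body. Returns {"score", "verdict", "reasons"} where
    reasons is a list of (signal, detail) pairs."""
    lowered = text.lower()
    reasons = []
    mentioned = [brand for brand in KNOWN_BRAND_DOMAINS if brand in lowered]
    for url in extract_urls(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(".apk"):
            reasons.append(("apk", url))              # sideload bait
        if IPV4_RE.fullmatch(host):
            reasons.append(("ip_host", host))         # no domain at all
        if any(host_matches(host, s) for s in URL_SHORTENERS):
            reasons.append(("shortener", host))       # hides destination
        for brand in mentioned:
            if not any(host_matches(host, d) for d in KNOWN_BRAND_DOMAINS[brand]):
                reasons.append(("brand_mismatch", f"{brand} -> {host}"))
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append(("urgency", phrase))
            break
    score = sum(WEIGHTS[kind] for kind, _ in reasons)
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages for the demo; not texts from the real campaign.
SAMPLES = [
    "ExampleBank: unusual activity detected. Verify now at http://examplebank-secure.top/app.apk",
    "Your ParcelPost delivery is waiting. Track it at https://parcelpost.jp/track/4821",
    "Claim your prize: http://198.51.100.23/reward",
    "Running ten minutes late, see you at the cafe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{result['verdict']:6} score={result['score']}  {sample[:60]}")
        for kind, detail in result["reasons"]:
            print(f"         {kind}: {detail}")
```

The first sample trips three signals (direct .apk link, a bank named in the text but a link to an unrelated domain, an urgency phrase) and is blocked; the courier message links to its own allowlisted domain and passes. The domain comparison is deliberately a suffix match against an explicit allowlist rather than a "registrable domain" guess, because splitting hostnames without the Public Suffix List misclassifies second-level registries such as co.jp, which matters for the Japanese and Korean victims this campaign targeted.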