Ukrainian police have arrested a phishing gang that allegedly tricked tens of thousands of victims into handing over their credit card details on spoofed sites.
The five individuals reportedly made over five million hryvnias ($172,600) from their scheme, which involved faking mobile operator websites.
The plot’s ringleader purportedly designed over 40 phishing pages, mimicking sites where users typically top-up their mobile phone balance. They used these card details to drain the bank accounts of over 70,000 victims, the police claimed.
Rather than phishing emails, the group is said to have used paid online marketing and social media advertising to reach their targets.
They hosted the phishing sites on their own infrastructure, managed by one group member. Three others were tasked with fraudulently transferring funds out of the victims’ bank accounts, receiving a percentage of the profits in return.
Police searched the suspects’ homes, seizing computer equipment, mobile phones, flash drives, bank cards and over two million hryvnias ($69,000) in cash.
They face up to eight years behind bars for the alleged plot.
Phishing remains a favorite tactic of fraudsters and cyber-criminals. Data from Proofpoint out this week claimed that 91% of UK organizations were successfully compromised by a phishing email last year.
Such emails can contain malicious attachments and links, designed to install malware or trick the user into handing over their details. More subtle attempts include business email compromise (BEC), which typically relies on social engineering to obtain money from victim organizations.
Over three-quarters (78%) of organizations globally were targeted by email-based ransomware attacks in 2021 and 77% faced BEC, Proofpoint claimed.