Cyber fraudsters stole 276,470 euros.
Spanish law enforcement officials have arrested 16 people linked to the use of the banking Trojans Mekotio and Grandoreiro as part of a malicious campaign targeting financial institutions in Europe.
Arrests were made in Ribeira (La Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz) and Aranda de Duero (Burgos) during Operation Aguas Vivas. According to the police, malicious software installed on the victim’s computer allowed the criminals to transfer large amounts of money to their own accounts.
Police confiscated computer equipment, mobile phones and documents, and analyzed more than 1,800 spam emails, allowing law enforcement to successfully block transaction attempts totaling €3.5 million. The criminals' proceeds amounted to 276,470 euros, of which 87,000 euros were successfully returned.
The cyber fraudsters sent phishing emails to potential victims, ostensibly on behalf of legitimate delivery services and government agencies such as the Spanish Treasury. The emails asked users to follow a link that quietly downloaded malicious software onto their computer system.
The Mekotio and Grandoreiro malware allows operators to intercept transactions on the bank’s website and redirect funds, without authorization, to accounts under the control of the attackers. To carry out the fraud, the criminals hacked into at least 68 email accounts belonging to official bodies.
Grandoreiro and Mekotio (also known as Melcoz) are part of the Brazilian banking Trojan family, which also includes the Guildma and Javali malware. In operation since at least 2016, Grandoreiro has been used to target users in Brazil, Mexico, Spain, Portugal and Turkey. Mekotio, on the other hand, was seen in attacks targeting Brazil starting in 2018, and then operators began attacking users in Chile, Mexico and Spain.
Mekotio allows its operators to steal passwords from browsers and device memory, providing remote access to online banking operations. The malware also contains functionality to steal Bitcoin wallet addresses.