# Full Report
Meta Platforms, Microsoft, and the U.S. Department of Justice (DoJ) have announced independent actions to tackle cybercrime and disrupt services that enable scams, fraud, and phishing attacks. To that end, Microsoft's Digital Crimes Unit (DCU) said it seized 240 fraudulent websites associated with an Egypt-based cybercrime facilitator named Abanoub Nady (aka MRxC0DER and mrxc0derii), who
# Analysis Summary
# Incident Report: Coordinated Takedown of Phishing-as-a-Service (PhaaS) and Fraud Infrastructure
## Executive Summary
Global security actions led by Microsoft and the U.S. Department of Justice (DoJ) resulted in the seizure of phishing infrastructure (ONNX/Caffeine) operated by Abanoub Nady and the shutdown of the PopeyeTools marketplace. These coordinated efforts targeted significant facilitators of online fraud, notably impacting financial services through advanced phishing kits capable of bypassing 2FA, and disrupting the sale of stolen financial data and fraud tools.
## Incident Details
- **Discovery Date:** Ongoing tracking, with ONNX kit documented in June 2024 and PopeyeTools operating since 2016. Major coordinated action announced around November 2024.
- **Incident Date:** Activity spans from circa 2017 (ONNX) to the present; PopeyeTools operated since 2016.
- **Affected Organization:** Microsoft Customers, Financial Services Industry (heavily targeted by ONNX).
- **Sector:** Technology, Financial Services (Targeted).
- **Geography:** Facilitator (Nady) based in Egypt; PopeyeTools administrators from Pakistan and Afghanistan; scam compounds in Cambodia, Myanmar, Laos, the UAE, and the Philippines.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly defined, but Nady's operation dates back to 2017.
- **Vector:** Phishing-as-a-Service (PhaaS) kits (ONNX/Caffeine) sold via Telegram.
- **Details:** The ONNX kit served QR codes embedded in PDF files directing victims to fake Microsoft 365 login pages, capable of intercepting 2FA requests.
### Lateral Movement
- Not detailed in the source: the reporting covers pre-breach delivery and facilitation via external infrastructure, not pivoting inside victim networks.
### Data Exfiltration/Impact
- **ONNX:** Gained unauthorized access to Microsoft customer accounts, heavily targeting the financial services industry.
- **PopeyeTools:** Sold PII and access devices (stolen credit cards, bank info) of at least 227,000 individuals, generating $1.7 million in revenue for fraud.
- **Meta Action:** Disrupted over two million accounts tied to "pig butchering" scam centers, preventing further victimization.
### Detection & Response
- **How it was discovered:** Microsoft's Digital Crimes Unit (DCU) tracked the operator (Storm-0867). DarkAtlas exposed Nady's identity, prompting a temporary halt. FINRA issued alerts regarding the ONNX kit targeting financial firms.
- **Response actions taken:** Microsoft obtained a civil court order to seize 240 fraudulent websites associated with Nady. The DoJ seized the PopeyeTools marketplace domains and charged three administrators. Meta took down millions of scam accounts.
## Attack Methodology
- **Initial Access:** Delivery of phishing kits (ONNX) via QR codes embedded in PDFs; use of compromised/illegitimate accounts for scams (Meta action).
- **Persistence:** Not explicitly detailed for the infrastructure operator, but PhaaS models inherently offer persistent access tools to their buyers.
- **Privilege Escalation:** ONNX was documented to bypass 2FA by intercepting 2FA requests.
- **Defense Evasion:** The phishing kits were designed to bypass "additional security measures."
- **Credential Access:** Interception of M365 login credentials and 2FA tokens via phishing.
- **Discovery:** Not described for the attackers' own reconnaissance; the source instead documents law enforcement's intelligence tracking of the threat actors.
- **Lateral Movement:** Not mentioned for the kit operator; any lateral movement would fall to the buyers of the kits.
- **Collection:** Theft of PII, access devices, and bank information via PopeyeTools sales and phishing victims.
- **Exfiltration:** Not detailed, but implied through the resulting compromise of customer accounts.
- **Impact:** Financial fraud, account takeover, and identity theft enabled by sold tools and compromised accounts.
## Impact Assessment
- **Financial:** PopeyeTools generated at least $1.7 million. Financial services were heavily targeted by ONNX. $283,000 in cryptocurrency seized from a PopeyeTools administrator.
- **Data Breach:** PII and financial data (access devices, credit cards) from at least 227,000 individuals sold via PopeyeTools.
- **Operational:** Disruption of cybercrime supply chain components (PhaaS kits, fraud marketplaces). Operational disruption to scam compounds responsible for pig butchering schemes.
- **Reputational:** Damage to victims of successful phishing and financial scams.
## Indicators of Compromise
*Due to the nature of the report focusing on infrastructure takedown, specific IOCs for active threats are generally excluded or defanged.*
- **Network indicators (Defanged):** Seized domains associated with Abanoub Nady's operation (e.g., noticeofpleadings[.]com/fakeonnx/). Seized domains associated with PopeyeTools (e.g., PopeyeTools[.]com).
- **File indicators:** ONNX Phishing Kit templates, PDF files containing embedded QR codes.
- **Behavioral indicators:** Use of Telegram for sales/configuration; promotion of Phishing-as-a-Service; pig butchering social engineering tactics.
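Defanged indicators like the ones above are meant to be copied into a watchlist, not clicked. The following is an added example, not code from the report or from Microsoft or the DoJ: it refangs a small watchlist, reduces each entry to a hostname, and runs it over constructed proxy log lines, matching both exact hosts and subdomains while rejecting lookalike hosts that merely end in the same string. The `fake-m365-login[.]example` entry, the log format and every log line are constructed placeholders; only `PopeyeTools[.]com` comes from the report.

```python
import re
from urllib.parse import urlsplit

# --- indicator normalisation -------------------------------------------------

def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [.] / (.) / {.} -> ., [:] -> :, [@] -> @."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = s.replace("[:]", ":").replace("[@]", "@")
    return s

def indicator_host(indicator: str) -> str:
    """Reduce a URL or bare-domain indicator to its lowercase hostname ('' if none)."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s          # let urlsplit parse a bare domain or domain/path
    return (urlsplit(s).hostname or "").lower()

def build_watchlist(entries) -> set:
    return {h for h in (indicator_host(e) for e in entries) if h}

def matching_indicator(host: str, watchlist: set):
    """Return the watchlist entry that covers host (exact or parent domain), else None.
    The '.' boundary keeps 'notpopeyetools.com' from matching 'popeyetools.com'."""
    host = host.lower().rstrip(".")
    for w in watchlist:
        if host == w or host.endswith("." + w):
            return w
    return None

# --- constructed proxy log: "<ts> <user> <src_ip> <method> <url> <status>" ----

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def scan_proxy_log(lines, watchlist: set) -> list:
    """Return one hit dict per log line whose URL host is covered by the watchlist.
    Malformed lines are skipped rather than failing the whole scan."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        w = matching_indicator(host, watchlist)
        if w:
            hits.append({"ts": m["ts"], "user": m["user"], "url": m["url"], "indicator": w})
    return hits

# Watchlist: one entry from the report, one constructed placeholder.
SAMPLE_WATCHLIST = ["PopeyeTools[.]com", "hxxps://fake-m365-login[.]example/login"]

# Constructed log lines, not real traffic.
SAMPLE_LOG = [
    "2024-11-20T09:14:02Z alice 10.0.4.17 GET https://www.microsoft.com/ 200",
    "2024-11-20T09:15:44Z bob 10.0.4.23 GET https://cdn.popeyetools.com/shop 200",
    "2024-11-20T09:16:01Z carol 10.0.4.31 POST https://fake-m365-login.example/login 302",
    "2024-11-20T09:17:10Z dave 10.0.4.40 GET https://notpopeyetools.com/ 200",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_watchlist(SAMPLE_WATCHLIST)):
        print(f"{hit['ts']} {hit['user']} -> {hit['url']} (matches {hit['indicator']})")
```

Matching on hostname rather than on the raw URL string is deliberate: the report's URL-style indicator still fires on any path under that host, and the dot-boundary check in `matching_indicator` is what keeps the third constructed line (`notpopeyetools.com`) from producing a false positive.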
## Response Actions
- **Containment measures:** Microsoft obtained a civil court order to neutralize the malicious technical infrastructure (240 fraudulent websites). Judicial authorization obtained to seize crypto assets linked to PopeyeTools administrators.
- **Eradication steps:** Removal of phishing kit hosting infrastructure; deplatforming of the PopeyeTools marketplace.
- **Recovery actions:** Meta took down over two million associated scam accounts; ongoing efforts to protect impacted customers.
## Lessons Learned
- **Key takeaways:** Major cybercrime operations rely heavily on a supply chain (PhaaS models like ONNX and marketplaces like PopeyeTools) which, when targeted, offers significant disruption. Advanced phishing kits (ONNX) pose a severe threat by circumventing standard MFA protections (2FA via QR code interception).
- **What could have been done better:** The coordination between private industry (Microsoft, Meta) and law enforcement (DoJ) is critical for effective global dismantling of these operations.
## Recommendations
- **Prevention measures for similar incidents:** Enhance MFA capabilities to specifically counter session interception or QR code relay attacks, especially within high-value sectors like finance. Increase monitoring and disruption efforts targeting social media platforms (e.g., Telegram) used for selling illicit cyber toolkits. Vigorously pursue coordinated seizures of associated cryptocurrency assets used to fund these operations.
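The recommendation to counter session interception rests on one property: a second factor that carries no binding to the site the user is actually on can be relayed through a proxy page, while an origin-bound assertion cannot. The following is an added illustration, not code from the report or from Microsoft, Meta or the DoJ. It models the WebAuthn/FIDO2 check a relying party performs: the signed client data must name the relying party's own origin and its single-use challenge. One simplification is assumed: the authenticator's private key is represented by an HMAC secret held only by the authenticator and the relying party, where real WebAuthn uses a public-key signature. Both origins are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example-bank.test"            # legitimate site (constructed)
PHISH_ORIGIN = "https://login.example-bank-secure.test"  # lookalike proxy page (constructed)


class OriginBoundRelyingParty:
    """Verifies assertions the way a WebAuthn relying party does: the signed client
    data must carry this RP's origin and the single-use challenge it issued."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}  # user -> HMAC secret standing in for the credential's public key
        self.pending = {}      # user -> outstanding challenge

    def register(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[user] = key
        return key  # handed to the authenticator; a real RP would keep only a public key

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data_json: str, signature: bytes) -> bool:
        expected_challenge = self.pending.pop(user, None)  # single use: consumed even on failure
        client_data = json.loads(client_data_json)
        if client_data.get("origin") != self.origin:
            return False  # assertion was produced for some other site
        if client_data.get("challenge") != expected_challenge:
            return False  # stale, unknown or replayed challenge
        expected_sig = hmac.new(self.credentials[user], client_data_json.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected_sig, signature)


def authenticator_sign(key: bytes, challenge: str, browser_origin: str):
    """The browser, not the page script, records the origin it actually loaded, and
    the authenticator signs over the whole client data blob."""
    client_data_json = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    signature = hmac.new(key, client_data_json.encode(), hashlib.sha256).digest()
    return client_data_json, signature


def legitimate_login() -> bool:
    """User on the real origin: origin, challenge and signature all verify."""
    rp = OriginBoundRelyingParty(RP_ORIGIN)
    key = rp.register("alice")
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", *authenticator_sign(key, challenge, RP_ORIGIN))


def relayed_login() -> bool:
    """The proxy page fetches a genuine challenge and forwards it to the victim's
    browser, but that browser is on the lookalike origin, so the RP rejects it."""
    rp = OriginBoundRelyingParty(RP_ORIGIN)
    key = rp.register("alice")
    challenge = rp.begin_login("alice")  # obtained by the proxy from the real RP
    client_data_json, signature = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp.finish_login("alice", client_data_json, signature)  # False: origin mismatch


def relayed_login_with_rewritten_origin() -> bool:
    """Same relay, but the proxy edits the origin field before forwarding; the
    signature was computed over the original bytes and no longer verifies."""
    rp = OriginBoundRelyingParty(RP_ORIGIN)
    key = rp.register("alice")
    challenge = rp.begin_login("alice")
    client_data_json, signature = authenticator_sign(key, challenge, PHISH_ORIGIN)
    forged = client_data_json.replace(PHISH_ORIGIN, RP_ORIGIN)
    return rp.finish_login("alice", forged, signature)  # False: signature mismatch


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:", relayed_login())
    print("relayed, origin rewritten:", relayed_login_with_rewritten_origin())
```

The contrast with a typed one-time code or a push approval is that neither carries an origin at all, so whatever the victim supplies on the proxy page verifies unchanged on the real site; that is the gap the "session interception" wording in the recommendation refers to, and the origin check plus the signature over the client data is what closes it.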