Busted! Fraud-as-a-Service gang that sold 2FA-proof phishing arrested

The Dutch police announced that they arrested two Dutch citizens, aged 24 and 15, for developing and selling phishing panels. The police also searched the house of another suspect, an 18-year-old who was not arrested.

The people behind this illegal business called themselves the Fraud Family and were active on Telegram to sell their panels to interested parties. For cybercriminals who lacked the technical knowledge or means, the Fraud Family also offered to host the phishing sites and backend panels.


During their investigation, the police received help from the threat intelligence firm Group-IB, which specializes in investigating and preventing cybercrimes. Group-IB published a blog post that goes into detail about the activities of the Fraud Family and the different panels that were developed by them. If you are interested in more details about the phishing methods, their blog is well worth the read.

2FA bypass

The developers of these phishing kits made sure their customers, fellow cybercriminals, could bypass 2FA. The crooks who use this phishing infrastructure get access to a web panel that interacts, in real time, with the phishing site. When victims submit their banking credentials, the phishing site sends them to the web panel where the fraudster is waiting. The panel actually notifies the scammers that a new victim is online. The scammers lie in wait because they need to react fast enough to request the additional information that will help them to gain access to the bank accounts, two-factor authentication tokens, and personally identifiable information (PII). While the phishing site is waiting for further instructions from the attackers, the unsuspecting victim is looking at a “Please wait…” screen.

The lures

The phishers themselves were free to set up methods to get their victims to the phishing sites that were designed to look exactly like the real, legitimate websites. Well-known tactics include phishing emails and texts that ask for urgent, but usually small, payments so as not to raise suspicion. Another is to act as an interested buyer on an online platform and ask for a 1 cent payment to verify that the seller is not a scammer.

The amount the scammers ask for is not relevant for the end result, as the scammers can enter any number they like on the real banking site while they wait for the victim to provide them with the necessary details.

Delay takedowns

Any successful phishing site will eventually get reported and taken down, or blocked. But the time that such sites stay alive can be prolonged by taking certain precautions. The panels are the more important part of the service, and the Fraud Family offered a “plug and play” phishing service that kept the framework under control and prevented it from leaking to the public. By using anti-bot tools, developers can prevent crawlers, automated analysis tools, and services like VirusTotal and URLScan from accessing the phishing sites, as well as make it harder for researchers to find them.


There are a few methods for victims to avoid phishing scams that could lead to emptied bank accounts. These are a few pointers to keep in mind:

  • Be mindful when providing payment details even if you are only making a small payment. Behind the scenes someone could be altering the number.
  • Always go to your banking site directly. Do not use a link provided in a mail or text. Save a shortcut in your browser if you find typing too cumbersome or if you want to avoid typosquatting.
  • Double check the payment request with the party that sent it to you by using another method of communication.
  • If someone, even if you think it’s one of your loved ones, sends you a text to tell you they have a new phone number, call them on the number you have on record to verify.
  • Banks and other reputable organizations do not use URL shorteners when they send you a link.
  • Check the information of the website in the address bar. The green padlock is needed but not enough.
  • If you think you may be a victim of a phishing attack, quickly communicate with your bank, the organization being impersonated by the fraudsters, and the police. They can issue an alert which may help others and maybe limit the damage.
  • Use a password manager. A password manager will not fill out your details if the website’s domain does not fit what it has on record.

For banks:

Do better 2FA than sending verification codes that can be passed along from victims to scammers. Dutch research last year showed that the customers of some banks fall victim more often than others, and not because those banks are bigger. Instead, it is because they use less reliable 2FA methods. It’s a lot easier for a scammer to ask their victim for a 4-digit code than it is to show them a QR code. And this whole type of scam falls apart if the bank login procedure relies on a hardware key.
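The difference described above, as an added example that is not part of the original article: bank-side verification of a typed code next to verification of an origin-bound hardware-key response. The origins, the function names and the use of HMAC in place of a real key's public-key signature are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

BANK_ORIGIN = "https://bank.example"          # placeholder for the real banking origin
LOOKALIKE = "https://bank-example.invalid"    # constructed lookalike origin

def otp_login_ok(issued_code, submitted_code):
    # A one-time code carries no information about the page it was typed into,
    # so a code passed along from a lookalike page verifies like any other.
    return hmac.compare_digest(issued_code, submitted_code)

def key_sign(device_key, challenge, origin_seen_by_browser):
    # Toy hardware key: the browser, not the page, supplies the origin.
    # HMAC stands in for the public-key signature a real key would produce.
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser})
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def key_login_ok(device_key, challenge, assertion):
    expected = hmac.new(device_key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False                          # client data altered after signing
    data = json.loads(assertion["client_data"])
    # Bank checks both its own fresh challenge and the origin the browser saw.
    return data["challenge"] == challenge and data["origin"] == BANK_ORIGIN

def run_demo():
    key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    code = f"{secrets.randbelow(10_000):04d}"  # 4-digit code, as in the text
    genuine = key_sign(key, challenge, BANK_ORIGIN)
    via_lookalike = key_sign(key, challenge, LOOKALIKE)
    altered = dict(via_lookalike, client_data=via_lookalike["client_data"]
                   .replace(LOOKALIKE, BANK_ORIGIN))
    return {
        "passed-along code": otp_login_ok(code, code),
        "key used on bank site": key_login_ok(key, challenge, genuine),
        "key used on lookalike": key_login_ok(key, challenge, via_lookalike),
        "origin altered after signing": key_login_ok(key, challenge, altered),
        "stale challenge": key_login_ok(key, secrets.token_hex(16), genuine),
    }

if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:30} accepted={accepted}")
```

Only the first two cases are accepted: the code verifies no matter where it was typed, while the key's response is tied to the origin and challenge the bank expects.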

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.