Phishers take an approach to bypass security controls never seen in the country
# Incident Report: Novel Phishing Campaign Targeting the Netherlands
## Executive Summary
A sophisticated phishing campaign was detected targeting entities in the Netherlands, employing a unique combination of attack tools and evasion techniques never before observed in the country. The attackers leveraged bulletproof hosting and the U-Admin phishing panel to continuously manage and filter access to their fraudulent sites, specifically excluding security researchers. The incident highlights the rapid evolution of threat actor tradecraft in the region.
## Incident Details
- **Discovery Date:** Not explicitly stated; the activity was identified by Group-IB researchers during their research and reporting period.
- **Incident Date:** Ongoing/Recent activity observed at the time of reporting.
- **Affected Organization:** Not named; the broad nature of the campaign implies multiple targets.
- **Sector:** Not detailed; the campaign appears to be widespread rather than sector-specific.
- **Geography:** Netherlands.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated.
- **Vector:** Phishing emails/messages leading to fraudulent websites.
- **Details:** Attackers utilized phishing kits, specifically various versions of the **U-Admin phishing panel**, hosted on **bulletproof hosting services**.
### Lateral Movement
- Not detailed in the provided context, as the primary focus was on initial access and evasion/collection via the phishing infrastructure.
### Data Exfiltration/Impact
- **Details:** Stolen user data was collected and managed in real time via the U-Admin panel. The source does not specify the data type, but credentials are implied by the nature of phishing.
### Detection & Response
- **How it was discovered:** Group-IB researchers bypassed the attackers' visitor filtering by routing their requests through a proxy on a mobile network, which revealed the underlying phishing site that datacenter and research-range traffic never reached.
- **Response actions taken:** Group-IB researchers documented the TTPs and shared their findings, recommending that phishing attempts be reported to CERT-GIB and the relevant authorities (in line with the report's advice to users).
## Attack Methodology
The methodology focuses heavily on sophisticated infrastructure and evasion:
- **Initial Access:** Phishing campaigns distributing malicious links.
- **Persistence:** Not explicitly detailed beyond the use of resilient bulletproof hosting.
- **Privilege Escalation:** Not applicable/not detailed.
- **Defense Evasion:** The key technique was using filtering mechanisms implemented via the U-Admin panel to **exclude unwanted visitors**, specifically cybersecurity researchers and CERT teams, from accessing the actual phishing sites.
- **Credential Access:** Via interaction with the U-Admin-managed phishing sites.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Real-time collection and management of stolen user data via the U-Admin panel interface.
- **Exfiltration:** Implied transfer of collected data from the phishing panel infrastructure.
- **Impact:** Gaining unauthorized access to user credentials/information.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Theft of user data/credentials (details on volume unknown).
- **Operational:** Potential disruption to targeted organizations dependent on the compromised credentials.
- **Reputational:** Potential harm to the reputation of impersonated organizations.
## Indicators of Compromise
As the source focuses on TTPs rather than specific IOCs, the technical components used are listed instead:
- **Network indicators:** Infrastructure hosted on bulletproof hosting services; the source gives no specific hosts or addresses.
- **File indicators:** Use of U-Admin phishing panel variants.
- **Behavioral indicators:** Automated filtering or blocking of traffic from known security-research IP addresses and ranges, so that security personnel never reach the live phishing page.
## Response Actions
*Note: Actions listed are recommendations based on the observed attack type rather than confirmed organizational response.*
- **Containment:** Immediate user warnings regarding the phishing activity and TTPs.
- **Eradication:** Potential takedown efforts (hindered by bulletproof hosting).
- **Recovery:** User education on verifying URLs and using official mobile applications for sensitive transactions.
## Lessons Learned
- Threat actors in this region are rapidly adopting advanced infrastructure (bulletproof hosting) combined with sophisticated real-time filtering tools (U-Admin panel) to actively defend against security researchers and response teams.
- Traditional detection methods relying on standard network egress points may fail if attackers successfully block known security researcher traffic.
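The discovery method in Detection & Response and the second lesson above both come down to one check: fetch the suspect URL from more than one network vantage point and see whether the responses agree. The following Python is an added example of that comparison, not code from Group-IB or the report; the three responses are constructed, the vantage labels are hypothetical, and the `Fetch` records stand in for what a real fetcher would return when routed through a datacenter egress, a known research range, and a mobile-network proxy.

```python
"""Detect visitor filtering ("cloaking") on a suspected phishing URL by
comparing what different network vantage points receive.

Added example, not code from Group-IB or the report. The sample responses
below are constructed; in practice each Fetch would come from an HTTP client
routed through a different egress (e.g. a mobile-network proxy).
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Fetch:
    vantage: str      # hypothetical label of the egress point
    status: int       # final HTTP status after redirects
    final_url: str    # URL the client ended up on
    body: str         # response body


# A credential-harvesting page almost always carries a password field.
PASSWORD_FORM = re.compile(r'<input[^>]+type=["\']?password', re.I)


def fingerprint(f: Fetch) -> dict:
    """Reduce a response to the few features worth comparing across vantages."""
    return {
        "status": f.status,
        "final_host": (urlparse(f.final_url).hostname or "").lower(),
        "credential_form": bool(PASSWORD_FORM.search(f.body)),
        # Reported for the analyst but NOT used as a trigger: bodies legitimately
        # differ across fetches (CSRF tokens, timestamps, A/B content).
        "body_sha256": hashlib.sha256(f.body.encode()).hexdigest()[:16],
    }


def compare_vantages(fetches: list[Fetch]) -> dict:
    """Cloaking is suspected when vantage points disagree on status, final host,
    or whether a credential-harvesting form is served at all."""
    prints = {f.vantage: fingerprint(f) for f in fetches}
    reasons = []
    for key in ("status", "final_host", "credential_form"):
        values = {p[key] for p in prints.values()}
        if len(values) > 1:
            reasons.append(f"{key} differs across vantage points: {sorted(map(str, values))}")
    harvesting = [v for v, p in prints.items() if p["credential_form"]]
    return {
        "cloaking_suspected": bool(reasons),
        "reasons": reasons,
        "serves_credential_form_to": harvesting,
        "fingerprints": prints,
    }


# Constructed sample: filtered visitors are bounced to a benign site or refused,
# while the mobile-network vantage is served the real login form.
PHISH = "http://account-verify.example/login"
SAMPLE_FETCHES = [
    Fetch("datacenter", 200, "https://example.com/",
          "<html><body>Welcome to Example</body></html>"),
    Fetch("research-range", 403, "http://account-verify.example/",
          "<html><body>Forbidden</body></html>"),
    Fetch("mobile", 200, PHISH,
          '<html><form><input name="user"><input type="password" name="pw">'
          "</form></html>"),
]

# Control: a site that serves the same thing to everyone.
CONSISTENT_FETCHES = [
    Fetch("datacenter", 200, "https://example.com/", "<html>same</html>"),
    Fetch("mobile", 200, "https://example.com/", "<html>same</html>"),
]


def analyze_sample() -> dict:
    return compare_vantages(SAMPLE_FETCHES)


def analyze_consistent() -> dict:
    return compare_vantages(CONSISTENT_FETCHES)


if __name__ == "__main__":
    verdict = analyze_sample()
    print("cloaking suspected:", verdict["cloaking_suspected"])
    for r in verdict["reasons"]:
        print(" -", r)
    print("credential form served to:", verdict["serves_credential_form_to"])
```

The trigger is deliberately limited to status, final host and presence of a credential form: a body hash alone would flag nearly every dynamic site. A disagreement on any of the three is what a monitoring pipeline should surface for review, since it is exactly the pattern a panel like U-Admin produces when it excludes research ranges.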
## Recommendations
1. **User Awareness:** Users must be vigilant, avoiding suspicious links (especially those using URL shorteners like `bit.ly`, `s.id`, `tny.sh`).
2. **Verification:** Always double-check the URL legitimacy before submitting any information.
3. **Security Tooling:** Organizations should review their security monitoring for traffic patterns indicative of visitor filtering designed to divert security personnel away from the live phishing page.
4. **Reporting:** Promptly report identified phishing attempts to the relevant CERTs and national reporting points (e.g., CERT-GIB, fraudehelpdesk.nl).
5. **Authentication:** Use official mobile applications for high-stakes activities like banking, where possible.
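Recommendations 1 and 2 (avoid shortened links, verify the URL before submitting anything) can be turned into a simple link triage for incoming mail. The Python below is an added example, not from the report or from Group-IB: it extracts the links from a constructed HTML e-mail and flags the shortener domains the report names (`bit.ly`, `s.id`, `tny.sh`; `tinyurl.com` and `t.co` are added as an assumption), raw-IP hosts, plain HTTP, link text that shows one domain while pointing at another, and any host outside the brand the message claims to come from. The `example-bank.nl` brand and the `198.51.100.23` address are constructed sample values.

```python
"""Triage links in a suspected phishing e-mail before anyone clicks them.

Added example, not code from the report. The e-mail body and brand domain are
constructed; the shortener list combines the domains the report names with two
common ones added as an assumption.
"""
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# bit.ly, s.id and tny.sh are named in the report; the rest is an assumption.
SHORTENERS = {"bit.ly", "s.id", "tny.sh", "tinyurl.com", "t.co"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text: str) -> bool:
    # Link text such as "example-bank.nl/login" that a reader would take for the destination.
    return "." in text and " " not in text


def triage_links(html: str, expected_domain: str) -> list[dict]:
    """Return one finding per link that deserves a second look.

    expected_domain is the brand the message claims to come from; anything
    else is reported as off-brand so the reader verifies it."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        flags = []
        if host in SHORTENERS:
            flags.append("url-shortener")
        if is_ip(host):
            flags.append("raw-ip-host")
        if urlparse(href).scheme == "http":
            flags.append("plain-http")
        if looks_like_url(text):
            shown = host_of(text if "://" in text else "https://" + text)
            if shown and shown != host:
                flags.append(f"text-shows-{shown}-but-links-to-{host}")
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            flags.append("off-brand-domain")
        if flags:
            findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


# Constructed sample message: one shortened link, one raw-IP link whose visible
# text mimics the bank's domain, and one legitimate link to the brand itself.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs verification.</p>
<a href="https://bit.ly/3xAmPlE">Verify now</a>
<a href="http://198.51.100.23/login">example-bank.nl/login</a>
<a href="https://example-bank.nl/help">Help centre</a>
</body></html>"""


def triage_sample() -> list[dict]:
    return triage_links(SAMPLE_EMAIL, "example-bank.nl")


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding["href"], "->", ", ".join(finding["flags"]))
```

The legitimate help-centre link produces no finding, which is the point: the triage should raise only the links a user is told to distrust, so that the advice to use official channels is actionable rather than a blanket warning.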