Law enforcement agencies in Europe and Latin America on Thursday announced the takedown of iServer, a phishing-as-a-service platform enabling the unlocking of stolen and lost phones.
Dismantled as part of an international law enforcement effort named Operation Kaerb, iServer is estimated to have targeted over 1.2 million mobile phones and to have made over 480,000 victims.
“Investigators reported 483 000 victims worldwide, who had attempted to regain access to their phones and been phished in the process. The victims are mainly Spanish-speaking nationals from European, North American, and South American countries,” Europol announced.
The law enforcement operation, which took place between 10 and 17 September, resulted in the arrest of 17 individuals in Argentina, Chile, Colombia, Ecuador, Peru, and Spain, including an Argentinian national believed to be the platform’s administrator.
According to the investigators, the iServer administrator had been building and running phishing services since 2018 and had been running the mobile phone unlocking platform for the past five years.
iServer had over 2,000 registered, paying users, who were “charged extra costs for phishing, SMS, emails or call performing,” Europol says.
According to threat intelligence firm Group-IB, which assisted in the investigation, iServer was an automated phishing platform that specifically focused on harvesting credentials that allowed low-skilled criminals to unlock phones.
The platform allowed users to steal credentials from cloud-based mobile services and other personal information from their victims, which could be used to bypass devices’ Lost Mode function.
iServer’s owner sold access to “unlockers”, individuals who provided phone unlocking services to criminals in the possession of phones that were illegally acquired, Group-IB explains.
The phishing attacks were designed to harvest data such as IMEI, language, owner details, and other information that granted access to physical mobile devices through Lost Mode or via cloud-based mobile platforms.
Victims were sent SMS messages containing phishing links that redirected to phishing pages where they were prompted to enter their credentials and additional information, including OTP codes.
After receiving the credentials and validating them, the criminals unlocked the phones, turned off Lost Mode, and unlinked them from their previous owners.
Related: Radar/Dispossessor Ransomware Operation Disrupted by Authorities
Related: Google Suing Cybercriminals Who Delivered Malware via Fake Bard Downloads
Related: Financial Fraud-Focused Cybercrime Marketplace ‘Styx’ Emerges
Related: Microsoft Creates Cybersecurity Council for the Public Sector in APAC
