When your smartphone, regardless of age or value, gets stolen, you’d like to think that it would at least be safe from snooping eyes while you remotely wipe all the data and report the theft to the police. That wasn’t the case for at least 483,000 victims whose phones were unlocked thanks to the iServer phishing-as-a-service platform. Law enforcement investigators uncovered a criminal operation that had targeted more than a million people with messages claiming that their stolen device had been found. In reality, the messages enabled the hackers to harvest the credentials required to unlock the phone.
Europol And Group-IB Collaborate In Operation Kaerb To Take Down The iServer Network
According to a Europol press release, Operation Kaerb took place from Sept. 10 through 17 and resulted in a total of 17 arrests. With 921 “items” seized, most of which were smartphones, the action was deemed a huge success. Long before the busts, however, there was an equally huge amount of work involved from Europol, the Latin American Specialised Cybercrime Centre of Ameripol and security specialists from Group-IB. The investigation began in 2022 after Group-IB intelligence gave law enforcement agencies the information needed to identify victims and track down the operators of the criminal iServer network.
The administrator of the iServer phishing platform was traced and arrested, turning out to be an Argentinian national. A total of 16 other cybercriminals spread across Argentina, Chile, Colombia, Ecuador, Peru, and Spain were also arrested.
Group-IB Details How It Uncovered The iServer Network Criminal Operation
In a new report, Group-IB has detailed how it was able to identify the structure and roles of criminal syndicates operating with the platform. It found that the owners and developers of iServer would sell access to customers known as unlockers. These are, funnily enough, hackers who sell their services to criminals who have stolen, locked smartphones that need unlocking.
The iServer network used phishing attacks that had been “specifically designed to gather data that grants access to physical mobile devices, enabling criminals to acquire users’ credentials and local device passwords to unlock devices or unlink them from their owners,” Group-IB researchers said. The unique selling point of iServer was the automation of both the creation and delivery of these phishing pages, which cloned cloud-based smartphone platforms.
Nearly 500,000 smartphones were successfully unlocked using iServer, which just shows how effective the network was in gathering unlocking information such as IMEI number, language, owner details, and contact details.
“Ultimately,” Group-IB concluded, “criminals receive the stolen and validated credentials through the iServer web interface, enabling them to unlock a phone, turn off ‘Lost mode’ and untie it from the owner’s account.”