Microsoft Takes Down Phishing-as-a-Service Domains

A total of 240 websites were seized.

Websites associated with an Egypt-based cybercrime facilitator have been seized.

According to Microsoft, its Digital Crimes Unit (DCU) seized 240 fraudulent websites that were used to sell services to enable widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts.

ONNX

The services are promoted by Abanoub Nady - known online as MRxC0DER - who developed and sold “do it yourself” phish kits using the brand name “ONNX”.

The DCU said it has tracked activity tied to Nady’s operation as far back as 2017, and that the phish kits are designed to send emails at scale, specifically for coordinated phishing campaigns.

The operation includes a subscription model, offering Basic, Professional, and Enterprise subscriptions, each for a different tier of access and support. Enterprise users can also purchase the add-on feature of ‘Unlimited VIP Support’, offering ongoing technical support that provides step-by-step instructions on how to successfully use the phishing kits to commit cybercrime.

The phish kits are promoted, sold and configured almost exclusively through Telegram, and paired with ‘how to’ videos on social media platforms that provide guidance on the purchase and implementation of these phishing kits.

Civil Court Order

Through a civil court order unsealed today in the Eastern District of Virginia, this action redirects the malicious technical infrastructure to Microsoft, severing access of threat actors, including the fraudulent ONNX operation and its cybercrime customers, and permanently stopping the use of these domains in phishing attacks in the future.

Steven Masada, assistant general counsel at the DCU, said that by targeting this prominent service, DCU is disrupting the illicit cybercriminal supply chain, thereby protecting customers from a variety of downstream threats, including financial fraud, data theft, and ransomware.   

“As we’ve said before, no disruption is complete in one action,” Masada said. “Effectively combatting cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will substantially hamper the fraudulent ONNX’s operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response.

“However, taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services and our customers and are continuously improving our technical and legal strategies to have greater impact.”

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
