Operation Kaerb, Masterminds Behind iServer PhaaS Platform Arrested


Operation Kaerb resulted in the arrest of 17 cybercriminals in Argentina, Chile, Colombia, Ecuador, Peru, and Spain. This international operation was coordinated by Europol, Group-IB, and Ameripol.

These individuals were key players behind the notorious iServer phishing-as-a-service platform, which targeted mobile users globally.


Screenshot of iServer’s website before its seizure (source: Group-IB)

iServer’s Domain Seized

The iServer platform has been operational for over five years and has primarily served Spanish-speaking criminals in North and South America.

However, its reach extended into Europe and other regions. Unlike typical phishing platforms, Europol said, iServer specializes in harvesting credentials to unlock stolen phones.

It featured a web interface that allowed low-skilled criminals, known as “unlockers,” to steal device passwords and user credentials from cloud-based mobile platforms.

This capability enabled them to bypass “Lost Mode” and unlock phones obtained through illegal means.


Crimeware-as-a-Service Model

Group-IB’s investigation revealed the sophisticated structure of the criminal syndicates using iServer.

The platform’s owner sold access to “unlockers,” who then provided phone unlocking services to other criminals with locked stolen devices.

The phishing attacks were meticulously designed to gather data granting physical mobile device access.

iServer automated the creation and delivery of phishing pages that mimicked popular cloud-based mobile platforms, making it an effective tool for cybercriminals.

Unlockers obtained crucial information for unlocking phones, such as IMEI numbers, language settings, owner details, and contact information.

They often accessed this data through lost mode or cloud-based platforms. Unlockers set up phishing attacks using phishing domains provided by iServer or ones they created themselves.

After selecting an attack scenario, iServer generated a phishing page and sent the victim an SMS with a malicious link.

Phishing Tactics Unveiled

A critical component of iServer’s operation was using a “redirector” link. This link filtered and verified visitors before leading them to the final phishing page; access was denied if visitors did not comply with specific rules.

Once victims enter their credentials on these pages—disguised as legitimate cloud-based mobile service websites—the platform verifies them and might request additional information like OTP codes.

The arrests mark a significant victory for law enforcement agencies worldwide in curbing cybercrime.

The Argentinian national administering the iServer platform was apprehended during the operation conducted between September 10 and 17, 2024.

Law enforcement officials report that the platform targeted over 1.2 million mobile phones and claimed approximately 483,000 victims globally. 

The dismantling of the iServer network underscores the importance of international cooperation in tackling cybercrime.

It also highlights the evolving nature of crimeware-as-a-service models that empower even low-skilled criminals to engage in sophisticated cyberattacks.

As authorities continue to investigate and dismantle similar networks, this operation reminds us of the persistent threat posed by cybercriminals and the need for robust cybersecurity measures.
