KUALA LUMPUR, Nov 8 — The Royal Malaysia Police announced today it has crippled a transnational cybercrime syndicate that specialised in offering phishing as-a-service operations through joint efforts with law enforcement agencies from Australia and the United States.
Inspector-General of Police Tan Sri Razarudin Husain said vital information provided by the Australia Federal Police and the Federal Bureau of Investigation (FBI) had led to the arrests of eight people linked to the syndicate last November 6.
According to Razarudin, the syndicate — which has been active since 2015 and based in Sabah — provided large-scale phishing-as-a-service operation called BulletProftLink that sold phishing kits, spamming services and phishing templates to steal users’ credentials.
“From our investigations, not only the syndicate has compromised websites those of financial and education institutions; and official government sites in Australia, but they are also involved with the selling of stolen credentials (obtained from their phishing operations),” he told a press conference here.
By definition, phishing is an act of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Modern phishing attacks are typically facilitated by a large economy of email and false sign-in templates, code, and other assets.
In fact, US-based Microsoft had in 2021 unearthed and wrote about the aforementioned phishing service, with researchers noting the monthly service costs as much as US$800 (RM3,746), while other services cost about US$50 for a one-time hosting link.
Razarudin said preliminary investigations and profiling from the Commercial Crimes Investigation Department also discovered a money trail, and that the syndicate was also involved in two investment scams.
“A total of 37 reports were lodged in relation to the investment scams involving a total of RM1,223,701.80,” he added.
As for the suspects arrested, Razarudin said all were local men except a foreign woman of Thai nationality with arrests made in KL, Selangor, Sabah and Perak.
During the arrests, authorities also seized servers registered to the main suspect located in Technology Park Malaysia used for web hosting services.
Other items seized including a cryptocurrency wallet valued at RM965,808.80, CPUs, electronic devices, jewellery and vehicles.
Elaborating further, Razarudin said the main suspect from Sabah was given the responsibility of a software developer tasked with creating the phishing templates to be supplied for overseas use.
“He had no legitimate income,” Razarudin said when asked if the suspect held a full-time job.
Investigations also revealed the same suspect had full access to the phishing service website.
“We believe the credentials stolen through their phishing services are then sold on the dark web,” Razarudin said.
A total of 17 investigation papers (IP) have been opened under the Computer Crimes Act and Section 420 of the Penal Code for cheating.