Microsoft’s Digital Crimes Unit (DCU) has scored a major win against the cyber criminal underworld after leading an operation to seize 240 fraudulent websites used by an Egyptian national – named today as Abanoub Nady – who sold do-it-yourself phishing kits under the brand name ONNX to less adept crooks.
Nady, who used the handle MRxC0DER, both developed and sold the phishing-as-a-service kits, which were used in multiple campaigns against Microsoft customers in various sectors, although it is understood that the financial services industry was the most heavily targeted.
The DCU believes that emails originating from the ONNX “family of products” made up a significant portion of the tens to hundreds of millions of phishes caught in Microsoft’s nets every month – it was likely among the top five such ops globally.
Redmond said that in targeting ONNX, it was disrupting the illicit cyber criminal supply chain and protecting customers from downstream threats such as fraud, data theft and ransomware.
“This action builds on the DCU’s strategy of disrupting the broader cyber criminal ecosystem and targeting the tools cyber criminals use to launch their attacks,” Microsoft DCU assistant general counsel Stephen Masada explained.
“Our goal in all cases is to protect customers by severing bad actors from the infrastructure required to operate and to deter future cyber criminal behaviour by significantly raising the barriers of entry and the cost of doing business.
“We are joined by co-plaintiff LF (Linux Foundation) Projects, LLC, the trademark owner of the actual registered ONNX name and logo,” he said. “ONNX, or Open Neural Network Exchange, is an open standard format and open source runtime for representing machine learning models, enabling interoperability between different hardware, frameworks and tools for easier deployment and scalability. Together, we are taking affirmative action to protect online users globally, rather than standing idly by while malicious actors illegally use our names and logos to enhance the perceived legitimacy of their attacks.”
Masada said that the DCU had unilaterally opted to name Nady to serve as a further deterrent to others.
A spokesperson for the Linux Foundation said: “At the Linux Foundation, we advocate collaboration as a powerful tool for tackling complex challenges. Today, we celebrate our recent collaboration with Microsoft to defend millions of individuals and organisations from a global phishing-as-a-service criminal operation. We encourage organisations who find themselves in a position to fight one element of a cyber crime problem to identify ways to collaborate and build a stronger collective response.”
Microsoft on the case
Recent months have seen a significant upswing in sophisticated adversary-in-the-middle (AitM) phishing attacks such as those orchestrated through ONNX in recent months, notably a spike in so-called quishing – phishing using malicious QR codes.
However, Microsoft’s action against ONNX is in fact the result of a lengthy investigation dating back to 2017. Over the years, said Microsoft, it has tracked various Nady “enterprises” including other phishing operations known as Caffeine and FUHRER.
All of his kits were designed to send emails at scale in coordinated campaigns, and ONNX was sold on a subscription-based model with various tiers of access and support, even a VIP tier for the most discerning criminals, who benefited from round-the-clock tech support offering step-by-step guidance.
ONNX was mostly promoted, sold and configured via the Telegram messaging platform, alongside demonstration videos. Once bought, customers were able to orchestrate attacks using the provided templates and the fraudulent ONNX technical infrastructure, where they were allowed to connect malicious domains obtained from elsewhere.
Under a civil court order, unsealed today in the Eastern District of Virginia, Microsoft has now taken over this technical infrastructure, putting it beyond use for future attacks.
More to come
Unfortunately, observed Masada, while the DCU’s action will substantially disrupt ONNX, it’s a certainty that other threat actors will fill the void, with adapted techniques.
“However, taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services, and our customers and are continuously improving our technical and legal strategies to have greater impact,” he said.
“Furthermore, as cyber criminals continue to evolve their methods, it is crucial for organisations and individuals to stay informed and vigilant. By understanding the tactics employed by cyber criminals and implementing robust security measures, we can collectively work towards a safer digital environment. Continued collaboration, like the partnership with LF Projects, remains essential if we want to meaningfully dent the cyber threat landscape.”