A seizure notice placed on iServer’s domain. Image: Europol

17 arrested in takedown targeting phishing service with nearly 500,000 victims

Europol on Thursday said authorities disrupted an international phishing campaign that ensnared 483,000 victims, mainly from Spanish-speaking countries.

Law enforcement in Spain, Argentina, Chile, Colombia, Ecuador and Peru last week conducted 17 arrests and seized more than 900 items, including phones, electronic devices, cars and weapons. The administrator of the phishing platform, an Argentinian national who had operated it for the last five years, is in custody, Europol said.

The phishing-as-a-service platform known as iServer had more than 2,000 users, who provided phone unlocking services to other criminals in possession of stolen phones.

According to cybersecurity company Group-IB, which originally tipped off Europol to the operation in 2022, iServer was primarily used by Spanish-speaking criminals in North and South America, but also expanded into Europe and other areas because it helped low-skilled cybercriminals harvest credentials to unlock phones.

“The phishing attacks are specifically designed to gather data that grants access to physical mobile devices, enabling criminals to acquire users’ credentials and local device passwords to unlock devices or unlink them from their owners,” Group-IB said Thursday. “iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool.”

A screenshot of an iServer phishing page disguised as a popular cloud-based mobile service website. Image: Group-IB

Users of the service could create a phishing page and send an SMS with a malicious link to the victim. The SMS would often appear to come from Apple, offering details about how to find the device. The link, however, would redirect victims to a phishing page that would harvest credentials used to unlock their phones.

Europol said the criminal network was able to unlock more than 1.2 million phones, and local law enforcement was able to identify most of the victims with help from Europol’s European Cybercrime Centre (EC3) and Ameripol’s Specialised Cybercrime Centre.

Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.