International Phishing Net Targets Australian Government's Web

Published: 28 November 2023

Australia Malaysia PhishingThe phishing kits were promoted through a 'bulletproof' hosting service, which made it immune to restrictions and facilitated the illegal activity. (Photo: Australian Federal Police, License)

By Lieth Carrillo

Eight members of an international phishing ring, involved in trading kits designed to fake government websites in Malaysia, Australia, and the United States, were arrested in Malaysia, the Australian Federal Police (AFP) stated on Monday.

Malaysian Royal Police (MRP) also arrested seven other people, suspected of acting as mules for the main suspect, whom the Australian authorities identified as a 35-year-old Malaysian national. He was discovered while advertising one of the phishing kits, promoting fake templates and scripts of the Australian Government's myGov website.

The kits, priced at AUS$80 (US$53) a piece, allowed cybercriminals to conduct phishing attacks and obtain victims' credentials, according to authorities.

In a separate investigation, the U.S. Federal Bureau of Investigations (FBI) linked the “bulletproof” hosting service to an alleged organized criminal syndicate, according to AFP.

The man used the services of a technology park based in Malaysia to physically host several computer servers plus hardware responsible for the "bulletproof" hosting service he employed to advertise the phishing kits. This type of server allows hosting any content without many restrictions, so they are commonly used for illicit activities and for websites with explicit content.

During a raid at the suspect’s Borneo home on Nov. 6, the authorities discovered usernames, passwords, and cryptocurrency wallet passphrases. Other raids were simultaneously carried out in the technology park, where four servers, power cables, monitors, and a modem were seized.

The AFP warns that “cybercriminals will use any tools and tricks to exploit people for their own profit – in this case, it is mimicking trusted government websites.”

In 2022 alone, Australians lost more than AUS$24.6 million (US$16.28 million) to phishing attacks, according to Australian Federal Police Acting Detective Superintendent Darryl Parrish.