The gang is likely operating out of Ukraine and the attacks it launches are designed to trick those with account access to divulge their company’s online banking credentials, one-time passwords and two-factor authentication codes. The goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control.

During the investigation of these targeted attacks, the X-Force observed that in many cases, the victims were small and midsized businesses (SMBs). Moreover, cybercriminals focus on business banking services, and this ongoing trend became increasingly evident in 2014 with the emergence of financial crime groups that operated Trojans such as Dyre, Dridex and Neverquest.

X-Force research noted that, in many of these cases, the attackers are either situated in or otherwise linked to Eastern Europe, hosting malware and phishing operations from countries in the region.