ONNX Store: The Rise and Fall of a Phishing-as-a-Service Platform Targeting Financial Institutions

Подробнее о видео

In February 2024, EclecticIQ analysts identified a rebranded Phishing-as-a-Service (PhaaS) platform called ONNX Store, which originated from the Caffeine Phishing Kit first detected by Mandiant in 2022. ONNX Store’s malicious users primarily targeted financial institutions using QR code-based phishing techniques, 2FA bypass methods and operated through Telegram bots to streamline its services for cybercriminals. The platform's operations were disrupted in June 2024 following the attribution of its creator, MRxC0DER.

This presentation will detail the development and operations of ONNX Store, the role of cyber threat intelligence (CTI) in its disruption, and the impact of attribution on financially motivated cybercriminal activities.

Key Takeaways:

1. PhaaS Model Overview: An explanation of the Phishing-as-a-Service model and its relevance to the financial sector, using ONNX Store as a case study.
2. Technical Details: Analysis of the phishing methods employed by ONNX Store, including QR code phishing and 2FA bypass, and their implications for cybersecurity defenses.
3. CTI and Attribution: Discussion on how cyber threat intelligence contributed to the identification and disruption of ONNX Store, and the significance of attribution in countering cybercrime.
4. Practical Recommendations: Guidelines for financial institutions on monitoring and defending against similar PhaaS threats, focusing on technical defenses and proactive threat identification.

What Attendees Can Expect to Learn:

• Understanding of the Phishing-as-a-Service (PhaaS) Model: The abstract outlines that attendees will learn about the PhaaS model, specifically how ONNX Store operated and targeted financial institutions using phishing techniques.
• Insight into ONNX Store’s Operations: The presentation will cover the technical aspects of ONNX Store, including its phishing methods like QR code-based phishing and 2FA bypass techniques. This provides attendees with an in-depth understanding of the tools and methodologies used by the financially motivated threat actors.
• Role of Cyber Threat Intelligence (CTI) and Attribution: Attendees will learn how CTI was used to attribute and disrupt the operations of ONNX Store, showcasing the practical application of threat intelligence in real-world scenarios.
Highlighted Actionable Takeaways:
• Monitoring and Defense Strategies: The abstract provides actionable guidance for financial institutions on how to monitor and defend against similar PhaaS platforms, focusing on technical defenses and proactive threat hunting.
• Importance of Attribution: It highlights the significance of attribution in deterring and disrupting cybercriminal activities, which is a key lesson for cybersecurity professionals.

View upcoming Summits:

SANS Cyber Threat Intelligence Summit 2025
ONNX Store: The Rise and Fall of a Phishing-as-a-Service Platform Targeting Financial Institutions
Arda Büyükkaya, Senior Cyber Threat Intelligence Analyst, EclecticIQ