A cybercrime group known as Blind Eagle is using a Russian web hosting service that ignores law enforcement to launch phishing attacks against Colombian banks. The criminals steal login credentials and install malware, which could also affect healthcare organizations that process payments through these financial institutions.
Security researchers have connected Blind Eagle to Proton66, a Russian company that provides "bulletproof" web hosting. This type of hosting is popular with criminals because the providers refuse to shut down malicious websites even when authorities request it.
Since August 2024, Blind Eagle has been creating fake banking websites that look identical to legitimate Colombian banks, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. When victims enter their login information on these fake sites, the criminals steal their credentials and can access their real bank accounts.
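Lookalike sites of the kind described above can be spotted from the defender's side by watching outbound web requests for hostnames that carry a bank's brand but sit outside the bank's real domain. The following Python checker is an added example, not code from the article or from the researchers it cites. The allowlisted domains use the reserved `.example` TLD as placeholders (a real deployment would substitute each bank's published domains), the proxy log lines are constructed, and the homoglyph table and edit-distance threshold are assumptions chosen for illustration.

```python
"""Flag URLs whose hostname impersonates one of the banks named in the article.

Constructed example: the allowlist, homoglyph table and log lines below are
placeholders for illustration, not the banks' real domains or campaign indicators.
"""
from urllib.parse import urlparse

# Brand tokens a convincing fake login page will almost always carry in its hostname.
BRANDS = {
    "bancolombia": "Bancolombia",
    "bbva": "BBVA",
    "cajasocial": "Banco Caja Social",
    "davivienda": "Davivienda",
}

# ASSUMED allowlist of registrable domains the defender trusts. ".example" is a
# reserved placeholder TLD; substitute each bank's published domains in practice.
ALLOWLIST = {"bancolombia.example", "bbva.example", "cajasocial.example", "davivienda.example"}

# Digit/symbol substitutions commonly used to dress a lookalike up as the real name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels); adequate for the placeholder domains used here."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text):
    """Undo homoglyph swaps and separators so 'banc0-lombia' compares as 'bancolombia'."""
    return text.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(url, allowlist=ALLOWLIST):
    """Return the brand a URL's hostname imitates, or None if it is trusted or unrelated."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    if registrable_domain(host) in allowlist:
        return None
    # Brand token anywhere in the flattened hostname (catches 'caja.social.evil.test').
    flat = normalize(host.replace(".", ""))
    for token, brand in BRANDS.items():
        if token in flat:
            return brand
    # One-character typosquats of a brand token in any single label.
    for label in host.split("."):
        label = normalize(label)
        if len(label) < 4:
            continue
        for token, brand in BRANDS.items():
            if edit_distance(label, token) <= 1:
                return brand
    return None


# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2024-09-03T10:14:02Z 10.0.5.21 GET https://bancolombia.example/login 200
2024-09-03T10:15:47Z 10.0.5.21 GET https://banc0lombia-seguro.example/ingreso 200
2024-09-03T10:22:10Z 10.0.7.9 GET https://dav1vienda.example/ 200
2024-09-03T10:30:55Z 10.0.7.9 GET https://example.org/news 200
"""


def scan_proxy_log(text):
    """Return (client_ip, url, brand) for each request to a suspected lookalike."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        brand = impersonated_brand(parts[3])
        if brand:
            hits.append((parts[1], parts[3], brand))
    return hits


if __name__ == "__main__":
    for ip, url, brand in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ip} visited {url}: looks like {brand}")
```

The allowlist check runs first so that the bank's own domain is never flagged; everything else with a brand token in the hostname, or a label one edit away from one, is reported. Because bulletproof hosting keeps such sites alive for a long time, a hit here is worth feeding into DNS or proxy blocking rather than treated as a one-off.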
The attacks work by sending phishing emails with attached files that appear harmless but contain hidden malicious code. When someone opens these files, they secretly download software that gives criminals remote control of the victim's computer. This software, known as a Remote Access Trojan or RAT, allows attackers to steal files, capture passwords, and monitor everything the victim does.
What makes this campaign unusual is how careless the criminals have been with their own security. Researchers found that Blind Eagle left many of their attack tools visible on public web directories. In one discovery, they found a control panel showing 264 infected computers, mostly in Argentina, that the criminals were actively monitoring.
The group uses older attack methods that many might consider outdated, such as Visual Basic Script (VBS) files. However, these remain effective because they run on every Windows computer and often slip past security software that focuses on newer threats.
Healthcare organizations that process payments or work with Latin American banks face real risks from this campaign. Many healthcare providers use integrated payment systems for insurance claims, patient billing, and paying suppliers. If criminals compromise a bank that a hospital or clinic uses, they could potentially access payment systems and steal patient financial information.
The use of bulletproof hosting makes these attacks particularly dangerous because the fake websites can't be easily shut down. Traditional takedown requests that work with legitimate hosting companies are simply ignored by bulletproof providers, allowing phishing sites to operate for months or even years.
Bulletproof hosting is a type of web hosting service that refuses to take down websites even when they're used for illegal activities. These companies operate in countries with weak cybercrime laws and ignore complaints from law enforcement, making them perfect for hosting phishing sites and malware.
A RAT is malicious software that gives criminals remote control over an infected computer. Once installed, it allows attackers to steal files, capture passwords, take screenshots, and monitor everything a user does.
Older attack methods like Visual Basic Scripts still work because they're built into Windows, and many security tools don't flag them as suspicious. Criminals know that organizations often focus on protecting against the newest threats while overlooking older but still effective techniques.
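One practical counter to the point above is to alert on how a script gets launched rather than on what it contains: a Windows Script Host process (wscript.exe or cscript.exe) started by a mail client, from a temp or download folder, is the shape of the chain the article describes. The Python triage script below is an added example, not from the article. Its events are constructed stand-ins whose fields mirror what a process-creation source such as Sysmon Event ID 1 records; the hostnames, user names and paths are placeholders, and the "document-looking double extension" heuristic (for example `.pdf.vbs`) is an assumption added here as one common way an attachment is made to look harmless, not a detail the article gives.

```python
"""Score process-creation events for the VBS-attachment chain described above.

Constructed example: the events are hand-written stand-ins for the fields a
process-creation telemetry source such as Sysmon Event ID 1 records; the hosts,
user names and paths are placeholders, not indicators from the campaign.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # mail client spawning a script host is rare
# Quoted or unquoted path ending in a Windows script extension.
SCRIPT_PATH = re.compile(r'"([^"]+?\.(?:vbs|vbe|wsf))"|(\S+?\.(?:vbs|vbe|wsf))\b', re.I)
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp|temp)\\", re.I)
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(vbs|vbe|wsf)$", re.I)


def script_path(command_line):
    """Return the .vbs/.vbe/.wsf path in a command line, or None if there is none."""
    m = SCRIPT_PATH.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def score_event(ev):
    """Return (score, reasons); score 0 means the event is not a script-host launch."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    path = script_path(ev["command_line"])
    if image not in SCRIPT_HOSTS or path is None:
        return 0, []
    score, reasons = 1, [f"{image} launched a script file"]
    if parent in MAIL_CLIENTS:
        score += 2
        reasons.append(f"parent is mail client {parent}")
    if USER_WRITABLE.search(path):
        score += 1
        reasons.append("script lives in a temp or download folder")
    if DOUBLE_EXTENSION.search(path.rsplit("\\", 1)[-1]):
        score += 2
        reasons.append("document-looking double extension")
    return score, reasons


def severity(score):
    """Map a score to an alert level; None means nothing to raise."""
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low" if score else None


def triage(events):
    """Return (severity, host, image, reasons) for every event worth a look."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            out.append((severity(score), ev["host"], ev["image"].rsplit("\\", 1)[-1], reasons))
    return out


# Constructed events (placeholder host/user/paths), one per situation of interest.
SAMPLE_EVENTS = [
    {   # the article's chain: mail client -> attachment -> script host, from Temp
        "host": "WS-ANA01",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Factura_2024.pdf.vbs"',
    },
    {   # user double-clicked a downloaded script: suspicious, less certain
        "host": "WS-ANA01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cscript.exe",
        "command_line": r"cscript.exe C:\Users\ana\Downloads\comprobante.vbs",
    },
    {   # administrative script shipped with Windows, run from a shell: low
        "host": "SRV-LIC01",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\cscript.exe",
        "command_line": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
    },
    {   # unrelated process: ignored
        "host": "WS-ANA01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r"notepad.exe C:\Users\ana\Downloads\notas.txt",
    },
]


if __name__ == "__main__":
    for level, host, image, reasons in triage(SAMPLE_EVENTS):
        print(f"[{level}] {host} {image}: " + "; ".join(reasons))
```

Scoring on the launch context rather than file content is what keeps this useful against "old" techniques: a VBS file needs no exploit and may carry nothing a signature recognises, but it still has to be handed to wscript.exe or cscript.exe by something, and that parent-child relationship and the file's location are visible in ordinary process telemetry.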