The Royal Malaysian Police (RMP) have arrested eight men in connection with phishing kits that targeted the Australian Government’s myGov website.
The arrests resulted from a joint operation between the Australian Federal Police (AFP), the RMP, and the Federal Bureau of Investigation (FBI). It followed an investigation into an international criminal syndicate that boasted of hosting a “bulletproof” phishing method.
The AFP says the phishing kits contained templates and scripts replicating government websites in Australia, Malaysia, and the United States, including the myGov site.
The site, a one-stop shop for Australian government services, is frequently targeted by phishing campaigns. The genuine site warns that scammers make fake websites that accurately replicate the real site. Consequently, thousands of myGov accounts are suspended every month because Services Australia, the agency responsible for the website, believes they may have been compromised by individuals like the men recently arrested in Malaysia.
Among those arrested was a 35-year-old resident of Borneo who police allege advertised the scam-in-a-box kits and used a Malaysia-based entity to host computer servers and hardware to operate the service.
After searching his home, the RMP seized usernames, passwords, and cryptocurrency wallet details. A separate search of the hosting business at a technology park in Borneo saw four servers, power cables, monitors and a modem confiscated for forensic examination. One server allegedly supported 16 virtual machines running various operating systems and services that supported the hosting service. In total, investigators seized more than 60 terabytes of data across the police activity, including three servers and one network storage device.
“Cybercriminals will use any tools and tricks to exploit people for their own profit. In this case, it mimics trusted government websites,” said AFP A/Detective Superintendent Darryl Parrish.
While the RMP did much of the groundwork in Malaysia leading up to the arrests, the AFP and FBI worked behind the scenes, gathering intelligence and providing it to Malaysia. The FBI linked the scheme to an organized crime syndicate while the AFP, through the Joint Policing Cybercrime Coordination Centre, developed and provided intelligence. Officers from the AFP were on-site during the search of the premises hosting the servers, and FBI agents attended the examination of the man’s home. The RMP later picked up seven other men, allegedly mules for the first man arrested.
The little-known Joint Policing Cybercrime Coordination Centre is a partnership between the AFP, Australian state policing agencies, foreign law enforcement, government and the private sector. The centre was set up in early 2022, and its remit is to combat cybercrime, particularly cybercrime impacting Australians.
A spokesperson from the office of Bill Shorten, the minister responsible for Services Australia, said the agency had identified over 6,000 individual myGov scams this calendar year, adding that Services Australia continued to work with the AFP to crack down on fraud. The spokesperson said the Australian government is improving its ID verification processes on sites like myGov, which he hopes will reduce the impact of phishing campaigns. Services Australia declined to comment.