Mar 28 2022

Shopping trap: The online stores’ scam that hits users worldwide

Category: Cyber crime,Cyber ThreatsDISC @ 8:45 am

Shopping trap: Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world

Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.

Shopping trap

Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).

As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.

The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.

A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.

The content of the malicious websites – clones of the official stores –  are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository from criminals. In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:

  • Name (first and last)
  • Complete address (street, zip-code, city, and country)
  • Mobile phone
  • Email
  • Password
  • Credit card information (number, date, and CVV); and
  • Details about the order and tracking code of the package.

As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Online scams, Scam Me If You Can


Sep 20 2021

“Back to basics” as courier scammers skip fake fees and missed deliveries

Category: Cyber Threats,Cybercrime,Information SecurityDISC @ 9:24 am

These scams can take many different forms, including:

  • A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used by romance scammers, who sucker you into an online friendship, for example by stealing other people’s profile data from online data sites, courting you online, and then “sending” you a “gift”, often jewellery or something they know you would appreciate if it were real. The scammer then pretends to be the courier company handling the “delivery”, correctly identifying the item, its value and its made-up shipping code. Finally, there’s a customs or tax payment to make before the item can be released in your country (something that often happens with genuine deliveries via geniune courier companies). Some unfortunate victims pay out this fee, in cash, in good faith. In this sort of scam, the crooks are directly after your money.
  • A fake order will be delivered once you have confirmed the purchase. These fake orders range from low-value subscriptions that have auto-renewed, all the way to expensive new mobile phones or gaming consoles that will ship imminently. Given that it’s easier to guess what you haven’t just bought than what you have, these crooks are banking that you will click the link or phone the “customer support” number they’ve helpfully provided in order to cancel or dispute the charge. Once they have you on the hook, skilled social scammers in a call centre operated by the crooks offer to “help” you to cancel the bogus order or subscription (something that can be annoyingly hard for legitimate goods and services). In this sort of scam, the crooks are after as much personal information as they can persuade you to hand over, notably including full credit card data, phone number and home address.
  • A fake delivery failed and the item was returned to the depot. These fake delivery notices typically offer to help you reschedule the missed delivery (something that is occasionally necessary for legitimate deliveries of geniune online orders), but before you can choose a new date you usually need to login to a fake “courier company” website, hand over credit card data, or both. The credit card transactions are almost always for very small amounts, such as $1 or $2.99, and some crooks helpfully advise that your card “won’t be charged until the delivery is complete”, as a way of making you feel more comfortable about committing to the payment. In this sort of scam, the crooks won’t bill you $2.99 now, but they will almost certainly sell your credit card details on to someone else to rack up charges later on.

KISS – Keep It Simple and Straightforward

Tags: Cyber Scam, Scam Me If You Can, scammers


Aug 16 2021

Copyright scammers turn to phone numbers instead of web links

Category: Smart Phone,Social networkDISC @ 9:41 am

Copyright scams aren’t new – we’ve written about them many times in recent years.

These scammers often target your Facebook or Instagram account, fraudulently claiming that someone has registered a complaint about content that you’ve posted, such as a photo, and telling you that you need to resolve the issue in order to avoid getting locked out of your account.

The problem with copyright infringement notices is that if they’re genuine, they can’t just be ignored, because social media sites are obliged to try to resolve meaningful copyright complaints when they’re received.

To discourage bogus complaints and reduce harrassment – and if you are a content producer or influencer yourself, with an active blog, video or social media account, you will probably have had many well-meaning but ill-informed complaints in your time – sites such as Facebook, Instagram, Twitter and the like don’t put the complainant directly in touch with you.

The process usually goes something like this:

  • The complainant makes their claim to the service provider concerned. The service provider expects them to give full contact details, in order to discourage anonymous harasssment.
  • If the claim seems to hold water, the service alerts you, without giving your details to the complainant, and invites you to defend or to accept the complaint. (Obviously bogus claims, such as complaints about an images or video content in an article that is all text, shouldn’t go any further.)
  • If the claim is incorrect, you can repudiate it, for example by stating that you took a photo yourself or by showing a licence you acquired for a music clip.
  • If you don’t wish to contest the claim, you are usually expected to remove the allegedly infringing material promptly, and report that you have done so.

In either case, assuming that the service provider considers the case resolved, it’s then closed without the complainant getting to contact you directly, and without you needing to deal directly with the complainant in return.

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Copyright scammers, Phone scams, Scam Me If You Can


Aug 03 2021

BazarCaller – the malware gang that talks you into infecting yourself

Category: Malware,Security Awareness,SpywareDISC @ 10:29 am

You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.

In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:

[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.

Sometimes, they’ll read out the number to call them back on, to re-iterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.

The crooks do this to “prove” that caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.

BazarCaller – the malware gang that talks you into infecting yourself

Scam Me If You Can

Tags: BazarCaller, Scam Me If You Can, Spam


Jun 10 2021

Global Scamdemic: Scams Become Number One Online Crime

Category: CybercrimeDISC @ 8:25 pm

Threat hunting and adversarial cyber intelligence company Group-IB published a comprehensive analysis of fraud cases on a global scale.

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Overall, fraud accounts for  73% of  all online attacks:  56% are scams  (fraud that results in the victim voluntarily disclosing sensitive data) and  17% are  phishing attacks  (theft of bank card details). Using patented  Digital Risk Protection (DRP) technologies, the experts at Group-IB discovered over  70 groups of fraudsters that are only used in one of the fraudulent schemes, Classiscam, of which 36 are aimed at Europe. Classiscam threat actors alone were found to defraud users by $ 7.75 million in one year   .

On June 10th, during the Digital Risk Summit 2021  online conference ( Amsterdam ), Group-IB presented its research on various fraudulent machinations, obtained thanks to neural networks and ML-based scorings of the  Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, a fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped save  â‚¬ 363 million for companies in Asia Pacific, Europe and the Middle East by preventing potential damage.

The number of scam and phishing violations detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRP’s research into threat actors’ fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their modifications. For example, a scheme of fake branded social media accounts (typical of the financial sector)  affected over 500 fake accounts per bank on average in 2020  . Insurance companies around the world are now suffering from phishing. Over the past year, an average of over 100 phishing websites were created  per insurer.

In 2020, a multi-stage scam called Rabbit Hole targeted companies’ brands, primarily retail and online services. Users received a link from friends, via social media or in messengers with the request to take part in a competition, a promotional offer or a survey. On average, users visited  40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least  100 brands worldwide. The threat actors target the theft of personal and bank card details.

Classiscam has been the most widespread fraud in the world during the pandemic. The scheme is aimed at people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail stores, ridesharing and deliveries. The scheme aims to extort money as payment for non-existent goods. At least  44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group IB, a total of  93 brands were misused as part of Classiscam. As of early 2021, there were more than  12,500 threat actors made money with fake delivery services. The total number of websites involved in the scheme reached  10,000. A Classiscam -Bedrohungsgruppe makes up to  97,000 euros  per month.

“Last year the world was searched by the scamdemicheim, which represents the influx of online scams on an unprecedented scale: if your business is successful and well-known, it’s only a matter of time before scammers keep an eye out”, explains  Dmitry Tiunkin , Group-IB DRB Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”

Tags: Global Scamdemic, Scam Me If You Can