Targeted Links Used to Steal Tens of Millions in Global Scam Campaign

By impersonating 121 brands, scammers managed to defraud users in over 90 countries of an estimated $80 million per month, Singapore-based threat hunting and intelligence firm Group-IB reveals.

As part of the scheme, the fraudsters lured victims with fake surveys and giveaways supposedly from popular brands, which were in fact designed to help the miscreants steal victims’ personal information and credit card data.

The scammers are believed to have targeted tens of millions of individuals in a total of 91 countries, including the United States, Canada, South Korea, and Italy.

To lure their victims, the cybercriminals distributed invitations to partake in a survey, also telling their potential victims that a prize would be offered afterwards. Marketing methods employed in the campaign included advertising on both legitimate and rogue websites, contextual advertising, text and email messages, and pop-up notifications.

Lookalike domains named after legitimate ones were registered to build trust with the victims, and links were often posted on social networks.

“The new wave of the scam is particularly persistent thanks to an innovation in the scammers’ toolset — targeted links, which makes investigating and tackling such attacks increasingly challenging,” Group-IB notes.

By employing so-called traffic cloaking, the cybercriminals were able to display different content to different users, while a long chain of redirects allowed them to gather information about the victim’s session, including browser, IP address, language, location, and more.

Thus, the content on the final page is tailored as closely as possible to the victim’s interests, and the customized link is accessible only once, which makes detection much more difficult and allows the scheme to persist longer.
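Because a targeted link cannot be fetched a second time, the redirect chain recorded at the moment of the click is often the only evidence a defender has. The following added example (not from Group-IB or the original article) stitches 3xx responses from web proxy logs into per-client chains and flags those with many hops across many distinct hosts; the log format, sample records, and thresholds are assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy log records: (client, url, HTTP status, Location header). Not real data.
SAMPLE_LOG = [
    ("10.0.0.5", "http://promo-a.example/s?id=1", 302, "http://hop1.example/r?c=IN&b=chrome"),
    ("10.0.0.5", "http://hop1.example/r?c=IN&b=chrome", 302, "http://hop2.example/g?l=en"),
    ("10.0.0.5", "http://hop2.example/g?l=en", 302, "http://hop3.example/t/9f3a"),
    ("10.0.0.5", "http://hop3.example/t/9f3a", 302, "http://brand-survey.example/win"),
    ("10.0.0.5", "http://brand-survey.example/win", 200, None),
    ("10.0.0.9", "http://shop.example/old", 301, "https://shop.example/new"),
    ("10.0.0.9", "https://shop.example/new", 200, None),
]

def build_chains(records):
    """Stitch per-client 3xx responses into redirect chains (lists of URLs)."""
    open_chains, done = {}, []  # open_chains: (client, next expected URL) -> chain so far
    for client, url, status, location in records:
        chain = open_chains.pop((client, url), [url])
        if 300 <= status < 400 and location:
            chain.append(location)
            open_chains[(client, location)] = chain
        else:
            done.append((client, chain))
    # Chains whose last redirect target was never requested are kept as well.
    done.extend((c, ch) for (c, _), ch in open_chains.items())
    return done

def flag_suspicious(chains, min_hops=3, min_hosts=3):
    """Return chains with many redirects spread across many distinct hosts.

    The thresholds are assumed starting points, to be tuned against normal traffic.
    """
    flagged = []
    for client, chain in chains:
        hosts = {urlsplit(u).hostname for u in chain}
        hops = len(chain) - 1
        if hops >= min_hops and len(hosts) >= min_hosts:
            flagged.append({"client": client, "hops": hops,
                            "hosts": sorted(hosts), "landing": chain[-1]})
    return flagged

if __name__ == "__main__":
    for hit in flag_suspicious(build_chains(SAMPLE_LOG)):
        print(hit)
```

Legitimate ad and single sign-on flows also redirect across hosts, so the output is a triage list for analyst review rather than a verdict.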

Once they arrive on the final page, the victim is presented with a series of questions to answer. The victim is also told that, in order to receive a prize, they should provide personal information such as full name, email and physical address, phone number, and credit card data, including the expiration date and CVV.

Group-IB says it has identified roughly 60 scam networks operating the targeted links, with each containing more than 70 domain names on average. With over 50 domain names, one of the networks had a potential victim pool of over 10 million people.

The campaign mainly targeted Europe (36.3%), Africa (24.2%), and Asia (23.1%), but India emerged as the main source of traffic for the fraudulent links, accounting for 42.2% of it. Thailand and Indonesia accounted for 7% and 4.4% of the traffic, respectively.

The fraudsters attempted to exploit brands of leading telecommunications companies, with 20 of them located in the United States. Other impersonated brands are from Canada (9), South Korea (7), Italy (5), Serbia (5), and Singapore (5).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
