Telegram-Based Automated Scam Service Helps Fraudsters Make Millions

More than 40 scammer groups are actively engaged in schemes leveraging a scam-as-a-service offering that provides users the tools and resources needed to conduct fraud, according to threat hunting and intelligence company Group-IB.

The automated scam service has been named Classiscam by Group-IB and it’s meant to help cybercriminals steal money and payment data from unsuspecting victims, through the use of fake pages mimicking those of legitimate classifieds, marketplaces and delivery services.

The Classiscam scheme is powered by Telegram chatbots, which generate a complete phishing kit, including courier URL, payment, and refund information. The chatbots also offer shops, where users can purchase marketplace accounts, manuals, e-wallets, mailings, and even lawyers.

Simple and straightforward, the scheme has gained a lot of popularity, with over 5,000 scammers registered in the 40 most popular Telegram chats by the end of 2020.

More than 20 threat actors are believed to be leveraging the scheme in Russia, with over 20 other groups operating in the United States, Bulgaria, Romania, the Czech Republic, France, Poland, and multiple post-Soviet countries.

Classiscam emerged in Russia in 2019, but peak activity was recorded last year, amid the switch to telework due to the coronavirus pandemic. In 2020, the threat groups made in excess of $6.5 million, or approximately $520,000 per month, at an average of $61,000 per month per group (although the proceeds may differ from one group to another).

Some of the popular international classifieds and marketplaces abused by these scammers include Allegro, OLX, Sbazar and Leboncoin.

The scheme also exploits delivery brands, including DHL and Romanian delivery service FAN Courier, and security researchers have spotted underground forum chats suggesting that new brands will soon be used, such as FedEx and DHL Express in the US and Bulgaria.

The scheme starts with bait ads published on popular classified websites and marketplaces, offering various items at deliberately low prices. The threat actors, who pose as both sellers and buyers, use local phone numbers and lure victims into discussing deals over a third-party messaging app.

Victims are then asked for their contact information for delivery, and are provided with a link that takes them either to a fake courier service website or a scam page with a payment form. Thus, the scammers harvest payment data or withdraw money through fake merchant websites. In other instances, the scammers pose as buyers and send fake payment forms mimicking a popular marketplace.

“Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data,” Group-IB notes.

The scammer groups have a pyramidal hierarchy, with topic starters placed on top. These individuals are responsible for recruitment, creating scam pages and registering accounts, as well as for providing assistance when transactions are blocked.

The topic starters get a share of 20-30% of the stolen funds, while the workers, who engage with the victim and send the URLs to scam pages, get the rest. Successful workers move to the top, getting access to VIP options and to more lucrative markets.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
