Telegram-Based Automated Scam Service Helps Fraudsters Make Millions

More than 40 scammer groups are actively engaged in schemes leveraging a scam-as-a-service offering that provides users the tools and resources needed to conduct fraud, according to threat hunting and intelligence company Group-IB.

The automated scam service has been named Classiscam by Group-IB and it’s meant to help cybercriminals steal money and payment data from unsuspecting victims, through the use of fake pages mimicking those of legitimate classifieds, marketplaces and delivery services.

The Classiscam scheme is powered by Telegram chatbots, which generate a complete phishing kit, including courier URL, payment, and refund information. The chatbots also offer shops, where users can purchase accounts to marketplaces, manuals, e-wallets, mailings, and even lawyers.

Simple and straightforward, the scheme has gained a lot of popularity, with over 5,000 scammers registered in the 40 most popular Telegram chats by the end of 2020.

More than 20 threat actors are believed to be leveraging the scheme in Russia, with over 20 other groups operating in the United States, Bulgaria, Romania, the Czech Republic, France, Poland, and multiple post-Soviet countries.

Classiscam emerged in Russia in 2019, but peak activity was recorded last year, amid the switch to telework due to the Coronavirus pandemic. In 2020, the threat groups made in excess of $6.5 million, or approximately $520,000 per month, at an average of $61,000 per month per group (although the proceeds may differ from one group to another).

Some of the popular international classifieds and marketplaces abused by these scammers include Allegro, OLX, Sbazar and Leboncoin.

The scheme also exploits delivery brands, including DHL and Romanian delivery service FAN Courier, and security researchers have spotted underground forum chats suggesting that new brands will soon be used, such as FedEx and DHL Express in the US and Bulgaria.

The scheme starts with bait ads published on popular classified websites and marketplaces, offering various items at deliberately low prices. The threat actors, who pose as both sellers and buyers, use local phone numbers and lure victims into discussing deals over a third-party messaging app.

Victims are then asked for their contact information for delivery, and are provided with a link that takes them either to a fake courier service website or a scam page with a payment form. Thus, the scammers harvest payment data or withdraw money through fake merchant websites. In other instances, the scammers pose as buyers and send fake payment forms mimicking a popular marketplace.

“Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data,” Group-IB notes.

The scammer groups have a pyramidal hierarchy, with topic starters placed on top. These individuals are responsible for recruitment, creating scam pages and registering accounts, as well as for providing assistance when transactions are blocked.

The topic starters get a share of 20-30% of the stolen funds, while the workers, who engage with the victim and send the URLs to scam pages, get the rest. Successful workers move to the top, getting access to VIP options and to more lucrative markets.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
