More than 40 scammer groups are actively engaged in schemes leveraging a scam-as-a-service offering that provides users the tools and resources needed to conduct fraud, according to threat hunting and intelligence company Group-IB.
The automated scam service has been named Classiscam by Group-IB and it’s meant to help cybercriminals steal money and payment data from unsuspecting victims, through the use of fake pages mimicking those of legitimate classifieds, marketplaces and delivery services.
The Classiscam scheme is powered by Telegram chatbots, which generate a complete phishing kit, including courier URL, payment, and refund information. The chatbots also offer shops, where users can purchase accounts to marketplaces, manuals, e-wallets, mailings, and even lawyers.
Simple and straightforward, the scheme has gained a lot of popularity, with over 5,000 scammers registered in the 40 most popular Telegram chats by the end of 2020.
More than 20 threat actors are believed to be leveraging the scheme in Russia, with over 20 other groups operating in the United States, Bulgaria, Romania, the Czech Republic, France, Poland, and multiple post-Soviet countries.
Classiscam emerged in Russia in 2019, but peak activity was recorded last year, amid the switch to telework due to the Coronavirus pandemic. In 2020, the threat groups made in excess of $6.5 million, or approximately $520,000 per month, at an average of $61,000 per month/per group (although the proceeds may differ from one group to another).
Some of the popular international classifieds and marketplaces abused by these scammers include Allegro, OLX, Sbazar and Leboncoin.
The scheme also exploits delivery brands, including DHL and Romanian delivery service FAN Courier, and security researchers have spotted underground forum chats suggesting that new brands will soon be used, such as FedEx and DHL Express in the US and Bulgaria.
The scheme starts with bait ads published on popular classified websites and marketplaces, offering various items at deliberately low prices. The threat actors, which pose both as sellers and buyers, use local phone numbers and lure victims into discussing deals over a third-party messaging app.
Victims are then asked for their contact information for delivery, and are provided with a link that takes them either to a fake courier service website or a scam page with a payment form. Thus, the scammers harvest payment data or withdraw money through fake merchant websites. In other instances, the scammers pose as buyers and send fake payment forms mimicking a popular marketplace.
“Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data,” Group-IB notes.
The scammer groups have a pyramidal hierarchy, with topic starters placed on top. These individuals are responsible for recruitments, creating scam pages and registering accounts, as well as for providing assistance when transactions are blocked.
The topic starters’ get a share of 20-30% of the stolen funds, while the workers, which engage with the victim and send the URLs to scam pages, get the rest. Successful workers move to the top, getting access to VIP options and to more lucrative markets.
Related: Scammers Seize on US Election, But It’s Not Votes They Want
Related: BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers