Classiscam, a sophisticated scam-as-a-service business, has now entered Singapore, after more than 1.5 years migrating to Europe.
"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News.
The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm.
Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to an increase in online buying following the COVID-19 epidemic.
Classiscam, the pandemic's most commonly utilised fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries.
Users of major Russian ads and marketplaces were initially targeted, before spreading to Europe and the United States.
Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan.
The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022.
This campaign is remarkable for its dependence on Telegram bots and conversations to coordinate activities and generate phishing and scam pages.
Here's how it all works: Scammers put bait advertising on famous marketplaces and classified websites, frequently promising game consoles, laptops, and cellphones at steep prices.
When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction.
The concept includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the building of scam pages, and registering new accounts, it is the employees that make accounts on free classifieds websites and submit the false advertising.
"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said.
In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are housed on lookalike domains. This necessitates the workers to submit the URL containing the bait product to the bot.
"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said.
"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment."
The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards.
Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back.
These calls are made by assistant employees posing as platform tech support professionals. In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.
While the aforementioned method is an example of seller scam, in which a buyer (i.e., victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.
A fraudster contacts a legal vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.
Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.
"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov siad. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."
"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."
