The ‘New’ SaaS - Makes its Poison Debut - X-Industry

A Russian-speaking "Scam-as-a-Service" (SaaS) operation called, "Classiscam" is expanding globally, with 40 interconnected gangs in about a dozen countries using fake product advertisements to launch phishing schemes, the security firm Group-IB reports. This “SaaS” is adding to the long list of hacker services for anyone to buy with some spare Bitcoin.

The fraud actors are posting fake online classified advertisements for products to trick interested buyers into visiting phishing pages, where their personal and payment data is harvested, according to Group-IB. Although the operation started in Russia two years ago, by early 2020 it had expanded to include 40 subgroups that have focused on targets in the US and Europe, a new research report says.

Brands spoofed by the cybercriminal gang include French marketplace Leboncoin, the Polish online brand Allegro, the Czech website Sbazar and Romania's FAN Courier site. The report also notes the group has expanded its operations in the US and Bulgaria by mimicking FedEx and DHL Express. "More than 20 large groups are leveraging the scheme, and currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US and post-Soviet Union countries, while 20 more groups work in Russia," according to researchers. "These 40 groups altogether made at least $6.5 million in 2020."

Criminal hacking groups scaled up its operations in 2020 in response to the boom in online shopping during the COVID-19 pandemic. A scheme typically starts with fake advertisements placed on popular online marketplaces and classified AD websites for products, such as cameras, game consoles, laptops and smartphones, offered at low prices, according to the report. When the buyer contacts the seller, they are lured into continuing the conversation through a third-party messenger, such as WhatsApp. To be more persuasive, the crooks use local phone numbers when speaking with their victims. Such services can routinely be obtained in the underground.

When the interested customers ask the fraud actors, who are disguised as the sellers, to send the shipping details, the victims are directed to phishing landing pages that mimic courier service websites or marketplaces with a payment form, the report notes. "As a result, the fraudster obtains payment data or withdraws money through a fake merchant website," according to its analysts. It is estimated that each of the 40 groups make a total profit of $522,000 per month.

The hackers have set up several Telegram chatbots for automated management and expansion of the scheme. These bots are designed to provide scammers with ready-to-use pages mimicking popular classified advertising, marketplace and phishing URLs.

"Classiscam chatbots, where fake pages are generated and profits are reported, are not completely autonomous. They require ongoing technical support and moderation," says the head of the digital risk protection department at Group-IB Europe. "The admins are on top of the Classiscam pyramid. They fund and moderate the chats, recruit new members, register new accounts and allocate the profits among group members. Sometimes they hire third-party developers to create the chatbots. They also buy new domains. … In most cases they use content delivery network infrastructure from popular providers to hide their real hosting."[1]

Researchers identified 10 Telegram bots being used by hackers to generate scam pages for brands from Bulgaria, the Czech Republic, France, Poland and Romania. "For each brand and country, scammers write scripts that help newbie workers log into foreign sites and communicate with victims in the local language," the report notes. By the end of 2020 the chatbots had more than 5,000 scammers registered to use its services. Each of the 40 criminal groups have put in place three role-players to help push its operation along. Admins, or "topic starters," recruit new members, create scam pages, register new accounts and provide assistance when a bank blocks the recipient's card or the transaction. "Workers" communicate with victims and send them the phishing URLs. Then "callers" pose as tech support specialists.[2] "Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project," the report notes. "By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve less risks for Russian-speaking scammers."

Always keep in mind - “Caveat Emptor,” or “Let the buyer beware,” if the offer appears to be too good to be true, it is probably a scam. Do not become a victim.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516