After reviewing the complaints and information shared by users, it became clear what all the resources had in common:
- They were copies of official websites.
- Payment pages on various fake services were identical to the real deal except for the logos.
- In some cases, a single website subdomain hosted more than one phishing page.
We decided to investigate the incident in more detail and came across an ad looking to recruit members in a scam. The information we found was surprising even to us, a team of analysts who thought they had seen it all. The scam seemed extremely far-reaching and the authors sounded arrogant enough to believe they could get away with it.
During the first part of our investigation, we collected details and carefully documented everything about the scheme and its participants: trends, comments on forums, payment screenshots, feedback, and open Telegram channels. We examined admin and worker profiles on forums and uncovered connections using Group-IB's graph network analysis tool. User complaints that included correspondence with the scammers greatly helped with our investigation.
Let's look at what we found.