Inside Classiscam

A deep dive into Classiscam: automated scam as a service designed to steal money and payment data
  • Evgeny Ivanov
    Head of CERT-GIB Detection and Response Unit
  • Yakov Kravtsov
    Deputy Head of Special Projects, Group-IB Digital Risk Protection team
Russian-speaking scammers have been targeting users of marketplaces and classifieds on a mass scale. Group-IB's Computer Emergency Response Team (CERT-GIB) and Digital Risk Protection specialists named the scheme "Classiscam" after first witnessing it in Russia in summer 2019. Peak activity was recorded in spring 2020: it was attributed to the Covid-19 pandemic and the resulting switch to remote working and surge in online shopping and use of courier services. In summer 2020 CERT-GIB took down 280 Classiscam phishing pages offering fake courier services, and by December that number had grown 10-fold and surpassed 3,000 pages.

The investigation, which lasted several months, resulted in the report on the Classiscammers migrating from Russia to Europe and the United States.

More than 40 criminal groups, including 20 large ones, now target users and brands in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States and Uzbekistan. All criminal groups who resort to this fraud scheme are thought to make more than $6 million per year, which is likely to grow.

The story began on an April evening in 2020, when Evgeny Ivanov was on duty at CERT-GIB. He was through client requests and messages, many of which were complaints from users about a popular delivery service.
After reviewing the complaints and information shared by users, it became clear what all the resources had in common:

  • They were copies of official websites.
  • Payment pages on various fake services were identical to the real deal except for the logos.
  • Some examples of website subdomains contained more than one phishing page.
We decided to investigate the incident in more detail and came across an ad looking to recruit members in a scam. The information we found was surprising even to us, a team of analysts who thought they had seen it all. The scam seemed extremely far-reaching and the authors sounded arrogant enough to believe they could get away with it.

During the first part of our investigation, we collected details and we carefully documented everything about the scheme and its participants: trends, comments on forums, payment screenshots, feedback, and open Telegram channels. We examined admins and worker profiles on forums and uncovered connections using Group-IB's graph network analysis tool. User complaints that included correspondence with the scammers greatly helped with our investigation.

Let's look at what we found.
Part 1. Classiscam: Stages and description
In the scam's early stages, the fraudsters used a relatively straightforward method: they created bait ads on marketplaces and classifieds and used social engineering techniques to convince users to pay for goods by transferring money to bank cards. The scammers used all the typical tricks: low prices, discounts, gifts, limited time to make purchases, talking about first-come-first-serve conditions, and other similar tactics. Different groups came and went, but one thing remained constant: the scammers got their money, while the users did not get their goods.

Platform owners responded by introducing "guarantees": electronic security systems for online payments as part of which the platform would "freeze" the money transfer until the buyer received the goods. The seller would receive payment only after the buyer declared not to have any complaints. In addition, the platform security systems blocked links to phishing pages sent by the scammers.

Ultimately the fraudsters found a way to bypass the security measures. They used automated tools to generate phishing pages and fine-tuned the fraud mechanism. Let's examine in detail how the scheme works.
  • 1
    Offers that are too good to be true
    After registering new accounts or using the compromised ones on free classifieds websites, scammers post offers that are too good to be true: goods at low prices aimed at various target audiences. The merchandise "for sale" includes cameras, game consoles, laptops, smartphones, chainsaws, car sound systems, sewing machines, collectible items, fishing accessories, sports drinks, and more.
  • 2
    Contact with victims
    After users contact the fraudsters through the online platform's chat system, the fraudsters suggest switching to messengers like WhatsApp and Viber to discuss the purchase and delivery details.
  • 3
    Preparing the deal
    In the messenger, scammers ask the victim for their full name, address, and phone number, allegedly to fill in a delivery form on the courier website.
  • 4
    Payment through phishing resource
    Next, they send the user links to a phishing resource that perfectly mimics the official website of a popular courier service. The link directs to a page showing all the details provided by the victim, who is asked to verify them and then complete the payment.
  • 5
    A refund that never comes
    Some people fall victim to the scam twice — they are tricked into requesting a refund that's never made. After some time, the buyer is informed that there has been an incident at the post office. The scammers make up various stories: for example, that a post office employee was caught stealing and that the police has confiscated the goods, so the buyer needs to fill in a refund request. Of course, instead of being credited, the amount is charged from the victim's card for a second time.
  • 6
    Reverse scam
    Eventually a new variant of the scam appeared as part of which scammers played the role of buyers as opposed to sellers.

    So-called workers search for ads selling goods on free classifieds websites. The conditions that an ad must fulfill include the seller wishing to be contacted by phone and sharing their phone number, and the goods being available for delivery.

    The scammer contacts the seller through a popular third-party messenger, thereby bypassing the online platform's safe chat system, and asks the seller whether the goods are still available.

    The scammer then claims to commit to the purchase and delivery and uses an automated Telegram bot to generate a phishing page with the real name, photograph, and price of the goods.

    The phishing page is ready within minutes and can be sent to the victim-seller through the messenger, explaining that everything has been paid for and that the seller must verify all the details. Of course, in order to receive payment, the seller must then enter their bank card details.
A wide-ranging scam: property rental and ride sharing

Nowadays, fraudsters have a wide range of delivery service brands to choose from to use for their phishing scams. Nevertheless, recently they have also become interested in websites used to post ads offering cars and car parts, electronics, property rentals, and ride-sharing services.

Scammers don't care what a platform offers, be it property rental or bicycle sales. What they do care about is that the website offers the users the possibility to communicate internally and conclude "safe" deals within the site itself, which makes it possible to replace the final link with one on a fake but similar-sounding domain to complete the payment.

The same groups that created fake websites mimicking popular courier services were involved in attacks on property rental services. Attacks on hotel booking websites became more common during the summer holidays, when people were able to travel only within Russia. After the summer, scammers shifted their focus to property rental services. We cannot rule out internal competition among criminal groups that motivates them to look for opportunities to make money in new ways.
Part 2. Criminal groups
The Group-IB team uncovered several groups specializing in this type of fraud.
  • August 28, 2019
    The first recruitment post was shared on hacker forums
  • 95 topics
    about this type of fraud were found on forums and Telegram channels
  • Around $6.5 mln
    40 groups of Classiscammers made in 2020
Composition of a typical criminal group:
  • Admins (aka topic starter), group organizer, or administrator, who is responsible for the software and performance of the payment system, for providing support to users, and for distributing funds;
  • Hired "workers" or "spammers", whose job is to register one-day accounts on free classifieds websites, create bait ads based on ready-made templates, communicate with victims through platform chat systems and/or messengers, and send phishing links to victims;
  • So called "callers" or "refunders", who play the role of courier service customer support agents. After acquiring the victim's trust, they suggest arranging a refund, often using the same fake resource. As a result, the victim's card is debited a second time
While investigating forums we concluded that there are dozens of such criminal groups, all of which strive to expand their business and attract new victims.

One of the biggest criminal groups, for example, which calls itself the Dreamer Money Gang (DMG), hires workers through Telegram bots and promises training opportunities, the "best domains on the market", and quick payments without hidden interest. DMG makes around $3,000 per day.

Another criminal group's income skyrocketed in early 2020: from $10,600 (January) to $47,320 (February) to $83,825 (March) to $120,328 (April).
Ever wondered how fraudsters keep financial accounts?

All deals and transactions completed by workers are displayed in a Telegram bot: the amount, the payment number, and the worker's username.

One of the chat bots contains numerous transfers for sums ranging from $100 to $900. The money is first paid into the administrator's account, who then distributes the income among the rest of the group members.

Workers usually receive 70–80% of the transaction amount as cryptocurrency, with the administrators quickly paying money into their cryptocurrency wallets. Administrators usually keep around 20–30% of the income.

Scams involving "refunds" are carried out by so called "callers" and "refunders", who play the role of courier service customer support agents. After contacting the victim by phone or messenger, they offer to process the refund, which in reality means that the victim's card is debited a second time.

For their services, "callers" are paid either a fixed amount or a percentage of the stolen sum, usually between 5% and 20%. Workers rarely play this role as it requires specialist skills, including in-depth knowledge of social engineering techniques, a clear voice, and the ability to quickly answer even the most unexpected questions that a doubtful buyer may have.

After analyzing messages regarding payments in chat bots, Group-IB analysts realized that 20 of 40 active groups focusing on Europe and the US. They make around $60,000 per month on average, though incomes can vary greatly from group to group. Overall, the total monthly income of 40 of the most active criminal groups is estimated to amount to at least $522,731 per month.
Part 3. Automation and scaling up
Aside from resorting to fraud involving social engineering techniques, scammers must also resolve technical problems. They must: (i) register domains that sound similar to delivery company domain names and create phishing pages, (ii) prevent the 900 error from occurring on payment services, i.e., when a bank blocks an operation or card onto which the scammers are trying to transfer money, and (iii) sign up for new accounts and buy new phone numbers. In addition, scammers must recruit new workers, create new phishing resources, provide technical support, and more.

Most of the above tasks can be done using Telegram bots. Thanks to the latter, scammers no longer need to create pages to generate phishing pages, or so-called "admins". All workers need to do now is drop a link to the bait product in the chat bot, which then generates a comprehensive phishing set: links to the courier service, payment, and refund pages.

In addition, Telegram has its own 24/7 support team and there are online stores that sell everything a fraudster might need: accounts on advertising websites, phones, electronic wallets, targeted email blasts, sales of other scams, and much more — even legal services in case the scammer needs a lawyer.

Currently, more than 5,000 scammers are registered in 40 of the most active chats.

There are more than ten types of Telegram bots that create pages mimicking brands in Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and page, scammers write template scripts and instructions that help newbie workers sign up to new platforms and communicate with victims in the local language.

As a result, phishing pages have improved in quality and become easier to create, and scammers receive more and more support. All the above factors have caused fraud on classifieds websites to skyrocket, and more and more scammers want to be involved in such an easy yet lucrative activity.

Below is the example of one of the Telegram chat-bots:
Newbie workers register through Telegram bots, on underground forums, or directly through the administrator (TC). There are both open and closed group chats.

Let's have a look at closed chats. In order to become involved in a scam, it is necessary to go through a recruitment procedure through a Telegram bot as part of which the candidate is asked questions about their experience in fraud and other areas, about where they found out about the scam, and whether they have a profile on any underground forums. Reviewing profiles on underground forums is done most likely to screen candidates and their reputations and check whether they have been involved in any arbitration procedures, which scammers use to settle disputes such as an admin (TC) not paying a worker the agreed sum for a Classiscam scheme.

After workers have completed the registration process, they receive access to three chats: an information chat (details about the project, plans, instructions), a worker chat (scammers communicate with each other, share experiences, and discuss projects), and a financial chat (payment reports). It is worth noting that chats about payments are publicly available — it's likely that they are used for advertising purposes to attract new candidates.

Statistics are kept on worker payments and the highest earners are included in a publicly available list of top earners. They also receive access to a VIP chat for top workers and to VIP scripts (e.g., to work in the United States or Europe), which are not available to less fruitful scammers.

In addition, there are separate chats for callers in which they can find instructions and guidelines about how to talk to victims.
Part 4. Exporting Classiscam
Group-IB and companies who own delivery services and advertising platforms have been actively fighting against scammers, which in spring 2020 prompted criminal groups to start migrating from Russia to CIS and European countries. As a result, scammers began looking for new niche markets, as happened with the appearance of phishing websites mimicking property rental and bookmaker services. The Russian Internet space once again became a testing ground and helped scammers expand their criminal business to the international stage.

By 2020 attacks on foreign brands had already been recorded — software for generating phishing pages was available in closed communities for scammers with work experience, although these were rare, isolated cases.

In mid-February 2020, an ad for freely accessible Telegram bots began appearing on forums, promising the possibility to generate phishing forms for the Ukrainian version of OXL, a free classifieds website.
In May 2020, a Romanian version of the OXL website appeared alongside the Ukrainian one. By early August, Bulgarian and Kazakh versions of the OXL website appeared in open Telegram bots.
Scammers did not limit themselves to launching the scheme in CIS countries. In late August, a scam involving the popular French free classifieds website Leboncoin appeared in popular Telegram bots.
Soon thereafter, the Polish version of the OXL website scam appeared as well.

European brands were actively being added to Telegram bots. In late November, phishing forms appeared on the Polish e-commerce website Allegro and the Czech free classifieds website Sbazar.
It is worth noting that scams involving European and US brands are more difficult to carry out than they are in CIS countries. Russian-speaking scammers encounter language problems and difficulties in verifying accounts on websites, which requires buying stolen personal documents and phone numbers on forums and communities. Admins have trouble linking foreign currency credit and debit cards to Telegram bots. For this they have to hire experienced money mules — proxies who receive and withdraw money.

For each brand, scam enthusiasts write instructions and guidelines to help newbies sign up to foreign platforms and communicate with victims in their mother tongue.
Part 5. How to fight Classiscam?
Russian-speaking Classiscammers are migrating to Europe and the US as a way of making more money and reducing the risk of being caught. Fighting the scam requires companies that offer delivery services and own free classifieds websites to step up their efforts and use advanced digital risk protection technologies in order to quickly detect and take down criminal groups.
Recommendations for brands
  • Unlike in Russia, where delivery services, free classifieds, and property rental websites were the first to suffer at the hands of Classiscam, an overwhelming number of users and security service employees at international companies are not yet ready to counter such fraud schemes.
  • Classic monitoring and blocking techniques are no longer sufficient to counter such advanced scams. Instead, it is crucial to identify and block adversary infrastructure using AI-driven digital risk protection systems (more details at: https://www.group-ib.com/products/digital-risk-protection/), the databases of which are regularly enriched with information about adversary infrastructure, techniques, tactics, and new fraud schemes.

    - Use specialized Digital Risk Protection systems that help proactively detect new fake domains, fraudulent advertising, and phishing pages.
    - Ensure that underground forums are continuously screened for any information about attempts to use your brand for illegal purposes.
    - Analyze phishing attacks in order to attribute them to a given criminal group, uncover the identities of scammers, and bring the perpetrators to justice.
  • If you or your company have fallen victim to fraud, immediately contact the police and inform the website's technical support team about the incident, sharing any correspondence you had with the scammers. You can report any fraud to CERT-GIB 24/7 here or by sending an email to response@cert-gib.com
Recommendations for users
  • Before entering your payment card details into any form, double check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page. Trust only official websites.
  • Large discounts on electronics may be just that: too good to be true. They are likely to indicate a bait product or phishing page created by scammers. Be careful.
  • When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.
  • Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.