Inside Classiscam

After reviewing the complaints and information shared by users, it became clear what all the resources had in common:

• They were copies of official websites.
• Payment pages on various fake services were identical to the real deal except for the logos.
• Some examples of website subdomains contained more than one phishing page.

We decided to investigate the incident in more detail and came across an ad looking to recruit members in a scam. The information we found was surprising even to us, a team of analysts who thought they had seen it all. The scam seemed extremely far-reaching and the authors sounded arrogant enough to believe they could get away with it.

During the first part of our investigation, we collected details and we carefully documented everything about the scheme and its participants: trends, comments on forums, payment screenshots, feedback, and open Telegram channels. We examined admins and worker profiles on forums and uncovered connections using Group-IB's graph network analysis tool. User complaints that included correspondence with the scammers greatly helped with our investigation.

Let's look at what we found.

In the scam's early stages, the fraudsters used a relatively straightforward method: they created bait ads on marketplaces and classifieds and used social engineering techniques to convince users to pay for goods by transferring money to bank cards. The scammers used all the typical tricks: low prices, discounts, gifts, limited time to make purchases, talking about first-come-first-serve conditions, and other similar tactics. Different groups came and went, but one thing remained constant: the scammers got their money, while the users did not get their goods.

Platform owners responded by introducing "guarantees": electronic security systems for online payments as part of which the platform would "freeze" the money transfer until the buyer received the goods. The seller would receive payment only after the buyer declared not to have any complaints. In addition, the platform security systems blocked links to phishing pages sent by the scammers.

Ultimately the fraudsters found a way to bypass the security measures. They used automated tools to generate phishing pages and fine-tuned the fraud mechanism. Let's examine in detail how the scheme works.

A wide-ranging scam: property rental and ride sharing

Nowadays, fraudsters have a wide range of delivery service brands to choose from to use for their phishing scams. Nevertheless, recently they have also become interested in websites used to post ads offering cars and car parts, electronics, property rentals, and ride-sharing services.

Scammers don't care what a platform offers, be it property rental or bicycle sales. What they do care about is that the website offers the users the possibility to communicate internally and conclude "safe" deals within the site itself, which makes it possible to replace the final link with one on a fake but similar-sounding domain to complete the payment.

The same groups that created fake websites mimicking popular courier services were involved in attacks on property rental services. Attacks on hotel booking websites became more common during the summer holidays, when people were able to travel only within Russia. After the summer, scammers shifted their focus to property rental services. We cannot rule out internal competition among criminal groups that motivates them to look for opportunities to make money in new ways.

While investigating forums we concluded that there are dozens of such criminal groups, all of which strive to expand their business and attract new victims.

One of the biggest criminal groups, for example, which calls itself the Dreamer Money Gang (DMG), hires workers through Telegram bots and promises training opportunities, the "best domains on the market", and quick payments without hidden interest. DMG makes around $3,000 per day.

Another criminal group's income skyrocketed in early 2020: from $10,600 (January) to $47,320 (February) to $83,825 (March) to $120,328 (April).

Ever wondered how fraudsters keep financial accounts?

All deals and transactions completed by workers are displayed in a Telegram bot: the amount, the payment number, and the worker's username.

One of the chat bots contains numerous transfers for sums ranging from $100 to $900. The money is first paid into the administrator's account, who then distributes the income among the rest of the group members.

Workers usually receive 70–80% of the transaction amount as cryptocurrency, with the administrators quickly paying money into their cryptocurrency wallets. Administrators usually keep around 20–30% of the income.

Scams involving "refunds" are carried out by so called "callers" and "refunders", who play the role of courier service customer support agents. After contacting the victim by phone or messenger, they offer to process the refund, which in reality means that the victim's card is debited a second time.

For their services, "callers" are paid either a fixed amount or a percentage of the stolen sum, usually between 5% and 20%. Workers rarely play this role as it requires specialist skills, including in-depth knowledge of social engineering techniques, a clear voice, and the ability to quickly answer even the most unexpected questions that a doubtful buyer may have.

After analyzing messages regarding payments in chat bots, Group-IB analysts realized that 20 of 40 active groups focusing on Europe and the US. They make around $60,000 per month on average, though incomes can vary greatly from group to group. Overall, the total monthly income of 40 of the most active criminal groups is estimated to amount to at least $522,731 per month.

Aside from resorting to fraud involving social engineering techniques, scammers must also resolve technical problems. They must: (i) register domains that sound similar to delivery company domain names and create phishing pages, (ii) prevent the 900 error from occurring on payment services, i.e., when a bank blocks an operation or card onto which the scammers are trying to transfer money, and (iii) sign up for new accounts and buy new phone numbers. In addition, scammers must recruit new workers, create new phishing resources, provide technical support, and more.

Most of the above tasks can be done using Telegram bots. Thanks to the latter, scammers no longer need to create pages to generate phishing pages, or so-called "admins". All workers need to do now is drop a link to the bait product in the chat bot, which then generates a comprehensive phishing set: links to the courier service, payment, and refund pages.

In addition, Telegram has its own 24/7 support team and there are online stores that sell everything a fraudster might need: accounts on advertising websites, phones, electronic wallets, targeted email blasts, sales of other scams, and much more — even legal services in case the scammer needs a lawyer.

Currently, more than 5,000 scammers are registered in 40 of the most active chats.

There are more than ten types of Telegram bots that create pages mimicking brands in Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and page, scammers write template scripts and instructions that help newbie workers sign up to new platforms and communicate with victims in the local language.

As a result, phishing pages have improved in quality and become easier to create, and scammers receive more and more support. All the above factors have caused fraud on classifieds websites to skyrocket, and more and more scammers want to be involved in such an easy yet lucrative activity.

Below is the example of one of the Telegram chat-bots:

Newbie workers register through Telegram bots, on underground forums, or directly through the administrator (TC). There are both open and closed group chats.

Let's have a look at closed chats. In order to become involved in a scam, it is necessary to go through a recruitment procedure through a Telegram bot as part of which the candidate is asked questions about their experience in fraud and other areas, about where they found out about the scam, and whether they have a profile on any underground forums. Reviewing profiles on underground forums is done most likely to screen candidates and their reputations and check whether they have been involved in any arbitration procedures, which scammers use to settle disputes such as an admin (TC) not paying a worker the agreed sum for a Classiscam scheme.

After workers have completed the registration process, they receive access to three chats: an information chat (details about the project, plans, instructions), a worker chat (scammers communicate with each other, share experiences, and discuss projects), and a financial chat (payment reports). It is worth noting that chats about payments are publicly available — it's likely that they are used for advertising purposes to attract new candidates.

Statistics are kept on worker payments and the highest earners are included in a publicly available list of top earners. They also receive access to a VIP chat for top workers and to VIP scripts (e.g., to work in the United States or Europe), which are not available to less fruitful scammers.

In addition, there are separate chats for callers in which they can find instructions and guidelines about how to talk to victims.

Group-IB and companies who own delivery services and advertising platforms have been actively fighting against scammers, which in spring 2020 prompted criminal groups to start migrating from Russia to CIS and European countries. As a result, scammers began looking for new niche markets, as happened with the appearance of phishing websites mimicking property rental and bookmaker services. The Russian Internet space once again became a testing ground and helped scammers expand their criminal business to the international stage.

By 2020 attacks on foreign brands had already been recorded — software for generating phishing pages was available in closed communities for scammers with work experience, although these were rare, isolated cases.

In mid-February 2020, an ad for freely accessible Telegram bots began appearing on forums, promising the possibility to generate phishing forms for the Ukrainian version of OXL, a free classifieds website.

In May 2020, a Romanian version of the OXL website appeared alongside the Ukrainian one. By early August, Bulgarian and Kazakh versions of the OXL website appeared in open Telegram bots.

Scammers did not limit themselves to launching the scheme in CIS countries. In late August, a scam involving the popular French free classifieds website Leboncoin appeared in popular Telegram bots.

Soon thereafter, the Polish version of the OXL website scam appeared as well.

European brands were actively being added to Telegram bots. In late November, phishing forms appeared on the Polish e-commerce website Allegro and the Czech free classifieds website Sbazar.

It is worth noting that scams involving European and US brands are more difficult to carry out than they are in CIS countries. Russian-speaking scammers encounter language problems and difficulties in verifying accounts on websites, which requires buying stolen personal documents and phone numbers on forums and communities. Admins have trouble linking foreign currency credit and debit cards to Telegram bots. For this they have to hire experienced money mules — proxies who receive and withdraw money.

For each brand, scam enthusiasts write instructions and guidelines to help newbies sign up to foreign platforms and communicate with victims in their mother tongue.

Russian-speaking Classiscammers are migrating to Europe and the US as a way of making more money and reducing the risk of being caught. Fighting the scam requires companies that offer delivery services and own free classifieds websites to step up their efforts and use advanced digital risk protection technologies in order to quickly detect and take down criminal groups.