Empty Box

Group-IB unveils three groups of fraudsters behind delivery scams in Singapore
Ilia Rozhnov
Head of Digital Risk Protection team in the Asia Pacific, Group-IB
Last year was marked by a spark increase in scammers' activity. In most of the incidents, scammers impersonated well-known local or international consumer brands, which is probably one of the oldest social engineering techniques used by the scam actors worldwide to establish trust with their victims.

One notable example is the so-called delivery scam impersonating local postal brands and aiming to steal victims' personal and payment records. Since August 2021, more than 93 victims had fallen prey to such scams, with losses amounting to at least $140,000, according to the Singapore Police Force. Group-IB Digital Risk Protection unit observed that in many delivery scams fraudsters posed as SingPost, the country's leading postal operator.

The frequency of such scams and the losses incurred by Singaporeans, prompted Group-IB to take a deeper look into delivery scams mimicking SingPost. Using its own Digital Risk Protection and Threat Intelligence systems Group-IB research team analysed different schemes involving the illicit use of SingPost trademark and identified three major scam groups utilising distinct scripts, distribution channels, and infrastructure for their fraudulent operations. The total number of websites masked as SingPost detected by Group-IB over the last year is close to 150.
Shafique Dawood, Head of Business Development at Group-IB APAC: "In view of the rise of fraudulent activity globally Group-IB continues to work closely with the Singapore Police Force as part of the Alliance of Public PrivAte Cybercrime sTakeholders (APPACT) to effectively brief all members on the latest type of scams active in Singapore and beyond."
With this blog post Group-IB Digital Risk Protection Team in Singapore aims to raise public awareness about different types of delivery scams and provide recommendations on how not to fall prey to fraud involving the impersonation of postal brands.
Tip of the iceberg
Group-IB analysed multiple media alerts about delivery scams in Singapore. Then, the DRP researchers identified the websites involved in such schemes. The comparison revealed that very few delivery scam incidents become known publicly. Group-IB's team detected more than 140 websites between 01.01.2021 and 31.01.2022 involved in the delivery scams. All these websites were designed to deceive Singaporeans.
To explore the puzzle further, the Digital Risk Protection experts reconstructed the victim path for every website involved. As a result, Group-IB team was able to identify three groups of websites based on the different scam patterns. Thanks to the patented Network Graph Analysis system three different groups of scammers with distinct infrastructures running these websites were established. Let's get to know them better.
Big three. Analysis of scammer groups exploiting delivery theme in Singapore
Group 1

The first group's network at its peak included at least 15 websites impersonating SingPost, none of which remain active now. Their first known scam website was registered in the beginning of 2020.
Group 1 Infrastructure Graph
Group 1 relies on good old Smishing in the first stage. The SMS disguised as a delivery notice encourages the victim to follow a shortened URL. After multiple redirects the victim ends up on a fake SingPost website. The website asks the user to leave a phone number and pay a small fee to receive the delivery:
To make their rogue websites look more credible, fraudsters demonstrate a scam alert that says, "Phishing websites impersonating SingPost are using fake delivery notices and text messages to extract personal data".

Finally, the victim is redirected to a fake payment gateway. A legitimate payment gateway is a third-party website, owned by a bank or financial service, which allows taking card payments online. Fake payment gateways belong to scammers. They are made to look like legitimate ones and are designed to process fraudulent transactions. In addition to submitting their payment and personal records to the scammers the victims are subscribed to monthly SGD 40-60 payments that usually remain unnoticed by traditional anti-fraud solutions. Have a look at the scheme:
Group-IB detected more than 500 similar fake payment pages related services with 100 being active at the time of writing. Some of these payment sites may be related to other scams or just waiting to be activated.
Group 2

Group 2 has been active between September 2020 and June 2021. In total, their infrastructure included 80+ websites impersonating SingPost with none active at the time of writing.

Just like Group 1, Group 2 uses scam SMS messages. Group-IB researchers detected the SMS for the first time in early 2021. The message was disguised as a delivery notice from SingPost. The users were encouraged to follow the link in order to "sign the goods".
Clicking on the link downloads a trojanized Android application disguised as a Google Chrome browser. The malware then asks the user to allow installation, and requests permissions to access SMS, contacts, local storage and phone calls history. Once the user grants permissions, this malware installs itself and collects information about the device, such as smartphone model, software version, Wi-Fi and cellular network status, and preferred language and sends it all to the cybercriminals' command and control server. The Trojan's main functionality is to intercept SMS, steal user contacts, and to send SMS spam. As such malware operators can get access to the OTPs, for example, or use the collected information to launch further targeted access against the victim or people from their contact list for monetary gain.

Group-IB researchers assess with high confidence that the Trojan was initially designed to target South Korean users, because part of its code is used to find out which South Korean operator the SIM card belongs to.

While the number of SMS recipients and victims remains unknown, using its network graph analysis tool, Group-IB researchers established that the domain in question is part of complex cybercriminal infrastructure that hosts a total of 107 websites. Out of 107, 85 are look-alike domains impersonating SingPost. Other malicious websites' names closely resemble popular postal service brands from the USA, Sweden, Germany, Finland, and Denmark which gives Group-IB researchers reasonable ground to believe that the campaign was not limited to Singapore. All the domains were registered between December 25, 2020, and March 1, 2021 and share the same naming pattern. Let's turn to Group-IB's graph:
Group 3

Group 3 has been active since September 2021. Their assets include more than 90 fake websites impersonating SingPost. However, unlike other groups, they figured out a way to bypass OTP verification. Group 3 sets up new websites from time to time, but they go on and off every 1-2 days. Currently, only 1 website is active.
According to the Police report, nearly 400 people fell prey to the scheme employed by Group 3 in the first two weeks of November. The average money loss is believed to be more than SGD 2,000 per case.

Even though we were not able to retrieve any examples, we assume that the group starts their campaigns with SMS leading the victims to the fake branded website that asks the visitors to pay a fee to receive their parcel. The fees typically range from 2.24 to 2.99 SGD.

The bogus website then shows a phishing form that asks the user to enter their personal and bank card details:
Not all payment systems or banks allow transactions without SMS verification. To bypass this step, Group 3 improved phishing sites to request SMS.

To bypass 2FA authentication a real time phishing technique is used. It includes Man-in-The middle technique: data entered on a phishing website by a victim gets manually or automatically inserted on the real website by the fraudster, which allows them to request an SMS OTP to confirm the fraudulent transaction.
With this the scammers have all the necessary information to withdraw money from victims' accounts.

Group-IB experts analysed fake websites that belong to Group 3. The template of scam websites used by the group suggest that they are also targeting some other European and American brands from various industries in addition to SingPost.
Users are advised to stay vigilant when clicking on the links from emails or SMS regardless of who the sender is. The scammers have technical means to spoof the legitimate sender's number and email addresses. They even might know the victim's real name and other personal data and use it to establish trust. Such information is traded actively in the underground. To avoid falling prey to such scams, users should only use official websites to track their parcels, where they can also find the contact details of customer support teams. It's important to verify the legitimacy and authenticity of the information using official sources.

Under no circumstances users should allow installations from third party sources. It is safer to follow the security warnings demonstrated by the device and download the applications from the trusted sources. To seek online scam-related advice or report scams and phishing go to scamalert.sg or call the police.

The impersonated brands are the ones who also tend to suffer from such campaigns. Unhappy customers act fast: even after one negative experience many users are likely to stop buying from a brand whose name has been involved in a scam or a malicious campaign.

Cybercriminals exploit the lack of decent monitoring and blocking efforts to create fake sites that misuse legitimate brand names. Companies need to be swift in taking actions against such complex threats. Detection at early stages is the key to minimising the digital risks to the affected brands and to safeguarding the potential victims. Mapping and attributing newly registered domains can help to reveal patterns to improve the quality and scope of detection. Effective monitoring and blockage should involve an automated machine-learning digital risk protection system fuelled by regular updates to its knowledge base about cybercriminals' infrastructure, tactics, tools.
Identify and mitigate digital risks to your brand
with Group-IB Digital Risk Protection