Group-IB analysed multiple media alerts about delivery scams in Singapore. Then, the DRP researchers identified the websites involved in such schemes. The comparison revealed that very few delivery scam incidents become known publicly. Group-IB's team detected more than 140 websites between 01.01.2021 and 31.01.2022 involved in the delivery scams. All these websites were designed to deceive Singaporeans.

To explore the puzzle further, the Digital Risk Protection experts reconstructed the victim path for every website involved. As a result, Group-IB team was able to identify three groups of websites based on the different scam patterns. Thanks to the patented Network Graph Analysis system three different groups of scammers with distinct infrastructures running these websites were established. Let's get to know them better.

Group 1

The first group's network at its peak included at least 15 websites impersonating SingPost, none of which remain active now. Their first known scam website was registered in the beginning of 2020.

Group 1 relies on good old Smishing in the first stage. The SMS disguised as a delivery notice encourages the victim to follow a shortened URL. After multiple redirects the victim ends up on a fake SingPost website. The website asks the user to leave a phone number and pay a small fee to receive the delivery:

To make their rogue websites look more credible, fraudsters demonstrate a scam alert that says, "Phishing websites impersonating SingPost are using fake delivery notices and text messages to extract personal data".

Finally, the victim is redirected to a fake payment gateway. A legitimate payment gateway is a third-party website, owned by a bank or financial service, which allows taking card payments online. Fake payment gateways belong to scammers. They are made to look like legitimate ones and are designed to process fraudulent transactions. In addition to submitting their payment and personal records to the scammers the victims are subscribed to monthly SGD 40-60 payments that usually remain unnoticed by traditional anti-fraud solutions. Have a look at the scheme:

Group-IB detected more than 500 similar fake payment pages related services with 100 being active at the time of writing. Some of these payment sites may be related to other scams or just waiting to be activated.

Group 2

Group 2 has been active between September 2020 and June 2021. In total, their infrastructure included 80+ websites impersonating SingPost with none active at the time of writing.

Just like Group 1, Group 2 uses scam SMS messages. Group-IB researchers detected the SMS for the first time in early 2021. The message was disguised as a delivery notice from SingPost. The users were encouraged to follow the link in order to "sign the goods".

Clicking on the link downloads a trojanized Android application disguised as a Google Chrome browser. The malware then asks the user to allow installation, and requests permissions to access SMS, contacts, local storage and phone calls history. Once the user grants permissions, this malware installs itself and collects information about the device, such as smartphone model, software version, Wi-Fi and cellular network status, and preferred language and sends it all to the cybercriminals' command and control server. The Trojan's main functionality is to intercept SMS, steal user contacts, and to send SMS spam. As such malware operators can get access to the OTPs, for example, or use the collected information to launch further targeted access against the victim or people from their contact list for monetary gain.

Group-IB researchers assess with high confidence that the Trojan was initially designed to target South Korean users, because part of its code is used to find out which South Korean operator the SIM card belongs to.

While the number of SMS recipients and victims remains unknown, using its network graph analysis tool, Group-IB researchers established that the domain in question is part of complex cybercriminal infrastructure that hosts a total of 107 websites. Out of 107, 85 are look-alike domains impersonating SingPost. Other malicious websites' names closely resemble popular postal service brands from the USA, Sweden, Germany, Finland, and Denmark which gives Group-IB researchers reasonable ground to believe that the campaign was not limited to Singapore. All the domains were registered between December 25, 2020, and March 1, 2021 and share the same naming pattern. Let's turn to Group-IB's graph:

Group 3

Group 3 has been active since September 2021. Their assets include more than 90 fake websites impersonating SingPost. However, unlike other groups, they figured out a way to bypass OTP verification. Group 3 sets up new websites from time to time, but they go on and off every 1-2 days. Currently, only 1 website is active.

According to the Police report, nearly 400 people fell prey to the scheme employed by Group 3 in the first two weeks of November. The average money loss is believed to be more than SGD 2,000 per case.

Even though we were not able to retrieve any examples, we assume that the group starts their campaigns with SMS leading the victims to the fake branded website that asks the visitors to pay a fee to receive their parcel. The fees typically range from 2.24 to 2.99 SGD.

The bogus website then shows a phishing form that asks the user to enter their personal and bank card details:

Not all payment systems or banks allow transactions without SMS verification. To bypass this step, Group 3 improved phishing sites to request SMS.

To bypass 2FA authentication a real time phishing technique is used. It includes Man-in-The middle technique: data entered on a phishing website by a victim gets manually or automatically inserted on the real website by the fraudster, which allows them to request an SMS OTP to confirm the fraudulent transaction.

With this the scammers have all the necessary information to withdraw money from victims' accounts.

Group-IB experts analysed fake websites that belong to Group 3. The template of scam websites used by the group suggest that they are also targeting some other European and American brands from various industries in addition to SingPost.

Users are advised to stay vigilant when clicking on the links from emails or SMS regardless of who the sender is. The scammers have technical means to spoof the legitimate sender's number and email addresses. They even might know the victim's real name and other personal data and use it to establish trust. Such information is traded actively in the underground. To avoid falling prey to such scams, users should only use official websites to track their parcels, where they can also find the contact details of customer support teams. It's important to verify the legitimacy and authenticity of the information using official sources.

Under no circumstances users should allow installations from third party sources. It is safer to follow the security warnings demonstrated by the device and download the applications from the trusted sources. To seek online scam-related advice or report scams and phishing go to scamalert.sg or call the police.

The impersonated brands are the ones who also tend to suffer from such campaigns. Unhappy customers act fast: even after one negative experience many users are likely to stop buying from a brand whose name has been involved in a scam or a malicious campaign.

Cybercriminals exploit the lack of decent monitoring and blocking efforts to create fake sites that misuse legitimate brand names. Companies need to be swift in taking actions against such complex threats. Detection at early stages is the key to minimising the digital risks to the affected brands and to safeguarding the potential victims. Mapping and attributing newly registered domains can help to reveal patterns to improve the quality and scope of detection. Effective monitoring and blockage should involve an automated machine-learning digital risk protection system fuelled by regular updates to its knowledge base about cybercriminals' infrastructure, tactics, tools.