Hired hand: Scammers mimic Saudi manpower provider

Group-IB uncovers one thousand (and one) fake domains part of a scam campaign targeting users in KSA

Mark Alpatsky

CERT-GIB Senior analyst

Sharef Hlal

Head of Digital Risk Protection Analytics Team, MEA region

Scams can cause serious financial and reputational damage to businesses and organizations. More than $55 billion was stolen from victims in 2021 as a result of scams, according to a Global State of Scam Report that Group-IB contributed to. Brand impersonation is a common tactic used by cybercriminals, and these scams are a threat that can no longer be ignored by business leaders.
The need to combat scammers is all the more pertinent given that recent Group-IB research found that scams accounted for 57% of all financially motivated cybercrime, and, according to the Global Anti Scam Alliance, the number of scams is growing by more than 10% year on year. The same report also revealed that users in Saudi Arabia are targeted by the most phishing scams in the Middle East.

Countering such prolific scam activity can be challenging for any organization. Group-IB’s scam detection, response and takedown capabilities are designed to eliminate scams at the source, quickly stopping scam activity for good. Most recently, Group-IB uncovered a wide-scale scam campaign that saw malicious actors imitate a leading manpower provider in the Kingdom of Saudi Arabia. In total, Group-IB identified more than 1,000 rogue domains created by the scammers as part of this scheme.

In line with Group-IB’s zero-tolerance policy to cybercrime, the Group-IB Computer Emergency Response Team (CERT-GIB) notified its fellow OIC-CERT member Saudi CERT (CERT-SA) of its findings to assist with subsequent steps to mitigate this scam campaign.

Key Findings

  • 1
    Group-IB analysts uncovered more than 1,000 fake domains mimicking a leading manpower organization in Saudi Arabia.
  • 2
    Campaign was first observed in April 2021 and peaked in activity this past spring.
  • 3
    The malicious actors utilized multi-step social engineering techniques to steal users’ credentials for banks and online governmental service portals
  • 4
    Scammers’ portfolio includes fake websites and social media pages that contain links to WhatsApp conversations.
  • 5
    During WhatsApp conversations, the scammers sent phishing website links to users, who are then tricked into entering their bank account credentials or government service portal logins when asked to make a fake processing payment for sourcing domestic workers.
  • 6
    The scammers created scam pages emulating 11 leading regional banks to steal victims’ bank account details.
  • 7
    One of the spoof websites contained a video message from a broker, who claims to have more than 100 domains impersonating the brand in question for sale at the cost of $10 each.
  • 8
    Vast majority of domains in this campaign are created with affordable, easy-to-register hosting providers.

Detecting the scammer’s infrastructure

Domain spoofing, known as the faking of a website or email domain to make malicious sites or emails look credible, is a weapon that has long been in the arsenal of cybercriminals, especially those targeting users in the Middle East. Earlier this year, analysts at Group-IB discovered more than 270 domains mimicking the names of leading postal and logistics firms across the MENA region, and new schemes are appearing with alarming regularity.

However, the postage scam campaign identified by Group-IB has been dwarfed in size by a new domain and website spoofing scheme comprising more than 1,000 rogue domains. The campaign, which Group-IB researchers believe was launched in April 2021, sees scammers impersonate a leading manpower provider in the Kingdom of Saudi Arabia to steal users’ credentials for banking services and online government portals.

The manpower provider offers businesses assistance in hiring employees for the construction and services sector, and individuals can also source domestic workers through the agency. The latter of these two groups is the target of this scam campaign.

How the scheme works

  • Scammer places advertisements on social media services such as Facebook and Twitter, as well as on the Google search engine. Group-IB detected over 40 advertisements for this campaign on Facebook alone.
  • Victim sees an advertisement for sourcing domestic workers, which they believe to be legitimate due to it looking as if it is being promoted by a leading manpower provider. Victims may also receive an SMS or message in WhatsApp from the scammer with an offer to hire domestic workers from a reputable manpower provider.

  • Victim follows a link from their WhatsApp conversation with the scammer to a phishing page, which contains the official logo of the company to appear legitimate.
  • Victim is prompted to enter their personal information, including their name, phone number, address, and national ID number, and also select the nationality of the domestic worker they wish to hire and the type of domestic service they require (e.g., hourly, residential).

  • Victim is redirected to a new page on which they are asked to pay a small processing fee of 50 or 100 SAR (approximately $13 or $27) to begin the process of sourcing a domestic worker.

    In fact, this transaction doesn’t take place. Instead, it is a ploy by the cybercriminals to gain access to the victim’s bank account in order to complete fraudulent transactions well in excess of this amount.
Figure 3: Users are presented a choice to pay, either via bank payment or card transaction, what they believe to be a 50 or 100 SAR processing payment, although this transaction, which isn’t credited, is a ploy to steal users’ login details or bank credentials
  • Irrespective of how the victim chooses to make the fake payment, they are sent either to a page emulating 11 regional banks or a website impersonating a Saudi government portal. The process of directing the victim to the fake bank page or the fake portal page appeared to be random. In both cases, the victim’s login credentials and two-factor authentication (2FA) code are harvested by the scammers.

  • Scammer receives all the data; this is often via Telegram, email, or a custom-built dashboard.


  • Scammer enters the victim's bank account and makes transactions until the account is empty.
Interestingly, the domain names identified by Group-IB in this scam campaign are registered with the same popular and affordable hosting providers as seen in many other phishing schemes. This underlines how scammers worldwide are utilizing similar tactics, such as launching domains with cheap, easy-to-register, and stable hosting providers, to target victims across the globe.

The peak of this campaign was observed in March of this year, when more than 200 new domain names were registered or hosted. While the number of victims of this scam campaign is unknown, Group-IB analysts believe that the surge in new domains registered in winter 2021 could be a sign that a growing number of internet users had fallen victim to this scheme. As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money.

Over recent months, this campaign appears to have tapered off, as from March onwards, the number of new spoof domain names created monthly has dropped, and in September, 32 new fake domains were registered. Group-IB assumes that the decrease is related to several warning messages about this scam campaign published in April 2022 by financial bodies in Saudi Arabia.

Uncovering the scammer’s infrastructure

The infrastructure of all detected phishing domain names was identified by the Threat Intelligence capabilities of Group-IB's Unified Risk Platform (URP). An example of how the scam campaign's resources are interconnected is provided in the below screenshot from Group-IB's Graph Network Analysis Tool, a patented technology across URP's modules.
Figure 5: Group-IB Graph Network Analysis Tool screenshot detailing infrastructure of all known fraudulent domain names
Every little green dot in this image is either a domain name, SSL certificate, or IP address from this campaign that we have recognized as used for phishing or fraud. This infrastructure is clustered into groups depending on the attribution and services (registrars and hosting providers), represented by the yellow dots in the image, that the scammers used.

Scammers often prepare multiple social media accounts and phishing pages so that they can quickly replace any that are blocked by authorities. By identifying all of the infrastructure, as shown above, the entire scheme can be disrupted in a manner that is not easily circumvented.

Many scammers also rely on others, especially those with specialist skills such as setting up fraudulent domains, to help create their scams. During Group-IB’s analysis, our researchers found a video of a man offering to sell more than 100 domain names containing various typographical or phonetic variations of the name of the manpower agency for just $10.
Figure 6: A screenshot of the selling resource
You know, I feel like it makes more sense, wherever possible, to register something that's openly available, and maybe you can add a word to this phrase, and that will be only 10 bucks.
The individual says in a four-minute video that is contained on one of the fake domains he appears to use as a selling resource in this campaign.
While monitoring the selling resource, Group-IB analysts saw that the list of domain names impersonating the brand is updated on a weekly basis and included, at the time of writing, at least 11 domain names aimed at imitating the brand in question. Group-IB analysts suspect that a further 75 of the 100 domains are being prepared for use in future scams.

As opposed to blocking individual violations, monitoring and eliminating the entire networks scammers set up is critical, as they try to jump from one domain to another quickly. As a result, monitoring the key players in the creation of phishing scams can help proactively prevent scammers from emulating your brand.


Malicious actors expect organizations to monitor for scams and have phishing pages taken down, so they prepare hundreds of replacements that they keep in reserve and launch whenever required.

Brand protection strategies that focus solely on the visible infrastructure struggle to prevent these persistent scams from taking place. Instead, companies and organizations are recommended to leverage holistic solutions, such as Group-IB’s Digital Risk Protection, which can continuously and automatically monitor millions of online resources, including images, redirect chains, traffic sources, and HTML files to keep your brand safe.

How to avoid falling victim to phishing attacks

Recommendations for users
  1. Be cautious while following links that allegedly lead to the website of a specific company, a celebrity or a state agency and only trust links from official resources, such as verified accounts on social media or messengers.
  2. Enter confidential data and bank card details only on trusted websites, and be sure to double check the URL of the site you are entering your sensitive data on.
  3. When visiting links relating to offers by companies shared in messaging apps or on social media, check the domain names. Scammers usually use domain names that look similar to existing brand names as part of their efforts to trick users into entering sensitive data.
Recommendations for rightsholders
  1. Monitor for signs of brand abuse across the internet, including on social media, which is often used by scammers to advertise their phishing pages.
  2. To prevent the illegal use of your intellectual property assets, use Digital Risk Protection (DRP) solutions that help promptly detect threats to a specific brand in the online space and then send them for blocking.
  3. Leverage DRP solutions, which can identify key players in scams and monitor their activity for signs of resource preparation that could indicate that an attack is being developed, and also Issue takedowns proactively to stop new scams before they begin.
  4. Banks can integrate Fraud Protection solutions, to prevent stolen credentials from being used to drain victims’ bank accounts.
As a world leader in scam prevention, Group-IB has extensive experience protecting organizations’ brands. Our Digital Risk Protection solution is best-in-breed, combining AI-powered technologies with highly trained analysts to detect and respond to scams. Group-IB’s three-phase takedown process ensures the swift removal of any scam you may encounter. To learn more contact one of our experts.
Digital Risk Protection
Defend your digital assets with best-in-breed, AI-powered brand protection solution

If you found this article helpful, share it with your friends!