Targeted Links Used to Steal Tens of Millions in Global Scam Campaign
By impersonating 121 brands, scammers managed to defraud users in over 90 countries of an estimated $80 million per month, Singapore-based threat hunting and intelligence firm Group-IB reveals.
As part of the scheme, the fraudsters lured victims with fake surveys and giveaways supposedly from popular brands, but which were designed to help the miscreants steal victims’ personal information and credit card data.
The scammers are believed to have targeted tens of millions of individuals in a total of 91 countries, including the United States, Canada, South Korea, and Italy.
To lure their victims, the cybercriminals distributed invitations to partake in a survey, also telling their potential victims that a prize would be offered afterwards. Marketing methods employed in the campaign included advertising on both legitimate and rogue websites, contextual advertising, text and email messages, and pop-up notifications.
Lookalike domains named after legitimate ones were registered to build trust with the victims, and links were often posted on social networks.
“The new wave of the scam is particularly persistent thanks to an innovation in the scammers’ toolset — targeted links, which makes investigating and tackling such attacks increasingly challenging,” Group-IB notes.
By employing so-called traffic cloaking, the cybercriminals were able to display different content to different users, while a long chain of redirects allowed them to gather information about the victim’s session, including browser, IP address, language, location, and more.
Thus, the content on the final page is as much as possible tailored to the victim’s interests, with the customized link accessible only once, making detection much more difficult and allowing the scheme to persist longer.
Once they arrive on the final page, the victim is provided with a series of questions to respond to. The victim is also told that, in order to receive a prize, they should provide personal information such as full name, email and physical address, phone number, and credit card data, expiration date and CVV included.
Group-IB says it has identified roughly 60 scam networks operating the targeted links, with each containing more than 70 domain names on average. With over 50 domain names, one of the networks had a potential victim pool of over 10 million people.
The campaign mainly targeted Europe (36.3%), Africa (24.2%), and Asia (23.1%), but India emerged as the main source of traffic for the fraudulent links, accounting for 42.2% of it. Thailand and Indonesia accounted for 7% and 4.4% of the traffic, respectively.
The fraudsters attempted to exploit brands of leading telecommunications companies, with 20 of them located in the United States. Other impersonated brands are from Canada (9), South Korea (7), Italy (5), Serbia (5), and Singapore (5).