A global scam campaign targeting customers in over 90 countries, including the UAE, Oman, and Qatar, has been discovered by Group-IB. The scammers utilize a tried-and-true technique to steal customers’ personal and financial data by posing as prominent businesses and conducting bogus surveys and giveaways. The total number of big-name organizations impersonated in the operation exceeds 120. Because of a new technique in the scammers’ toolkit — targeted links — the new wave of the scam is more tenacious, making detecting and combating such attacks more difficult.
According to Group-Digital IB’s Risk Protection team, a single scam network’s potential victim pool is estimated to be around 10 million people, with potential harm totaling around $80 million every month.
“Just a couple of years ago, online scams were focused on scale: by indiscriminately targeting users, fraudsters tried to ensure that at least someone would take the bite,” comments Ashraf Koheil, Director of Business Development, Middle East & Africa at Group-IB.
He added, “Over time, as scam awareness was growing, fewer and fewer people fell prey to such scheme, which made it much more difficult for cybercriminals to make money. They started to explore new ways that would meet their financial ambitions. This triggered the scamdemic and the diversity of various fraudulent schemes that we observe today. The variety of scams observed globally today in described in detail in our annual Hi-Tech Crime Trends 2021/2022 report ‘Scams and Phishing’.”
Fraudsters lure their victims in by sending out invitations to participate in a survey in exchange for a prize. Each of these offers includes a link to the survey’s website. The threat actors exploit all lawful digital marketing methods for “lead generation,” including contextual advertising, advertising on legal and rogue websites, SMS, mailouts, and pop-up notifications. Scammers register domain names that are similar to the legitimate ones in order to gain faith from their victims. They were also seen updating links to the calendar and making social media postings on a less frequent basis. After visiting the targeted link, the user enters a process known as traffic cloaking, which allows cybercriminals to serve different information to various users based on user attributes.
However, the download time for this destination”branded survey” page is extremely long. This is because the victims are sent via a series of pages, during which the scammers collect information about their session, such as their nation, time zone, language, IP address, browser, and so on. The final page’s content will be selected by what has been learnt about the user and will be tailored as much as possible to their potential interests. The final scam link is unique to each user and can only be opened once. This makes it more difficult to spot such links, which unavoidably prolongs the scam’s life cycle and makes takedown and investigations more difficult.
At the end of the process, the user is requested to answer questions in order to win a reward from a well-known company, as well as fill out a form that requests personal information that is reportedly required to acquire the prize. Full name, email, postal address, phone number, and bank card information, including expiration date and CVV, are normally required.
An example of a scam page targeting English-speaking users
Fraudsters can use the stolen information to buy things online, create fraudulent user accounts on any online service, or sell personal information on the dark web. In addition to disclosing their personal information, users may be requested to pay a tax or a test payment in order to get the reward.
This form of fraud has been detected in 91 countries, according to Group-IB DRP experts, with fraudsters using at least 121 brands as bait. The scam’s target geographies are Europe (36.3 percent), Africa (24.2 percent), and Asia, based on the nation of origin of the brands impacted (23.1 percent ). Cybercriminals abused nine brands in the Middle East alone, including those from Bahrain, Qatar, Oman, Kuwait, and the United Arab Emirates. Cybercriminals worldwide prefer to target the brands of major telecommunications firms, which receive special “love” in this scheme and account for more than half of all brands exploited, followed by ecommerce and retail.
At least 60 different scam networks that operate targeted connections have been identified by Group-IB analysts. Each of them has an average of over 70 domain names. Over 50 domain names were contained in one of the greatest networks in terms of traffic attracted. According to the amount of visitors, scammers have a potential victim pool of 10 million people on this network alone. Based on the number of sites detected, their minimum conversion, and an average money loss on a scam website, Group-IB analysts estimate the damage at $80 million per month. The Group-IB team was able to determine where the visits came from for each unique website that offers bogus information. India (42.2 percent), Thailand (7 percent), and Indonesia (4.4 percent) are among the top traffic sources for targeted links operators.
