Group-IB, a global cybersecurity provider, has published its research into a large-scale phishing scheme in which scammers impersonate one of the Kingdom of Saudi Arabia’s leading manpower agencies (KSA). Analysts from the Group-IB Computer Emergency Response Team (CERT-GIB) and Digital Risk Protection Team at the company’s Threat Intelligence and Research Center in Dubai, UAE, examined over 1,000 rogue domains created to impersonate the manpower provider in question as part of a long-term scam campaign.
Group-IB analysts discovered how one person claimed to be offering more than 100 domain names with a logical connection to, or a variation of, the brand in question. In accordance with Group-zero-tolerance IB’s policy toward cybercrime, Group-IB analysts notified a fellow OIC-CERT member, the Saudi Computer Emergency Response Team (CERT-SA), of their findings in order to assist their regional partners in taking any relevant action to combat this scheme.
According to a Global State of Scam Report to which Group-IB contributed, more than $55 billion will be stolen from victims as a result of scams in 2021. The need to combat scammers is all the more pressing given that recent Group-IB research found that scams accounted for 57% of all financially motivated cybercrime, and the number of scams is increasing by more than 10% year on year, according to the Global Anti Scam Alliance. According to the same report, users in Saudi Arabia are the most frequently targeted by phishing scams in the Middle East.
Domain spoofing, or the impersonation of a website or email domain in order to make malicious sites or emails appear credible, has long been a tactic used by cybercriminals around the world, and new schemes appear with alarming frequency. In a separate scam campaign, Group-IB discovered over 270 domain names that imitated over a dozen postal and logistics brands across the Middle East in July.
However, the Group-IB-identified postage scam scheme has been dwarfed in size by a new large-scale domain and website spoofing campaign targeting Saudi Arabian users. Over the past 16 months, Group-IB analysts examined over 1,000 rogue domains associated with a single Saudi company – a leading manpower agency that assists businesses in hiring employees for the construction and services sectors, as well as individuals in obtaining the services of domestic workers. This scam campaign is aimed at the latter of these two groups.
The campaign, which began in April 2021, appeared to reach a climax in March 2022, when over 200 new domains spoofing the agency in question were registered with hosting providers. According to Group-IB analysts, the surge in new domain registrations in early 2022 could indicate that an increasing number of internet users have fallen victim to this scheme. Scammers frequently double down on a particular tactic once it begins to generate money for them, as seen in other examples around the world.
When the phishing campaign exploded in April 2022, Saudi financial institutions warned of a significant increase in financial fraud in the country the previous year. Analysts at Group-IB believe that the subsequent decrease in the number of new domains registered per month imitating the manpower provider has resulted from warnings to users issued by Saudi financial authorities, government institutions, and the brand itself. The creation of 32 new spoof domains in September 2022, on the other hand, demonstrates that scammers are still attempting to impersonate the company.
The driving factor for this scam scheme, according to Group-findings, IB’s is an unholy alliance between scammers and spoof domain brokers. The brokers in this alliance buy the rights to dozens of domain names that contain a typographical or phonetic variation of the attacked brand and sell them to scammers for a low price.
The URLs and the design of the scam pages created as part of this campaign are intended to convincingly imitate the manpower provider in question and trick users into entering their credentials for banking services and online government portals. The scammers can harvest both login information and two-factor authentication (2FA) codes to gain access and complete fraudulent transactions.
The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone.
Figure 1: An example of a Facebook advert created by the scammers (left) that contains a link to launch a WhatsApp conversation (right) in which the cybercriminals implore victim to click URL to phishing webpage.
From there, the victims begin interacting with the scammers via SMS or WhatsApp communication, and a full breakdown of an average victim journey can be found below:
The phishing pages created by the scammers contain the official logo of the targeted brand as a means of building legitimacy in the eyes of the victims.
Figure 2: Phishing page containing the logo of the brand (blurred) to make it look legitimate.
Upon landing on the homepage of the phishing site, the victim is directed to click the large green button that has “apply” written on it. Once they do this, they are transferred to a second page where they are requested to enter their personal information.
Figure 3: Phishing page where users are asked to fill in their name, phone number, address and national ID number. After filling in the requested data, the user has to click on apply.
After entering their personal information and clicking “apply”, the victims are redirected to a page that asks them to select the nationality of the domestic worker they wish to hire.
Figure 4: After clicking apply, the victims are transferred to the next phishing page, where they are asked to choose the nationality of the domestic worker they want to request.
The next stage of the scam sees victims choose the type of domestic service they require (e.g., hourly, in-house).
Figure 5: Phishing site containing the range of domestic worker services the scammers purport to be offering to users.
Once they have completed these steps, the victim is transferred to a page on which they are asked to pay a small processing fee of 50 or 100 SAR (approximately $13 or $27). In fact, this transaction will not take place, as it is merely a ploy for the scammers to harvest credentials, but the victims are presented with the choice of making this fake transaction either via bank payment or a Saudi government portal.
Figure 6: Users are presented a choice, either via bank payment or card transaction, to pay what they believe to be a 50 or 100 SAR processing fee, although this transaction, which isn’t credited, is a ploy to steal users’ login details.
Irrespective of how the victim chooses to make the fake payment, they are sent either to a page emulating 11 regional banks or a website impersonating a Saudi government portal. The likelihood of the victim of being directed to the fake bank page or the fake portal page appeared to be random. In both cases, the victim’s login credentials and two-factor authentication (2FA) code are harvested by the scammers.
Figure 7: Phishing page on which the victim is prompted to make the fake processing payment via one of 11 leading regional banks.
Figure 8: After clicking on the image of the bank of their choice, the victim is asked to enter their login and password.
Figure 9: Phishing page mimicking a Saudi governmental portal asking for the two-factor authentication code, which the user receives once the scammers attempt to log in to the real governmental portal using the credentials harvested in the previous step.
Once the victim enters their data, the threat actors harvest the victim’s login credentials and 2FA code, which can be used to gain access to the victim’s bank or governmental portal account and begin making fraudulent transactions until the account is emptied.
Interestingly, the domain names identified by Group-IB in this scam campaign are registered with the same popular and affordable hosting providers as seen in many other phishing schemes. This underlines how fraudsters worldwide are utilizing similar tactics, such as launching domains with cheap, easy-to-register, and stable hosting providers, to target victims across the globe.
“The primary goal of this research is to raise public awareness in the Middle East of the latest phishing attacks, and to call for internet users to remain vigilant as threat actors continue to convincingly, and with increased regularity, impersonate some of the region’s largest organizations. Scammers are becoming increasingly resourceful and collaborative, and spoof domain brokers are coming to the assistance of cybercriminals. We encourage companies and organizations to monitor for signs of brand abuse, and we also urge internet users to remain vigilant so that they do not become victims of scams such as this,” Mark Alpatskiy, CERT-GIB Senior Analyst, said.
In order to prevent further phishing attacks using spoof domains, companies and organizations should monitor for signs of brand abuse across the internet, including on social media which is often used by scammers to advertise their phishing pages. Group-IB’s Digital Risk Protection solution helps firms and organizations secure their digital assets by continuously and automatically monitoring millions of online resources where brand or intellectual property may be present.
Internet users are urged to show caution and always check the URL domain of the page they are accessing and verify it to see if it is the official website before entering any personal or payment details. Another recommendation is to maintain communication with online chat services or call centers of the official company or organization.
