A team of security researchers recently discovered that Russian-speaking scammers have started targeting European marketplaces and classifieds users via Telegram bots to steal money and payment data.
The scheme, named Classiscam by researchers at Group-IB, uses Telegram bots to generate ready-to-use pages duplicating popular delivery services, marketplaces, and classifieds. The researchers found that around 40 groups are perpetrating this scam, operating from the Czech Republic, France, Bulgaria, Romania, Poland, the US, and Russia, and that they earned $6.5 million in 2020 alone.
These groups use Telegram chatbots to communicate with victims and mimic the webpages of leading brands such as Allegro, Leboncoin, FAN Courier, OLX, Sbazar, and others, before luring victims into visiting the phishing pages. Group-IB said it has notified the affected companies so that they can take precautions against this new scam.
Analysts at Group-IB confirmed that these scammers, who started by exploiting delivery brands, have now begun targeting the users of European classifieds and marketplaces, thereby increasing their profits and reducing the risk of getting caught.
“On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total,” the research stated.
Group-IB's Computer Emergency Response Team (CERT-GIB) first identified Classiscam in Russia in the summer of 2019; however, the scammers' activity rose significantly in the spring of 2020, with the massive switch to remote working and the increase in online shopping.
“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages. We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions,” said Yaroslav Kargalev, the deputy head of Group-IB Computer Emergency Response Team (CERT-GIB).
The scam initially started with scammers publishing 'bait ads' on marketplaces and classified websites, offering items like game consoles, cameras, smartphones, laptops, and similar goods for sale at unbelievably low prices. Once buyers contacted the scammers, they were redirected to continue the conversation on platforms like WhatsApp and Telegram to close the deal.
If the conversation took place via Telegram, the criminals used chatbots, which are Telegram accounts operated by software with artificial-intelligence features, and which generate a complete phishing kit.
These phishing kits include links to fake websites of popular courier services and to scam websites that mimic a classified site or a marketplace, along with a payment form. A "refund" page is also available; it offers fake support lines for victims to call once they have realised they were scammed. To appear more legitimate, many scammers also use local phone numbers to speak to these victims.
“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad. Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it,” said Dmitry Tiunkin, Deputy Director of Anti-Piracy and Brand Protection at Group-IB.