From Simple Beginnings, ‘Classiscam’ Fraud Campaigns Go Global

Cybersecurity firm Group-IB in 2019 uncovered a Russia-based scam-as-a-service that used fake classified ads and social engineering methods to convince people to buy goods or services that didn’t actually exist, paying by transferring money directly to the bad actors or to their bank cards.

But what started out as a relatively simple and straightforward scheme – dubbed Classiscam – has over the last four years become much more sophisticated and global in its reach, being used by at least 393 groups with about 38,000 participants running phishing campaigns in 79 countries, impersonating 251 brands, and earning them $64.5 million, Group-IB wrote in a report released today.

The vendor discovered 1,366 separate Classiscam groups that were founded between 2020 and the beginning of this year, and the average cost to victims of the scam was $353.

“Over time, Classiscam schemes have expanded to allow the fraudsters to pose as both buyers and sellers of items, and operations have become automated, which has lowered the barrier of entry for would-be participants,” Group-IB researchers wrote.

The vendor added that Classiscam operations are now becoming more corporate and hierarchical.

“The scheme now utilizes Telegram bots and chats to coordinate operations and create phishing and scam pages in a handful of seconds, and many of the groups offer easy-to-follow instructions, and experts are on hand to help with other users’ questions,” they wrote.

More Targets, More Victims

The attackers have extended the targets of Classiscam schemes beyond classified ad sites to online marketplaces and classified services, with the scammers on their phishing pages impersonating everything from classified and reservation sites to delivery services, real estate rentals, retail operations, carpooling services, and bank transfer platforms.

The phishing pages also may include a way for the scammers to check the balance in targets’ accounts to determine how much they can charge to a victim’s card, as well as fake bank login pages to harvest credentials, a sign that the scheme is continuing to evolve, the researchers wrote.

The scam-as-a-service setup is similar to ransomware-as-a-service (RaaS) and other such operations, with hackers using the available automated tools and a phishing site to quickly ramp up and launch attacks. As with other as-a-service setups, Classiscam rapidly multiplies the number of potential attacks because hackers don’t have to be as technically adept to run them.

They don’t have to write code, create malware, or develop the phishing sites. They simply have to put up the money to access the necessary tools.

A Worldwide Threat

The reach of Classiscam also has changed, moving out of Russia to include victims around the world, with Europeans being the most heavily targeted. 284 individual Classiscam schemes – or 62.2% of the ones Group-IB found – were aimed at Europe. Germany was the most targeted country, followed by Poland, Spain, Italy, and Romania.

The key to Classiscam operations was the ability of the scammers to use social engineering to get victims to access the phishing sites. They try to move chat conversations to messengers to ensure the phishing link isn’t blocked.

“Classiscam workers can play the role of both buyers and sellers of goods on classified sites,” the researchers wrote. “When the worker acts as a buyer, the scammers claim that payment for an item has been made and trick the victim into paying for delivery, or entering their card details to receive funds via a phishing page.”

A More Complex Hierarchy

The so-called “workers” are part of what has been an evolving hierarchy in Classiscam groups. Earlier groups had a pyramid configuration, with administrators at the top who recruited new members and created scam pages, workers who communicated with potential victims, and callers, who pretended to be tech support specialists.

Since earlier this year, the pyramid has grown to include more people carrying out increasingly specialized tasks, including developers for creating and renting out the tools, mules – frontmen for receiving bank transfers – supporters for writing off funds, and legal support for offering legal assistance.

Bombers launch spam attacks through texts and phone calls and workers – as many as 3,000 in some operations – drive traffic to phishing resources.

The fake login pages for local banks are used on some phishing sites and designed to convince victims to input their bank login and password. Scammers grab the information, log into the accounts, and transfer the money to accounts run by mules.

Group-IB found 14 Classiscam groups whose pages included the fake bank login forms.

Thirty-four groups also are using info-stealing malware to collect passwords from browsers rather than running typical Classiscam campaigns.

“These scam groups copied not just the hierarchy, business model, and technical developments of Classiscam … they also continued to use Telegram to coordinate their operations,” the researchers wrote.

Classiscam Becoming More Centralized

Looking ahead, the Group-IB researchers said the Classiscam service might be evolving into a more centralized environment, similar to what’s happening in the RaaS market. The number of Classiscam groups founded on Telegram grew by the hundreds every six months from the first half of 2020 to the second half of 2022, from two to 1,298.

However, in the first half of this year, the growth trend slowed, reaching 1,366. Still, the sharp drop-off doesn’t necessarily indicate the beginning of the end for Classiscam. Researchers last year saw a sharp jump in the number of rental Classiscam bots on the underground market.

“This allowed individuals who were already engaged as Workers in other Classiscam groups to try their hand at organizing their own scam collective,” they wrote, pointing to the centralization trend. “However, not everyone is meant to lead. Many of these groups quickly became unprofitable and shut down, and Classiscam operations are increasingly being dominated by already-established communities with a large following.”

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
