A group of cybercriminals has set up a Telegram-based network to organize the production of fake classified ads imitating several classifieds sites across Europe. In a new report published by cybersecurity company Group IB, researchers describe how this network, dubbed Classiscam, works.
Classiscam operators were first detected in the summer of 2019. At the time, most of their activity focused on the Russian-speaking web. But according to Group IB, in 2020 the group diversified its activities to target European countries, including French users.
The scams run by this network start with fake classified ads published on classifieds sites. A victim who shows interest in the ad is invited to continue the conversation on a third-party messaging application, such as WhatsApp. The operator then sends them a link to a fake ad page, which reproduces the look of the original ad but is hosted at an address controlled by the attackers. The goal is to trick the victim into entering their personal data and credit card information on the malicious page so that the attackers can collect them.
Attackers mimic the legitimate domain name to some extent, but in most cases a difference in the domain name extension allows a vigilant person to spot a possible scam. “A careful user may notice the bogus page by looking at the URL and comparing it to the legitimate page. We recommend that all users check the URL and google it to see when it was created before submitting login details or payment details,” said Dmitriy Tiunkin, Europe Director for Group IB.
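The URL comparison described above can be automated on the defender's side, for example in a mail or chat link filter. The following is an added example, not code from the Group IB report: the allow-list, the function names and the sample links are assumptions constructed for illustration, and it covers only the hostname check, not the domain creation date lookup.

```python
from urllib.parse import urlsplit

# Assumption: allow-list of genuine classifieds domains, built for this example.
LEGITIMATE_DOMAINS = {"leboncoin.fr"}


def split_host(url):
    """Return (hostname, netloc) in lower case; urlsplit needs '//' to find the host."""
    if "//" not in url:
        url = "//" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()


def classify_link(url, legitimate=LEGITIMATE_DOMAINS):
    """Classify a link as 'legitimate', 'lookalike', 'unrelated' or 'invalid'."""
    try:
        host, netloc = split_host(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return "invalid"
    if not host:
        return "invalid"
    # Genuine only if the host IS the real domain or one of its subdomains.
    if any(host == d or host.endswith("." + d) for d in legitimate):
        return "legitimate"
    # The brand label anywhere else in the authority (other extension, extra
    # labels, hyphenated name, userinfo before '@') imitates the real site.
    if any(d.split(".")[0] in netloc for d in legitimate):
        return "lookalike"
    return "unrelated"


# Constructed sample links; reserved .example names stand in for attacker hosts.
SAMPLES = [
    "https://www.leboncoin.fr/annonce/1",
    "https://leboncoin.example/annonce/1",
    "https://leboncoin.fr.paiement.example/annonce/1",
    "https://leboncoin.fr@paiement.example/annonce/1",
    "https://annonces.example/annonce/1",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):<11} {link}")
```

A "lookalike" result is a reason to block or warn, while "unrelated" only means the hostname does not imitate a listed brand, not that the page is safe.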
Fake ads on demand
What sets Classiscam apart is its modus operandi: according to Group IB, it comprises a total of 40 different groups, each operating in its own private Telegram group, and brings together a total of 5,000 individuals. Each private group provides access to a dozen bots developed by members of the network, which allow crooks to easily create and host bogus pages mimicking the interface of popular classifieds or e-commerce sites.
In its report, Group IB details the distribution of roles within this ecosystem: the “admins” are responsible for developing new bots and generating new fake ads, while the “workers” are responsible for interacting directly with victims and redirecting them to the fake ads. The last members, the “callers”, play the role of fake telephone support in order to reassure victims over the phone.
Most of the victims are in Russia, but Group IB estimates that more than half of the groups target victims in various countries of the European Union. The examples put forward by Group IB include, in particular, fake LeBonCoin ads. Dmitriy Tiunkin said he tried to contact the various companies targeted by the fake ads but received no response from them. At the time of posting this article, LeBonCoin had not answered our questions on this matter.