Russian threat group targets online vendors in Singapore

A cyber-gang that targets legitimate sellers on internet advertising forums to harvest their payment credentials and drain their accounts has expanded its illicit operations into Singapore.

The revelation comes from IB-Group, which has been tracking Classiscam since first spotting it in 2020 and is itself based in the Asian city-state.

“Classiscam fraudsters, as its name suggests, target users of one of the leading classified platforms in Singapore,” said IB-Group’s cybercriminal investigation wing. “Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data.”

Thought to have originated in Russia before expanding to Europe and the US – and now, apparently, Asia – Classiscam is big business, and is believed by IB-Group to have netted nearly $30 million in illicit revenue at the time of writing.

This is shared between the ringleaders, who take a 20-30% cut of proceeds, and their contracted scammers, who make this payment in return for access to the Classiscam toolkit of services, which includes fake web pages designed to impersonate legitimate purchasers and technical assistance when banks attempt to block suspicious credit card payments.

Since it began monitoring the cybercriminal collective, IB-Group has spotted around 380 groups operating under the Classiscam umbrella on Telegram, a messaging platform popular with malicious hackers, cyber partisans, and other online actors more likely to fall foul of the law.

It estimates that Classiscam has around 38,000 fraudsters on its books, a sevenfold increase since 2020, although only around a quarter of the total groups detected appear to still be active.

Pyramidal hierarchy

“The hierarchy of the Classiscam groups operates in a pyramid formation,” said IB-Group. “A team of administrators is on top of the chain and responsible for recruiting new members, automating the creation of scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction.”

It added that the fraud scheme relies heavily on bots to provide these automated facilities, while using online chat functions to coordinate campaigns. The latest of these, targeting Singapore, is thought to have commenced in March.

And contrary to what one might think, the outfit is targeting online sellers, and not buyers, to illicitly obtain their banking details.

“Scammers generate a unique phishing link that confuses the sellers by displaying information about the seller’s offer and imitating the official classified’s website and URL,” said IB-Group. “Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment.”

This is a cunning ploy to get legitimate sellers to part with their credit card details to facilitate a payment or action a delivery that is destined never to arrive – instead the Classiscam threat actors harvest their details using the phishing page.

The victim is then directed to another bogus site that asks them to verify the information they have just provided with a specially generated OTP code that can be checked against their other personal identifying information, such as an email address or mobile number.

According to IB-Group, this second stage of the con gives the scammers the complete package of information they need to drain a victim’s account.

“Once the victim submits the OTP code on the fake website, the scammers can transfer money to their accounts,” it said. “Additionally, the scammers attempt to check the victim’s bank account balance, to identify the most valuable cards.”

Organized, agile… and going global

IB-Group says Classiscam has around 200 domains in its nefarious cybercriminal empire, about a tenth of which have been set up to target Singaporean classified domains in recent months, the latest one being in July.

Ilia Rozhnov, head of digital risk management at IB-Group, added that the user interface system underpinning this network of fake sites makes it hard to track: “To complicate detection and takedown, the homepage of the rogue domains always redirects to the official website of a local classified platform. Content on the fraudulent domains is available only by direct links, which are the subsections of these websites.”

He added: “Classiscam is far more complex to tackle than the conventional types of scams. [It is] fully automated, and could be widely distributed.” IB-Group had to use AI-driven data tracking technology to zero in on the threat group, which has the potential to “create inexhaustible [malicious] links on the fly.”

The cybersecurity firm urges online buyers and sellers always to check the URL of any purported classified domain, to ensure it is genuine before parting with any payment details.

“When communicating with the other party for sale of goods or services, engage with online chat designed by official websites,” it added. “Finally, individuals should be wary of too-good-to-be-true offers.”
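The URL check advised above can be automated for links received in chat. The sketch below is an added example, not code from IB-Group or the article; it judges a link by its own hostname only, since the rogue domains' homepages redirect to the real site. The official domain `classifieds.example`, the brand word and the sample links are placeholder assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): placeholder official domain and brand word.
OFFICIAL_DOMAIN = "classifieds.example"
BRAND = "classifieds"


def classify_link(url: str) -> str:
    """Judge a link by its own hostname only. What the page displays, or where
    the domain's homepage redirects, says nothing about who runs the host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"  # no scheme/host, e.g. a bare "classifieds.example/x"
    # Official means the exact domain or a true subdomain of it. The leading
    # dot matters: "notclassifieds.example" must not pass a suffix match.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Punycode or non-ASCII labels cannot be compared by eye; send to review.
    if "xn--" in host or not host.isascii():
        return "review"
    # Brand word in any label, or in the userinfo before "@", on a foreign host.
    userinfo = (parts.username or "").lower()
    if BRAND in host.replace("-", "").replace(".", "") or BRAND in userinfo:
        return "lookalike"
    return "unrelated"


# Constructed sample links for illustration only.
SAMPLES = [
    "https://www.classifieds.example/item/123",
    "https://classifieds.example.order-pay.test/item/123",
    "https://classifieds-delivery.test/get/123",
    "https://classifieds.example@pay.test/123",
    "https://notclassifieds.example/item/123",
]


def triage(links):
    """Map each link to its verdict."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {link}")
```

Only the "official" verdict means the link points at the platform itself; every other verdict is a reason not to enter card details or an OTP on that page.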