Scammers lure Signal users into a trap with fake cash prizes

Scammers are targeting Signal users with an urgent request to accept a cash prize, with the aim of harvesting credit card information.

"Your number is one of the top Signal users. You are eligible for a prize of up to $10,000," reads a message on my Signal desktop app.

It allegedly comes from Signal Support. This particular message was sent from a Russian number: +7 961 557-18-15.

[Image: A message on Signal from scammers, written in Russian, allegedly from Signal Support]

It is a typical social engineering attack. Scammers add a sense of urgency, giving their victims limited time to make a decision.

"You need to claim this prize in the next 24 hours," the message reads. Attackers then provided me with a bogus link to claim the prize.

"A prize is guaranteed for every user - forward to victories!" it said.

I've never heard of a lottery where everyone's a winner, and that is one of the many clues indicating that this is a scam. Moreover, the added sense of urgency is a common tactic that scammers use to defraud victims.

Threat actors are trying to disrupt your OODA loop - a model for decision-making that stands for “observing, orienting, deciding, and acting” - compelling you to take action without thinking your decision through first. You will never hear scammers say, “reply whenever it's convenient to you” or “at your earliest convenience.”

After reporting this particular scam message to the real Signal Support, I asked Cybernews researchers to figure out what these scammers are after.

The malicious link in the message apparently leads to a carding website. Carding refers to the unauthorized use of stolen credit card information. It might include buying prepaid gift cards to cover up the tracks of criminals, exploiting personal data, or money laundering.

The website said I would immediately receive around 270,000 Russian rubles (approximately $3,500) in my account. It also noted that 10% of the prize money would be deducted as a commission fee, leaving me with just over 240,000 Russian rubles as soon as I entered my credit card details. The message also said I would be receiving money from Русское лото (Russian Loto).

[Image: Carding website designed to steal credit card information]

What’s your data worth on the black market?

All the signs point to a possible carding scam. The carding market encompasses two segments: selling card data in text format (card number, expiration date, cardholder’s name, address, and CVV) and card dumps (information taken from the card’s magnetic stripe).

According to cybersecurity company Group-IB, carding is a $1.4 billion market. However, it decreased by 26% in the first half of 2021, compared to the first half of 2020. Researchers explained the slump by the lower number of dumps offered for sale. In January 2021, the notorious carding platform Joker's Stash shut down, which resulted in the number of offers shrinking from 70 million records to 58 million and the average price of a bank card dump falling from $21.88 to $13.84.

However, the number of bank card text data records put up for sale soared from 28 million records to 38 million over the review period. Researchers explained this by the higher number of phishing websites mimicking famous brands. The average price for text data climbed from $12.78 to $15.2.

Credit card text data is usually collected via phishing websites and banking Trojans, as well as by breaking into e-commerce websites and using JS sniffers - malware designed to steal financial data from sites.

Card dumps are usually obtained with skimming devices or by using Trojans for PCs with connected Point-of-Sale terminals.

“Carding will become less appealing for threat actors,” Group-IB forecast. “Given that many card shops were closed, we expect the number of bank cards put up for sale to go down with time. This will mostly affect the selling of dumps.”

Recently, there have been alarming changes in the carding sphere. A year after Joker’s Stash closed, another long-standing carding platform UniCC announced its retirement. In February 2022, more carding websites ceased to exist: Trump’s Dumps, Ferum, Sky-Fraud, and the RDP shop UAS. Cybersecurity company Digital Shadows linked the closure of popular carding platforms to the recent arrests of cybercriminals.


prefix 11 months ago
Hi, just writing to add to what is mentioned in the article.

It seems that the attack may be targeted towards Lithuanian phone numbers. There aren't any reports that I could find in other countries about this spam message. And since this website has Lithuanian writers it was the first one that I could find publishing this story.

The attack seems to have started recently and may be related to the current geopolitical tensions in the region.

To add: there seems to have been one report from a user twelve days ago. The user did not provide enough information to determine whether it was the same scam message but seemed worried and also suspected a targeted attack. The message was sent from a Russian phone number with the name "Signal Support".