Scammers are attacking Signal users with an urgent request to accept a cash prize to harvest credit card information.
"Your number is one of the top Signal users. You are eligible for a prize of up to $10,000," reads a message on my Signal desktop app.
It allegedly comes from Signal Support. This particular message was sent from a Russian number: +7 961 557-18-15.
It is a typical social engineering attack. Scammers add a sense of urgency, giving their victims limited time to make a decision.
"You need to claim this prize in the next 24 hours," the message reads. Attackers then provided me with a bogus link to claim the prize.
"A prize is guaranteed for every user - forward to victories!" it said.
I've never heard of a lottery where everyone's a winner, and that is one of the many clues indicating that this is a scam. Moreover, the added sense of urgency is a common tactic that scammers use to defraud victims.
Threat actors are trying to disrupt your OODA loop - a model for decision-making that stands for “observing, orienting, deciding, and acting” - compelling you to take action without thinking your decision through first. You will never hear scammers say, “reply whenever it's convenient to you” or “at your earliest convenience.”
After reporting this particular scam message to the real Signal Support, I asked Cybernews researchers to figure out what these scammers are after.
The malicious link in the message apparently leads to a carding website. Carding refers to the unauthorized use of stolen credit card information. It might include buying prepaid gift cards to cover up the tracks of criminals, exploiting personal data, or money laundering.
The website said I would immediately receive around 270,000 Russian rubles (approximately $3,500) in my account. It also noted that 10% of the prize money would be deducted as a commission fee, leaving me with just over 240,000 Russian rubles as soon as I enter my credit card details. The message also said I would be receiving money from Русское лото (Russian Loto).
What’s your data worth on the black market?
All the signs point to a possible carding scam. The carding market encompasses two segments: selling card data in text format (card number, expiration date, cardholder’s name, address, and CVV) and card dumps (information taken from the card’s magnetic stripe).
According to cybersecurity company Group-IB, carding is a $1.4 billion market. However, it decreased by 26% in the first half of 2021, compared to the first half of 2020. Researchers explained the slump by the lower number of dumps offered for sale. In January 2021, the notorious carding platform Joker's Stash shut down, which resulted in the number of offers shrinking from 70 million records to 58 million and the average price of a bank card dump falling from $21.88 to $13.84.
However, the number of bank card text data records put up for sale soared from 28 million records to 38 million over the review period. Researchers explained this by the higher number of phishing websites mimicking famous brands. The average price for text data climbed from $12.78 to $15.2.
Credit cards’ text data is usually collected via phishing websites and banking Trojans, as well as breaking the e-commerce websites and using JS sniffers - malware designed to steal financial data from sites.
Card dumps are usually obtained with skimming devices or by using Trojans for PCs with connected Point-of-Sale terminals.
“Carding will become less appealing for threat actors,” Group-IB forecast. “Given that many card shops were closed, we expect the number of bank cards put up for sale to go down with time. This will mostly affect the selling of dumps.”
Recently, there have been linked the closure of popular carding platforms to the recent arrests of cybercriminals.in the carding sphere. A year after Joker’s Stash closed, another long-standing carding platform UniCC announced its retirement. In February 2022, more carding websites ceased to exist: Trump’s Dumps, Ferum, Sky-Fraud, and the RDP shop UAS. Cybersecurity company Digital Shadows
More from CyberNews:
Subscribe to our newsletter