The Classiscam has been identified by Group-IB, targeting western countries.
A massive scam launched on Telegram through a network of bot accounts has scammed victims worldwide out of $6.5 million in the last year, according to global threat hunting and adversary-centric cyber intelligence company Group-IB.
More than 40 groups worldwide, half of whom are in Russia, are operating the scam, which is targeting users of European marketplaces and classified advert websites and accounts. The scheme utilises Telegram bots that generate ready-to-use web pages that look incredibly similar to some of the most widely used classified and marketplace websites and apps, as well as occasionally echoing delivery services.
The platforms that have been recreated in order to launch the scam, which has been dubbed “Classiscam” by Group-IB, include Leboncoin, Allegro, OLX, FAN Courier and Sbazar.
A scam with roots in Russia
The Classiscam plot itself isn’t new; it’s been extant in Russia for a long time. “In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of Group-IB’s Computer Emergency Response Team.
“We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.”
It has been conning people out of cash in Russia since at least the summer of 2019, when it was first spotted by Kargalev and his colleagues at Group-IB. At the coronavirus pandemic pushed people to shop online, activity for the scam spiked as people fell prey to the scam in greater numbers.
The scams, when successful, net criminals an average of around $120 per user conned, according to analysis by Group-IB. That may seem like small-fry, but it’s a significant chunk of people’s income in some countries. The scam has been spotted in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, according to Group-IB.
How the scam works
“As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices,” Group-IB explain.
“The buyer contacts the seller, who lures the former into continuing the talk through a third party messenger, such as WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims. Such services are offered in the underground.”
The current companies targeted are based in France, Poland, Czechia and Romania. With that said, monitoring of conversations on underground forums and in chat rooms indicates that the scammers plan to broaden out the brands they spoof in the scam to include DHL Express in the United States, as well as FedEx worldwide.
Those spoofed companies are used in the part of the scam that captures people’s information. The scammers contact their victims, asking them to provide delivery information through a URL that links to a fake website for the marketplace in question, or the courier they want to mimic. That includes payment details, which allows the scammers to secret away cash from bank accounts.
The reason why the scam hasn’t been more successful to date is simple: language.
“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad.”says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe.
“Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”