Case Study

Hispasec has detected over 800,000 cases of online fraud affecting more than 200 companies

The Threat Intelligence team at Hispasec Sistemas has recently discovered a scam infrastructure being distributed via social engineering techniques. This scam, named ‘Anniversary’, is capable of detecting and adapting to the language and currency of the country from which the fraudulent site is being accessed. The main target is to obtain the online users’ personal data such as phone numbers, address or credit card details.
Fraudulent anniversary promotion
The fraud campaign detected simulates a special promotion tied to an alleged anniversary of the company being impersonated. As can be observed in the image below, the first step of the campaign is its distribution via different social media channels (step 1). The campaign deceives victims by offering gift cards that they can obtain once they fill in a survey (step 2). Once the victim has completed the second step, the fraudulent site shows an allegedly random game in which the victim must choose the correct box, using a company anniversary or some other special event as the pretext, as previously explained (step 3). After the game is completed, the user is asked to share the promotion with their friends via WhatsApp in order to receive the gift (step 4, which returns to step 1).
This is how the attacker uses the victims themselves to distribute the scam campaign among their contacts. In addition, when the victim shares the promotion with their contacts, a new URL on a different scam-related domain is shared too, making the campaign harder to mitigate because of the large number of domain names in use. The next step (step 5) of the scam consists of randomly redirecting the victim through a variety of URLs containing different types of fraud and malicious promotions.
The fraudulent sites use the same design as the official websites of the company the attacker is trying to impersonate, even imitating the official mobile applications of the affected company (where they exist). By using the corporate colors and brand image of the company, the scam is effectively disguised as a legitimate promotion.
We have identified WhatsApp as the main distribution vector in the Anniversary campaign. However, the possibility that other distribution channels are being used, such as posts on other social media networks or additional spam campaigns, cannot be ruled out. This means that the campaign is mainly targeting mobile users, taking advantage of the trust relationship between the victims and their contacts.
Second phase of the fraud
The second phase of this scam campaign begins after the promotion has been shared on social networks. At this point, the victim is randomly redirected to a new, also randomly selected website, as will be explained in a later section of this post. Numerous different fraud strategies have been detected, each requesting new actions from the victim in order to obtain the promised gift.
If a desktop computer is detected (step 5.1), the victim is redirected, among other options, to a site where they are asked to download a Google Chrome extension. This extension simulates a common ad blocker with extra functions that turn out to be malicious. For example, the user may end up downloading additional scripts from this site without being notified. The extension is also capable of accessing the victim's local data and sending it to the attacker, and of executing other background processes that store the collected information and modify the data received by the browser. In short, the attacker knows what the user sends and decides what they can see.
Regarding mobile devices (step 5.2), the use of different social engineering strategies to collect the victims' private information has been confirmed: for example, postal code, phone number or even credit card details. On some of the sites the victim may be redirected to, transport companies are impersonated in order to obtain the victim's physical address. On other sites, the attacker asks for the user's credit card details in order to charge them between €1 and €3, allegedly to confirm the victim's identity. Lastly, the attacker may also ask for the victim's phone number in order to subscribe them to a premium service which, in some cases, has involved a charge of up to €80 per month.
Registered domains
The attackers are using different TLDs such as .cn, .cyou, .shop, .top and .work to register the fraudulent domain names, through services such as the DNSPod registrar (IANA ID 1697) or Alibaba Cloud (IANA ID 3775). Regarding web hosting, most of the fraudulent sites are hosted on Google Cloud servers and sit behind Cloudflare's reverse proxy service, which shields the fraudulent infrastructure from direct identification. Currently, over 800,000 fraudulent sites have been identified under this type of scam.
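The registration pattern above (many short-lived domains on a handful of TLDs, rotated on every share) is something a defender can turn into a triage signal over their own web-proxy logs. The following Python example is added here and is not Hispasec's tooling; the TLD list comes from the paragraph above, while the log format, the hostnames and the client addresses are constructed for illustration and are not indicators from the campaign.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# TLDs the case study names as used for the campaign's fraudulent domains.
CAMPAIGN_TLDS = {"cn", "cyou", "shop", "top", "work"}

# Constructed sample of web-proxy log lines (not real campaign data):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 GET https://brand-anniversary-example.shop/survey 200
2024-05-01T10:00:07Z 10.0.0.12 GET https://brand-anniversary-example.shop/game?box=3 200
2024-05-01T10:00:19Z 10.0.0.12 GET https://gift-share-example.top/redirect 302
2024-05-01T10:00:20Z 10.0.0.12 GET https://prize-claim-example.cyou/card 200
2024-05-01T10:01:02Z 10.0.0.33 GET https://www.example.com/ 200
2024-05-01T10:01:44Z 10.0.0.33 GET https://promo-event-example.work/ 200
2024-05-01T10:02:10Z 10.0.0.45 GET https://brand-anniversary-example.shop/survey 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'foo.shop').
    Simplification: multi-label public suffixes such as .com.cn are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "url": url,
            "host": urlsplit(url).hostname or "", "status": int(status)}


def triage(log_text):
    """Summarise requests to domains on the campaign's TLDs: how many requests,
    how many distinct domains (the campaign rotates one domain per share), how
    many of those hits were redirects, and which client saw which domains."""
    flagged = []
    domains = Counter()
    clients = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["host"]:
            continue
        dom = registrable_domain(rec["host"])
        tld = dom.rsplit(".", 1)[-1]
        if tld in CAMPAIGN_TLDS:
            flagged.append(rec)
            domains[dom] += 1
            clients.setdefault(rec["client"], set()).add(dom)
    return {
        "flagged_requests": len(flagged),
        "redirect_hits": sum(1 for r in flagged if 300 <= r["status"] < 400),
        "distinct_domains": len(domains),
        "domains": dict(domains),
        "clients": {c: sorted(d) for c, d in clients.items()},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['flagged_requests']} requests to "
          f"{summary['distinct_domains']} distinct domains on campaign TLDs")
    for client, doms in summary["clients"].items():
        print(f"  {client}: {', '.join(doms)}")
```

A hit on one of these TLDs is only a triage signal, since plenty of legitimate sites use .shop or .top; what makes a client worth a closer look is the pattern the case study describes, namely a single client walking through several distinct domains on these TLDs within seconds, with redirects in between.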
Considering current market prices for domain names and web hosting services, it is estimated that the investment required to set up the analysed scam infrastructure could be between one million and one and a half million euros per year. Nonetheless, Hispasec's technical team continues to collect information and to find new domains, so the real scale of the campaign is still to be determined.
Affected companies and scope of the scam campaign
Although the real companies neither support nor are related to this scam campaign, it is worth mentioning that all the detected fraudulent domain names offer fake promotions on behalf of over 200 companies, such as Audi, Mastercard, Coca Cola, Facebook, Instagram, Netflix or Amazon, among many others. This is why the number of people who might fall victim to the Anniversary scam campaign is very high: the fraudulent sites adapt to the language and official currency of the targeted country, and they affect many different companies from very diverse economic sectors.