Hunting for the "Mammoth": the life of a scammer and the road to the west

Father

Social engineering, fake couriers and services.
Source: Group-IB Digital Risk Protection and CERT-GIB, the text is slightly modified to match the format of our forum.

Beginning
What prompted this research was our, so to speak, entomological interest in the activity of scammers working a new scheme built around fake courier delivery of goods ordered online: "what is it that you bastards came up with?"

The first mass use of the "Courier" or "Mammoth" scheme in Russia ("mammoth" is scammer slang for "victim") was recorded by CERT-GIB and Group-IB Digital Risk Protection specialists in the summer of 2019 after complaints from deceived users. However, the peak of fraudulent activity came in 2021, driven by the pandemic, the transition to remote banking and a 30%-40% increase in demand for online purchases and, accordingly, for courier delivery services.

The investigation, which lasted several months, resulted in two reports: the first with a detailed description of the new scheme, the hierarchy and the shadow accounting of participants in criminal groups, and the second on the migration of scammers to the CIS, Europe and the United States.

Currently, at least 20 large groups are working against users and brands from Romania, Bulgaria, France, Poland, the Czech Republic, the United States, Ukraine, Uzbekistan, Kyrgyzstan and Kazakhstan, and there are about 40 of them in total.
The annual earnings of all criminal groups using this fraud scheme are estimated at more than $6.2 million, and the damage from the "courier scheme" can only grow.

This story began on an April evening in 2021, when Evgeny Ivanov was on duty at CERT-GIB (the Group-IB Information Security Incident Response Center) and was analyzing incoming requests: user complaints about a popular courier service.
"Hello there! Yesterday I became a victim of scammers. Ostensibly on behalf of the courier service, I received an email with a confirmation and a payment request for delivery of the product. I went to this site, it looked exactly like the service's site, then I entered my card details and didn't even enter an SMS confirmation, but the money was still somehow debited automatically."

And here's another complaint, the twin sister of the first one:
"I wanted to buy a used action camera of a certain brand. On the popular bulletin board, prices are more or less the same, with a small spread. However, I saw an offer that was half the price. It was too suspicious, but I decided to try it anyway. The phone number was unavailable, so I wrote to tech support. Standard questions. After that, the seller offered to continue communicating in WhatsApp. That's where the fun begins. I offered to use the delivery service from the service itself. The seller instead offered it through another popular courier service. The secure-transaction-service type. Thank you in advance!"

A third complaint came in as well. It turned out to be a whole family of frauds!
"Yesterday I corresponded with the seller about an ad for the sale of a camera. The fraudster offered to move to WhatsApp or Viber for further communication by calling +x xxx xxx-xx-xx. I was satisfied with the camera and decided to buy it. The fraudster offered to send the goods by delivery via a courier service, after which I received an email from the alleged company with a notification about the receipt of a parcel in my name and an offer to pay for the goods and delivery. I went to this fake site with a fake payment form and made the payment without suspecting a trick."

All these fake resources had similar characteristics:
  • They were copies of official pages (not self-written crap, but code-level copies with all the dynamic elements).
  • The payment pages of different fake services were identical, except for the logos.
  • We found examples of resources where several phishing pages were located on subdomains at once.
We decided to dig deeper and came across one of the ads recruiting for the scam project. As we studied this thread on the forum in more detail, we could only wipe away the sweat: we were taken aback by the scale of the new scheme and by the arrogance and impunity of the scammers on this shadow forum.
Once a woman called us on the round-the-clock CERT-GIB line; the same bastards had stolen her last money. What does losing $1000 - $3000 mean to the average person? There were also larger losses, under $5000. What the hell are these devils doing?
In the first part of our research, we collected and documented in detail all the information about the scheme and its participants: threads, comments on forums, screenshots of payments and reviews, and open channels in Telegram. We studied the profiles of "admins" and "workers" on the forums and built connections using the Group-IB network graph. In addition, we were greatly helped by complaints from users who provided their correspondence with the scammers.

So, let's move on to what we found out.

Part 1. Stages and description of the fraudulent scheme "Courier".
At the dawn of this scam, Internet scammers acted rather clumsily: they created a fake ad on a message board and used social engineering to push the user into making a purchase, that is, transferring money to a bank card. Standard techniques were used: low product prices, discounts or gifts, limited time to buy, talk of a queue of people wanting to buy, and so on. Groups appeared and died off, but one thing remained unchanged: scammers received money, and users did not receive their products.
Site owners responded by building an "escrow service" into their sites: an electronic protection system for online purchases, in which the site "freezes" the transfer until the buyer has received the goods, and only after no complaints are raised is the money released to the seller. In addition, the sites' own protection systems blocked links to phishing sites sent by scammers.
In the end, the scammers found a way to bypass this protection, used automated tools to generate phishing pages, and brought the deception mechanism itself almost to perfection. Let's take a closer look at how the scheme works.

1. Creating a "bait lot"
Attackers register new accounts (or use hacked ones) on free classified-ad services and post "bait lots": ads selling goods at low prices, aimed at different target audiences: cameras, game consoles, laptops, smartphones, chainsaws, car sound systems, sewing machines, collectibles, fishing goods, sports drinks, etc.

2. Contact with the victim
After users of the service contact the attackers through the platform's own internal chat, they are invited to move to WhatsApp or Viber to discuss the purchase and delivery.

3. Preparing for the transaction
Already in messenger chats, attackers request the victim's full name, address, and phone number, ostensibly to fill out a delivery form on the courier service's resources.

4. Payment on a phishing resource
The victim is then sent links to phishing resources that completely copy the official pages of popular courier services. The page at the link shows the data the victim provided earlier, which they are asked to verify and then pay on the same page.

5. A refund that doesn't exist
Some of the victims are deceived a second time, "bred for a refund". Some time after paying for the goods, the buyer is told that an emergency has occurred at the post office. The legend can be anything; for example, a post office employee was allegedly caught stealing and the ordered goods were confiscated by the police, so to compensate for the transferred amount you need to request a "refund". In practice, of course, the same amount is simply debited from the card again.

6. Reverse scheme
Later, an updated version of the fraudulent scheme appeared, in which fraudsters act as buyers, not sellers.
A "worker" searches the same free bulletin boards for ads selling any goods. A mandatory condition for the ad: the seller has allowed contact by mobile phone by selecting the option to show their phone number to everyone, and the product is available for purchase with delivery.
The fraudster contacts the seller directly through the chats of popular third-party messengers, thereby bypassing the secure chats of the classified-ad platforms, expresses a desire to purchase the listed product and confirms that the seller's offer is still current.
The fraudster then claims that he will immediately make a "purchase with delivery", while generating a new phishing page with an automated Telegram bot, using the real name, photo and price of the lot.
Within a minute the phishing page is ready and can be sent to the victim seller in the messenger chat, with the explanation that everything has already been paid for and an offer to check and collect the money. To receive the funds, of course, the seller will need to enter their bank card details.

Variety of scams: renting real estate and finding travel companions
Today, there is an extensive selection of courier service brands that fraudsters use to create phishing pages. Recently, however, they have also taken an interest in sites with ads for cars and auto parts, electronics stores, real estate rental resources and passenger transportation services.
The fraudster doesn't care whether the site rents out real estate or sells bicycles. What matters to him is that the service has internal messaging between users and "secure" transactions within the site itself, which allows him to substitute the final payment link with one on a lookalike domain.
In November 2020 alone, there were about ten fake sites mimicking a popular real estate database. The attackers used the standard schemes for deceiving users of online message boards, offering to make an advance payment, which in the case of rental housing can be quite high. The number of fraudulent domains containing the names of well-known services in various consumer segments more than doubled in the second half of the year.
The attacks on apartment rental services involve the same groups that created fake sites for popular courier services. In the summer, there was an increase in attacks on hotel booking sites, when during the holiday season people were able to travel only within Russia, then the scammers switched to apartment rental services. We should not exclude internal competition among criminal groups, which motivates them to look for opportunities to earn money in new areas.

Part 2. Criminal groups
The Group-IB team discovered numerous disparate groups that specialize in this type of fraud.

August 28, 2020:
  • The first post about recruitment on hacker forums is published
  • Later, 95 topics devoted to this type of fraud were found on forums and Telegram channels

Now:
  • $10000: the daily turnover reached by a single fraudulent group of several active people.

The composition of a typical criminal group:
  • TS (Topic Starter): the group organizer, the "admin". Responsible for the software and functionality of the payment system, user support, and distribution of funds;
  • Employees ("workers", "spammers"), whose tasks include registering "one-day accounts" on free ad services, creating "decoy ads" from prepared templates, communicating with victims via chats on ad platforms and/or instant messengers, and delivering phishing links to victims;
  • So-called "callers" or "returners", who act as "support service operators" of courier services. Having gained the trust of citizens, they offer victims a refund, often pointing them to essentially the same resource. As a result, funds are debited from the victims' cards a second time.

In the course of studying the forums, we came to the conclusion that the number of such groups is estimated in dozens. Absolutely all criminal groups are interested in scaling up their business and attracting fresh forces.
For example, one of the largest criminal groups, calling itself the Dreamer Money Gang (DMG), hires workers through a telegram bot and promises training, "the best domains on the market" and fast payments without hidden interest. DMG's daily turnover exceeds 200,000 rubles.
The revenue of another criminal group grew rapidly in early 2021: $ 20000 (January), $ 100000 (February), $ 300000 (March), $ 500000 (April).

Here's how fraudulent accounting works:
All transactions of "workers" are displayed in the Telegram bot: the amount, the payment number and the nickname of the "worker".
In one of the chatbots there are numerous transfers for amounts ranging from $150 to $2500. First, the money lands in the accounts of the "admin", who then distributes the income to the rest of the group members.
As a rule, "workers" receive 70-80% of the transaction amount in cryptocurrency; "admins" promptly transfer the money to the workers' crypto wallets. Admins keep 20-30% of the revenue for themselves.
The "refund" scheme is worked by the so-called "callers" or "returners", who act as "operators" of the courier service's support desk. After contacting the victim by phone or in instant messengers, they offer to issue a refund, while funds are debited from the victim's card again.
The "caller" can receive either a fixed amount or a percentage of the stolen money, from 5% to 20%. It is extremely rare for the workers themselves to act as a "caller", since "callers" are narrow-profile specialists with well-trained social engineering skills, a clear, well-delivered voice and the readiness to answer the most unexpected questions of doubting customers on the spot.
After analyzing payment messages in the chatbots, Group-IB analysts found that 20 of the 40 active groups are focused on foreign countries. On average, they earn $60,752 a month, but the income of different groups is not uniform. In total, the monthly earnings of the 40 most active criminal groups are estimated at at least $522,731.

Part 3: Automating and Scaling your Business
In addition to deception using social engineering techniques, fraudsters also have to solve technical problems: registering domain names that resemble those of delivery companies and creating phishing pages, keeping the payment services working around the so-called "900 error" (when the bank blocks an operation or the card to which funds are being transferred), registering new accounts and buying new phone numbers. On top of that, they have to recruit new workers, create new phishing resources, provide technical support, and so on.
Most of these problems were solved by Telegram bots. With their appearance, the fraudster no longer needs to build the so-called "admin panels" for generating phishing pages. Now it is enough for the worker to drop a link to the desired bait product into the chatbot, after which the bot itself generates a complete phishing kit for it: links to the pages of the courier service, the payment page and the refund page.
In addition, Telegram has its own full-fledged 24/7 support service, and there are stores that sell everything necessary for fraud: accounts on the right bulletin board, phone numbers, e-wallets, targeted e-mail newsletters, sales of other scam projects, and so on, up to offering the services of lawyers who will protect the fraudster in court if necessary.
Currently, more than 5,000 unique scammer users are registered in the 40 most active chats.
There are more than 10 types of Telegram bots that create pages for foreign brands in France, Bulgaria, Romania, Poland, and the Czech Republic. For each brand and country, scammers write instructions (scripts) that help novice "workers" log in to foreign sites and conduct a dialogue with the victim in the local language.
As a result, the quality and convenience of creating phishing pages, as well as the support service for scammers, have grown quite significantly. All this caused an unprecedented increase in fraud on message boards and a huge number of people who want to engage in such a profitable and simple business.

Registration of a novice worker is carried out through a Telegram bot, through underground forums, or directly through the admin (TS). There are open and closed group chats.
Consider the closed ones. To get into a fraudulent project, you need to go through a "hiring" procedure in a Telegram bot, where the candidate is asked about their experience of fraudulent activity in other projects, where they learned about the project, and whether they have profiles on underground forums.
After a worker has already passed the registration procedure, they get access to three chats: an information chat (help about the project, plans, and manuals), a worker chat (scammers communicate with each other, share their experience, and discuss projects), and a financial chat (a report on payments). It is noteworthy that chat rooms with payouts are publicly available, and it is possible that they are used for advertising purposes to attract new candidates.
Statistics are kept on worker payouts, and the best ones are added to the public list of top payouts. They get access to the VIP chat of "tops", get access to VIP scripts, for example, to work in the USA or Europe, while other scammers do not have access to this chat.
In addition, there is a separate chat of callers, which contains manuals on how to talk to victims.

Part 4. Migration to the West
Active counteraction to fraudsters on the part of Group-IB, as well as companies that own courier services and bulletin boards, spurred the online migration of fraudulent groups from Russia to the CIS and European countries that began in the spring. Also, the attackers began to search for new niches, as, for example, happened with the appearance of phishing sites for popular rental sites and bookmakers. The Russian Internet zone has once again become a test site, allowing attackers to scale criminal business to the international arena.
Until 2021, attacks on foreign brands were already recorded - software for generating phishing pages was available in closed communities for scammers with work experience, but these were isolated cases.
In mid-February, advertising for Telegram bots with free access began to appear on forums, offering generation of phishing forms for the Ukrainian version of the OLX free classifieds site.

Example of a phishing resource using the OLX brand (Ukraine)

In April, offers for a new type of scam began to appear: Kufar, a Belarusian site for free ads.

A little later, CDEK (Belarus) and Belpochta brands were added.
In May 2020, the Romanian version of the site was added to the Ukrainian OLX scam. Already in early August, a scam of the Bulgarian and Kazakh versions of OLX appeared in open telegram bots.
Scammers did not stop at working the scheme in the CIS countries. At the end of August, a scam of the French free classifieds site Leboncoin appeared in popular Telegram bots.
This was followed in October by a scam of the Polish version of the free classifieds site OLX.
The addition of Western brands to telegram bots is very active. At the end of November, phishing forms appeared for the Polish e-commerce platform Allegro and the Czech free classifieds site Sbazar.

It is worth noting that the scam of European brands is more difficult than in the CIS:
Scammers face language problems and difficulties verifying accounts on websites, which forces them to buy stolen personal documents and phone numbers through forums and communities. For "admins" there is the problem of linking foreign-currency credit cards to Telegram bots. This is solved by using experienced drops (front persons for receiving and withdrawing money).
For each brand, enthusiastic scammers write scam instructions that help newcomers log in to foreign sites and conduct a dialogue with the victim.
The appearance of new foreign brands is actively discussed in fraudulent communities. The following scam brands are expected to be added soon: izi.ua, prom.ua, FedEx DHL Express (USA/BG), CDEK KZ/USA.

Part 5. How to deal with the "Mammoth"?
Analysts warn that the scheme developed in Russia quickly scales to European and American sites, where Russian-speaking scammers go to increase capitalization and reduce the risk of being caught. The fight against the scheme requires further consolidation of the efforts of companies promoting goods delivery services, free bulletin boards, and the use of advanced digital risk protection technologies to quickly detect and eliminate criminal groups.

Recommendations for brands
  • Unlike in Russia, where courier services, free bulletin boards, and real estate rental resources were the first to take the Mammoth hit, the vast majority of users and security personnel of international companies are not yet ready to counteract this type of fraud.
  • To prevent such "advanced scam schemes", classical monitoring and blocking is no longer enough - it is necessary to identify and block the infrastructure of criminal groups using an automated system for identifying and eliminating digital risks based on artificial intelligence, the knowledge base of which is regularly fed with data on infrastructure, tactics, tools and new fraud schemes.
  • Use specialized Digital Risk Protection systems that proactively detect the appearance of fake domains, fraudulent advertising, and phishing.
  • Ensure continuous monitoring of underground forums for the appearance of facts related to attempts to use the brand for illegal purposes.
  • Conduct analysis of phishing attacks in order to attribute the criminal group, reveal the participants and bring them to justice.

Recommendations for users
  • Trust only official sites. Before you enter your bank card details in any form, study the site address, Google it, and check when it was created. If the site is a couple of months old - it is very likely fraudulent.
  • Big discounts on equipment are one of the signs that the "bait lot" on free ad sites was created by fraudsters. Be careful.
  • When using services that sell new and used goods, do not move to instant messengers; conduct all correspondence only in the service's own chat.
  • Do not order the product in advance - pay only when you have received the product and made sure that it is working properly.
  • For example, the official site is cdek.ru, while other addresses (cdek.nu, cdek.in, cdek.at, cdek-box.ru, cdek-dostavka.info) directly indicate forgeries.
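The two user-side checks above (is the address a lookalike of the official domain, and was it registered only a couple of months ago) are also the core of what a brand's own monitoring does. The following Python is an added example written for this post, not Group-IB tooling: it classifies candidate hostnames against one brand token and flags recently registered domains. The brand `cdek` and the domains cdek.ru, cdek.nu, cdek.in, cdek.at, cdek-box.ru and cdek-dostavka.info are taken from the list above; the other sample hosts, the 90-day "couple of months" threshold and the registration dates are constructed for illustration. Registration dates would in practice come from a WHOIS/RDAP lookup performed by the operator; the code takes them as input so it runs offline.

```python
"""Lookalike-domain and domain-age triage for one brand (added example)."""
from datetime import date

BRAND = "cdek"                 # brand token from the post
OFFICIAL = {"cdek.ru"}         # allowlist of genuine hostnames (from the post)
MAX_AGE_DAYS = 90              # assumption: "a couple of months old" is suspicious
# Common digit/letter substitutions used to imitate a brand name (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Undo simple homoglyph substitutions so 'cd3k' compares as 'cdek'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; one insertion/deletion/substitution away is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return a verdict string describing how the host relates to BRAND.

    Simplification: the registrable label is taken as the second-to-last
    DNS label; multi-part public suffixes such as co.uk are not handled.
    """
    host = host.lower().strip(".")
    if host in OFFICIAL:
        return "official"
    parts = host.split(".")
    if len(parts) < 2:
        return "invalid"
    label, subdomains = parts[-2], parts[:-2]
    if label == BRAND:                       # cdek.nu, cdek.in, cdek.at
        return "tld_swap"
    if label.startswith(BRAND + "-") or label.endswith("-" + BRAND):
        return "brand_with_affix"            # cdek-box.ru, cdek-dostavka.info
    if normalize(label) == BRAND:            # cd3k.ru
        return "homoglyph"
    if levenshtein(label, BRAND) <= 1:       # cdk.ru
        return "typosquat"
    if BRAND in label:                       # mycdekdelivery.com
        return "brand_embedded"
    if any(BRAND in s for s in subdomains):  # cdek.ru.payment-check.info
        return "brand_in_subdomain"          # (phishing hosted on a subdomain)
    return "unrelated"


def too_young(created_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True if the domain was registered fewer than max_age_days ago."""
    created = date.fromisoformat(created_iso)
    today = date.fromisoformat(today_iso)
    return (today - created).days < max_age_days


def assess(host, created_iso=None, today_iso=None):
    """Combine both checks; returns (verdict, list_of_reasons)."""
    verdict = classify(host)
    reasons = [] if verdict in ("official", "unrelated") else [verdict]
    if created_iso is not None and today_iso is not None:
        if too_young(created_iso, today_iso):
            age = (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days
            reasons.append("registered_%d_days_ago" % age)
    return verdict, reasons


def triage(observed, today_iso):
    """observed: iterable of (host, created_iso) pairs, e.g. from a feed of
    newly registered domains. Returns only the hosts that need attention."""
    flagged = []
    for host, created_iso in observed:
        verdict, reasons = assess(host, created_iso, today_iso)
        if reasons:
            flagged.append((host, verdict, reasons))
    return flagged


if __name__ == "__main__":
    # Constructed sample feed: page-listed domains plus a few made-up ones.
    SAMPLE = [
        ("cdek.ru", "2005-06-20"), ("cdek.nu", "2021-03-01"),
        ("cdek-box.ru", "2021-02-10"), ("cd3k.ru", "2021-03-20"),
        ("cdek.ru.payment-check.info", "2021-04-01"), ("example.com", "1995-08-14"),
    ]
    for row in triage(SAMPLE, "2021-04-15"):
        print(row)
```

In a real deployment the allowlist and the brand token would be configuration, the feed would be the registrar's newly-registered-domain list or certificate-transparency logs, and every flagged host would go to takedown, not just to a print statement.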

Thanks for your attention!