
What is scam 1.0 and scam 2.0 in simple words

Man

Who are workers and how do they cheat on trading platforms?

Fraud on message boards and marketplaces has become a serious problem due to the emergence of organized crime groups. They operate on the Fraud-as-a-Service model, constantly improving their schemes to steal money and personal data from gullible users.

There are two main types of fraud:
  1. Buyer scam (scam 1.0) — the fraudster pretends to be a seller and offers to send the goods to the buyer by delivery. When the buyer inquires about the terms of delivery and payment, the fraudster (in the role of the seller) asks the buyer to send their full name, address and phone number, and also to pay for the order on the website. If the victim agrees, they are sent a phishing link to pay for the goods (in a third-party messenger or in the dialogue on the site itself, if the site does not block such links). As soon as the user enters the card details on the fake site, the fraudster gains access to them and writes off all funds.
  2. Seller scam (scam 2.0) is a more common scheme. The fraudster poses as a buyer and deceives the seller, persuading them to send the goods by delivery and make a so-called "safe transaction" or use a "safe payment method". As in the case of scam 1.0, the attackers send a phishing link to the seller who agrees to the deal, either in a third-party messenger or directly in the dialogue on the site. The page at the link requests payment card details. If the seller enters them, the attacker writes off all the money from the card.

In both cases, the victim is redirected to a fake website that is visually identical to the real one, but with the purpose of stealing data. Below is a detailed description of the scam 2.0 scheme.

In the scam 2.0 scheme, the attackers carefully select potential victims. They are interested in ads that the seller has paid money to promote. They are also attracted by high-quality photos of the product and a willingness to communicate in messengers. Finally, the attackers look for sellers who use third-party messengers and are willing to provide a phone number. This is found out already at the stage of communication with the seller.

The main goal of the scammers is to convince the victim to follow the phishing link and enter payment information. Communication begins with standard questions about the product, its condition, reasons for sale, etc. Experienced scammers ask no more than 3 questions so as not to arouse suspicion.

Then the attacker announces interest in purchasing, but indicates that he cannot pick up the product in person and pay in cash due to being in another city (or another reason). After this, he offers to use "safe delivery".

The fraudster describes in detail the scheme of a fictitious payment, in which the victim is asked to follow a phishing link and provide details for transferring money.

The payment scheme looks roughly like this:
  1. I'm paying for your product on [venue name].
  2. You will receive a link to receive money.
  3. You follow the link and indicate the account number to which you would like to receive money.
  4. As soon as you receive the money, the order processing service contacts you and assigns a convenient delivery method for you. The delivery will already be paid for. The goods will be packed and processed for you.

If the seller agrees, the scammers gain access to their payment details and empty their accounts. The cost of the goods is irrelevant: even if the seller has indicated an insignificant amount in the ad, the scammers will write off everything they can.

If the victim starts arguing and persistently refusing this payment method, the scammer disappears, as he does not want to waste time. If the seller asks to continue the correspondence on the official website of the trading platform, the scammer concludes that he knows about the fraud and is unlikely to follow the phishing link, so he also stops responding and starts looking for a new victim.

In the scam 2.0 scheme, there are two main types of phishing pages: some are copies of the trading platform page with the victim's ad, others imitate secure payment services, such as Twin.

The fake page differs from the original only in minor details. In particular, instead of the button Inserent kontaktieren ("Contact the author of the ad"), the phishing page has a button Receive 150 CHF ("Receive 150 Swiss francs").

Structure of fraudulent groups
Recently, entire groups of scammers have emerged that specialize in bulletin boards. There is a clear division of roles in criminal groups:
  • Topic starters (organizers) manage all activities of the group.
  • Coders are responsible for developing and maintaining technical infrastructure.
  • Returners (technical support) help victims “resolve” the issues they have before their money is stolen.
  • The fraudsters are directly involved in writing off money from stolen accounts.
  • Workers are "field agents" who directly interact with victims. Etc.

A gullible user who has already been deceived is called a mammoth by scammers. The amount on the bank card that the victim indicated when clicking on the phishing link is called "logs". The amount withdrawn from the victim's card is called profit.

The attackers communicate in closed chats, keep statistics, and constantly improve their methods of work.

Geographic coverage and targeting
Scams of the scam 1.0 and scam 2.0 types appeared several years ago, and both schemes can still be found on Russian-language bulletin boards. However, recently, scammers have switched to foreign countries, especially Switzerland, where the population is less familiar with such fraudulent schemes. To increase trust, they study local languages and traditions. The group also operates in Canada, Austria, France and Norway.

Detailed manuals have been developed for newbie workers: how to register, ensure anonymity, conduct dialogues with victims, bypass the protective restrictions of the sites, etc. After receiving payment data, the "vbivers" withdraw money in various ways - they issue loans, transfer to e-wallets, buy equipment, etc.

Special Telegram bots are used to automate the process. They allow you to quickly create phishing links that copy the interface of real sites, track victims' clicks on links, and receive notifications about "successful" payments. Bots are constantly updated, new statistics, tools and functions are added to them.

To avoid becoming a victim of fraud, it is important to trust only official sites, not to go to third-party resources from unreliable sources, not to enter card details until the goods are received, and to avoid QR codes from suspicious places.
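
A marketplace-side message check built from the indicators the post describes (links that leave the platform, look-alike hosts, "safe delivery" wording, moves to third-party messengers). This is an added example, not part of the original post; the host `marketplace.example`, the brand token, the phrase lists and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: the platform's real host and its brand token.
OFFICIAL_HOSTS = {"marketplace.example"}
BRAND = "marketplace"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LURE_RE = re.compile(r"safe (delivery|transaction|payment)|receive (the )?money", re.I)
MESSENGER_RE = re.compile(r"\b(whatsapp|telegram|viber)\b", re.I)

def is_official(host: str) -> bool:
    """True only for the official host or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def flag_message(text: str) -> set:
    """Return the scam 1.0/2.0 indicators present in one chat message."""
    flags = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url.rstrip(".,;:!?)")).hostname or ""
        except ValueError:          # malformed URL: treat as untrusted
            host = ""
        if not is_official(host):
            flags.add("off_platform_link")
            if BRAND in host.lower():   # brand name inside a foreign host
                flags.add("lookalike_host")
    if LURE_RE.search(text):
        flags.add("payment_lure")
    if MESSENGER_RE.search(text):
        flags.add("messenger_move")
    return flags

def should_block(text: str) -> bool:
    """Block an off-platform link that comes with a lure or a look-alike host."""
    flags = flag_message(text)
    return "off_platform_link" in flags and bool(flags & {"payment_lure", "lookalike_host"})

# Constructed sample dialogue, not taken from any real conversation.
SAMPLES = [
    "Is the bike still available? What condition is it in?",
    "I'm in another city, let's use safe delivery. Write me on WhatsApp.",
    "Paid. Link to receive money: https://marketplace.example.pay-order.example/receive/150",
    "My other ad: https://www.marketplace.example/item/42.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(should_block(msg), sorted(flag_message(msg)), "|", msg)
```

Messages that carry a lure or a messenger request but no link are flagged without being blocked, so they can be routed to review or trigger an in-chat warning to the seller.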