In a new report, Group-IB stated that Classiscam campaigns began on classified sites, where scammers posted fake ads and used social engineering techniques to convince users to pay for goods through bank card transfers.
Over time, Classiscam campaigns have become highly automated and can be conducted on various other platforms such as online marketplaces and carpooling sites.
The majority of victims are located in Europe (62.2%), followed by the Middle East and Africa (18.2%) and the Asia-Pacific (13%). The countries with the highest number of fraudulent transactions in Classiscam chats are Germany, Poland, Spain, Italy, and Romania.
Classiscam, discovered in 2019, refers to an operation consisting of 1,366 separate groups on Telegram. Initially targeting Russia, it has now spread to 79 countries and impersonated 251 brands.
The Classiscam attacks gained traction during the COVID-19 pandemic in 2020 due to the surge in online shopping.
Group-IB said Classiscam is the same as Telekopye, a phishing kit detailed by Slovak cybersecurity company ESET. Cybercriminals use Telekopye to create fake pages from pre-made templates.
Cybercriminals employ various methods to implement the scheme, including using social engineering to trick users into “buying” falsely advertised goods or services and directing them to automatically generated phishing websites.
To prevent links from getting blocked, conversations are often moved to instant messaging apps. The phishing pages are created using Telegram bots.
Certain campaigns targeting specific countries include fake login pages for local banks. Scammers harvest the entered credentials and transfer the stolen money to their own accounts.
Classiscam operators can act as both buyers and sellers. As buyers, they deceive the victim (the seller) into paying for delivery or providing card details for a verification check through a phishing page after claiming that payment has been made.
The backend infrastructure supporting the scam involves workers, bombers, supporters, money mules, developers, and administrators who oversee recruitment and daily operations.
According to Group-IB, Classiscam operations have evolved over time and introduced different tactics, techniques, and procedures. Recently, scammers added a balance check on phishing web pages to assess the victim’s bank account balance and determine the potential amount they can charge to the card.
Some groups have transitioned from traditional Classiscam attacks to conducting stealer campaigns, using malware to collect passwords from browser accounts and transfer the data. Group-IB identified 32 such groups.
As stealer families become more sophisticated and accessible, they not only facilitate financially motivated cybercrime but also serve as a stepping stone for ransomware, espionage, and other post-compromise objectives.
A recent United Nations report highlighted that organized criminal groups are coercing more than 200,000 people in Southeast Asia, mainly in Cambodia and Myanmar, to participate in romance-investment scams, crypto fraud, and illegal gambling. The scams generate billions of dollars every year and involve forced labor, sexual violence, torture, cruel punishments, and arbitrary detention.
The majority of victims are men, although women and adolescents are also targeted. Many victims are well-educated and computer-literate.