CyberSecurity SEE

Cybercriminals have made more than $64m from Popular “As-a-Service” Operations

A Russia-based scam-as-a-service operation known as Classiscam has been exposed by cybersecurity firm Group-IB. The scheme utilized counterfeit classified advertisements and social engineering tactics to deceive individuals into purchasing non-existent products or services. Victims were tricked into transferring money directly to the malicious actors or their bank cards.

Over the span of four years, Classiscam evolved from a straightforward scam to a highly sophisticated network that operated globally. It involved at least 393 groups and 38,000 participants across 79 countries, engaging in phishing campaigns. These groups impersonated 251 different brands, resulting in a total of $64.5 million in illicit gains, according to a report released by Group-IB.

Between 2020 and the beginning of this year, Group-IB identified 1,366 separate Classiscam groups. The average loss suffered by victims of this scam was $353.

As time went on, Classiscam schemes expanded to allow fraudsters to pose as both buyers and sellers, with many operations becoming automated. This automation lowered the barrier to entry, making it easier for inexperienced participants to get involved.

Furthermore, these operations have adopted a more corporate and hierarchical structure. They now utilize Telegram bots and chats for coordination, facilitating the swift creation of phishing and scam pages. Moreover, many of these groups offer instructions and assistance to other users, emphasizing a collaborative environment.

The scope of Classiscam schemes has broadened beyond classified ad sites and now targets online marketplaces and classified services as well. Scammers impersonate various entities, including classified and reservation websites, delivery services, real estate rentals, retail businesses, carpooling services, and bank transfer platforms. Phishing pages often include features for checking victims’ account balances and harvesting credentials through fake login pages, indicating an ongoing evolution.

Similar to ransomware-as-a-service (RaaS) and other service-based criminal operations, Classiscam allows hackers to multiply potential attacks without extensive technical expertise. They simply need to invest in the necessary tools.

Victor Acin, the Manager at Outpost24, explains the nature of the cybercrime ecosystem, comparing Classiscam to credential-stealing groups like Traffers. These organized groups of cybercriminals specialize in credential theft and typically operate on Telegram, recruiting affiliates and equipping them with the required tools and knowledge to deploy malware, mainly stealers. This highlights how criminals leverage successful business models to increase their profitability.

Importantly, this research sheds light on the increasing popularity of third-party services and providers in the cybercriminal world. These services enable less specialized hackers to use powerful tools and infrastructure for malicious activities across various attack methods such as phishing, DDoS, or malware.

In conclusion, the Classiscam operation, discovered by Group-IB, illustrates the evolution of a Russia-based scam-as-a-service scheme. Over time, it has become more sophisticated, involving a large number of participants and targeting various industries. The adoption of automation and a hierarchical structure has made it more accessible to new participants. Moreover, the use of third-party services highlights the growing trend of leveraging powerful tools for illicit activities in the cybercrime ecosystem.
