CyberSecurity SEE

Krebs on Security Reports on Service Renting Email Addresses for Account Signups

Kopeechka[.]store, a new service, is offering to help cybercriminals dramatically reduce the costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a large pool of established accounts at major providers. The service is a unidirectional email confirmation-as-a-service offering that promises to “save your time and money for successfully registering multiple accounts.” Customers of this service don’t get full access to the email inboxes they are renting, but they can configure their botnet or spam machine to make API calls to the Kopeechka service, which responds with a working email address at an email provider of their choosing.

Once the supplied email address is entered into the new account registration page at a website or service, customers tell Kopeechka which service or website they’re expecting an account confirmation link from, and the company will then forward any new messages matching that description to their Kopeechka account panel. Kopeechka can rent the same email address to multiple customers, at least until that email address has been used to register accounts at most of the major online services. Kopeechka has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software.

The company also rewards people who choose to sell usernames and passwords for working email addresses to Kopeechka. Kopeechka means “penny” in Russian, and the company charges a tiny fraction of a penny per account confirmation message, with pricing fluctuating slightly based on the email provider chosen.

The company’s service was already seen in action in May, when KrebsOnSecurity interviewed a Russian spammer named “Quotpw.” Quotpw was mass-registering accounts on the social media network Mastodon to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms. Much of the story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure. Chaput’s team was forced to temporarily halt all new registrations for these communities in May after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.

After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet contained an API call to Kopeechka’s service. “It allows them to pool many bot-created or compromised emails at various providers and offer them to cybercriminals,” Chaput said. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”

It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless that person already runs a botnet and has access to ridiculous numbers of email credentials. The service offers scammers a new way to wring extra income from resources that are already plentiful for them.

Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams. The crypto scam affiliate programs under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.

Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a fake reputation service called Scam-Doc[.]com, a website that mimics the legitimate Scamdoc.com for measuring the trustworthiness and authenticity of various sites. The phony reputation site routinely gave high trust ratings to cryptocurrency scam and casino websites. “We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
