Global scam operation ‘Classiscam’ expanded to Singapore

One of the world’s top cybersecurity companies, Group-IB, has discovered that Singapore has become the new home of Classiscam, a sophisticated scam-as-a-service operation.

Group-IB, one of the global leaders in cybersecurity, has uncovered that Classiscam – a sophisticated scam-as-a-service operation – has expanded to Singapore. Active since March 2022 locally, Classiscam fraudsters, as its name suggests, target users of one of the leading classified platforms in Singapore. 

Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data. Ever since Classiscam’s appearance in Singapore, Group-IB Digital Risk Protection (DRP) team has detected a total of 18 domains intended to target buyers on the local classified website, however, according to the team, this number is believed to be significantly higher.

In line with its mission of fighting against cybercrime, Group-IB immediately shared its findings about Classiscam with the members of the Singapore Police Force’s Alliance of Public-Private Cybercrime Stakeholders (APPACT) and the local classified website in question. The main goal of this research is to raise public awareness about the latest scamming methods and reduce the number of victims. 

What is Classiscam? 

Classiscam, initially discovered by Group-IB researchers in 2020, is a fully automated scam-as-a-service affiliate program designed to steal payment and personal data from the users of popular classifieds and marketplaces. The scheme, unveiled by Group-IB experts, relies heavily on Telegram bots and chats to coordinate operations and create phishing and scam pages in seconds. Having originally appeared in Russia, the scheme migrated to Europe, the US and has now infiltrated the Asia Pacific. In the past three years, the Group-IB Digital Risk Protection team successfully blocked close to 5,000 resources that were part of Classiscammers’ infrastructure.

The hierarchy of the Classiscam groups operates in a pyramid formation. A team of administrators is on top of the chain and responsible for recruiting new members, automating the creation of scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The administrator’s share is about 20-30 percent of the stolen sum. “Workers” receive 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs. All details of deals made by workers (including the sum, payment number, and username) are displayed in a Telegram bot.

The group targeting Singapore is just one of many. Since 2019, Group-IB Digital Risk Protection team has identified and categorized 380 different groups operating under the Classiscam model in Telegram, with 90 active groups at the time of this announcement. Currently, more than 38,000 scammers are registered in these groups, which is seven times more than in 2020. According to Group-IB’s estimates, globally, the damage from the Classiscam operations can be as high as $29,500,000. More details about the scheme are available in the Group-IB report “DEMYSTIFYING CLASSISCAM”.

Singapore – now on the Classiscammers’ list

As first reported by Singapore media in May, scammers posing as legitimate buyers, approach sellers on a popular classified site with the request to purchase listed goods. After analyzing the scammers’ modus operandi and network infrastructure, Group-IB researchers immediately identified a familiar pattern and realized they were not dealing with one-off scammers, but with a well-coordinated and technologically advanced scammer criminal network. 

Using its extensive scam intelligence on the Classiscam operation and its patented Graph Network Analysis tool, Group-IB Digital Risk Protection team revealed that the scammers designed a phishing tool that generates fake websites that mimic the official platform of a local classified website used for selling and buying goods. These fake links are generated using web panels or Telegram bots.  

Graphical user interface, application

Description automatically generated
Fake page generator used by scammers. The screenshot above is translated from Russian to English. The original page is designed for Russian-speaking scammers.

After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller’s offer and imitating the official classified’s website and URL. Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment.

Graphical user interface, application

Description automatically generated
Phishing page designed to scam the sellers 

After clicking “Receive funds”, the seller, the victim, in this case, would be redirected to a phishing page where their payment card credentials are retrieved. 

Graphical user interface, website

Description automatically generated
Phishing page mimicking a local classified website that requests victim’s payment details

After the scammers receive credit card details from the victim, they request OTP verification from the bank. This again is a fake OTP page. Once the victim submits the OTP code on the fake website, the scammers can transfer money to their accounts.

Graphical user interface, text, application, email

Description automatically generated
Phishing page mimicking a local classified website that requests OTP 

Additionally, the scammers attempt to check the victim’s bank account balance, to identify the most “valuable” cards as shown on the phishing page below. 

Graphical user interface, application

Description automatically generated
Phishing page mimicking local classified website designed to check the account balance 

No one can hide from the Graph  

Using its patented Graph Network Analysis tool, Group-IB experts were able to reveal the group of interconnected websites operated by this group of Classiscammers. 

The network infrastructure of Classiscam operators targeting Singapore. Source: Group-IB Graph Network Analysis tool

The whole group’s network included more than 200 domains, 18 of which were created to deceive the users of a Singaporean classified website, including 2 active as of July 19th, 2022. The latest domain intended to target Singaporeans was created in the second week of July. 

“They do not live long by design,” says Ilia Rozhnov, head of the Digital Risk Protection team at Group-IB’s Global HQ in Singapore. “To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform. Content on the fraudulent domains is available only by direct links, which are the subsections of these websites.” 

Other websites in the network impersonate Singaporean moving companies, European, Asian, and Middle Eastern classified websites, banks, marketplaces, food and crypto brands, and delivery companies, which proves Classiscam’s global operations. 

“As it sounds, Classiscam is far more complex to tackle than the conventional types of scams,” says Rozhnov. “Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly. In the past three years, we have successfully blocked close to 5,000 resources that were part of Classiscam infrastructure. It was only possible because we were able to identify and eliminate adversary infrastructures which produce resources to support Classiscams with the help of AI-driven digital risk protection, enriched with data on adversary infrastructure, techniques, tactics, and new fraud schemes.” 

Brands that scammers impersonate are strongly encouraged to keep themselves updated with new scamming techniques and schemes. With a specialized Digital Risk Detection system, they can actively monitor and identify phishing domains and fake advertisements.

Fraudsters targeting classifieds and marketplaces can be identified and ultimately stopped using advanced fraud protection mechanisms. For instance, Classiscammers use anonymization tools, such as antidetection browsers to create a unique fingerprint to spoof conventional anti-fraud systems. Group-IB Fraud Protection recognizes the use of such techniques. By correlating this data with other indicators, such as emails and phone numbers that could have been involved in historic fraudulent operations, the number of chat requests it generates per hour, its device parameters, etc., Fraud Protection can identify advanced social engineering schemes.

To avoid falling prey, steps can be taken to tackle the increase in online scamming. Users should always check the domain of the URL to verify if it’s the official website before sharing any personal and payment details. Another recommendation is when communicating with the other party for sale of goods or services, to engage with online chat designed by official websites. Finally, like with conventional scams, individuals should be wary of too-good-to-be-true offers.