A new automated scam-as-a-service has been unearthed, which leverages Telegram bots in order to steal money and payment data from European victims.
The scam, which researchers call Classiscam, is being sold as a service by Russian-speaking cybercriminals, and has been used by at least 40 separate cybergangs – which altogether made at least $6.5 million using the service in 2020.
These groups have bought into full-fledged scam kits, equipping them with Telegram chatbots for automated communication with victims, as well as customized webpages that lead victims to phishing landing pages. These are all the tools needed to scam victims out of money – when in reality, the victims think they are buying online products.
“Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot,” said researchers with Group-IB, in a Thursday analysis. “At least 20 of these groups focus on European countries. On average, they make around $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make $522,000 per month in total.”
The Scam
First, the cybercriminals who have bought these kits publish “bait ads” on popular marketplaces and classified websites, such as French classifieds site Lebencoin or German logistics industry giant DHL. Products such as cameras, game consoles, laptops or smartphones are posted at deliberately low prices.
If a victim contacts the seller, they are asked to continue communicating through a third-party messenger app, either WhatsApp or Telegram. If these communications occur via Telegram, the ploy uses Telegram chat bots. According to Telegram, bots are Telegram accounts operated by software – not people – that will often have artificial-intelligence features.
The cybercriminals behind the ploy merely need to send a link with the bait product to the Telegram chatbot, which then generates a complete phishing kit.
Digging deeper, the phishing kit includes a link to either a fake popular courier service website, or a scam website that mimics a classified or a marketplace with a payment form, which is actually a scam page. A “refund” page meanwhile offers fake support lines for victims to call if they have realized they have been scammed; the “tech support team” is actually a member of the cybercriminal gang using the service.
“As a result, the fraudster obtains payment data or withdraws money through a fake merchant website,” said researchers. “Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace and obtained via Telegram bot, so that the seller could reportedly receive the money from the scammer.”
The Service
The hierarchy of the gangs behind the scam works in a pyramid, said researchers – admins at the top are responsible for recruiting members and creating scam pages and new accounts. Below them, workers communicate with victims and send them phishing URLs, while others pose as tech-support specialists who talk to victims about their “refunds.”
“Scammers are making their first attempts in Europe, [and] an average theft costs users about $120,” said researchers. “The scam was localized for the markets of Eastern and Western Europe.”
Researchers said “the scheme is simple and straightforward, which makes it all the more popular.” The use of Telegram bots plays into its growing popularity, they said. Telegram recently saw a surge in new users after WhatsApp came under criticism for its privacy policies.
Researchers said that more than 5,000 scammers were registered in 40 most popular Telegram chats by the end of 2020, showing that the ploy continues to grow on the Telegram platform.
Threatpost has reached out to Telegram for comment.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.