New hierarchy, heightened threat: Classiscam’s sustained global campaign

The world was a much different place back in 2019. Months before major events such as the COVID-19 pandemic changed the way we live and work, the Group-IB Computer Emergency Response Team (CERT-GIB), in cooperation with the company’s Digital Risk Protection unit, first identified a new, automated scam-as-a-service program that they named Classiscam. This new scam scheme was first identified in Russia in the summer of 2019, but ramped up in the spring of 2020 as the world’s population turned to online shopping to get them through months of self-isolation. Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards. Since then, Classiscam campaigns have become highly automated, and can be run on a host of other services, such as online marketplaces and carpooling sites.

After first conquering Russia, Classiscam looked to take on the world. Group-IB experts noticed how the scam scheme was exported first to Europe, before entering other global regions, such as the United States, the Asia-Pacific (APAC) region, and the Middle East and Africa (MEA). In total, Group-IB researchers have discovered 1,366 separate Classiscam groups that operated at any point between H1 2020 and H1 2023. Analysts from our Digital Risk Protection unit were able to infiltrate Telegram channels belonging to 393 of these groups, which had more than 38,000 participants. In this blog, Group-IB will reveal the findings of its analysis of these groups, providing new insights into the countries most targeted by Classiscam, the industries most frequently impersonated by the group, and the financial losses borne by victims. According to the estimates of our experts, these 393 Classiscam groups have been able to walk away with earnings of $64.5 million.

Key Findings

• Group-IB researchers have discovered 1,366 separate Classiscam groups that were founded on Telegram between H1 2020 and H1 2023.
• 393 of these groups launched phishing attacks on users in 79 countries across the globe, impersonating 251 unique brands.
• The total estimated earnings of these groups is $64.5 million, with the average amount lost by victims worldwide coming in at $353.
• Europe was the most heavily targeted region as Group-IB researchers discovered 384 individual Classiscam schemes (62.2% of global total).
• Internet users in Germany completed 26.5% of all transactions registered in Classiscam chats, the highest value of any country. Next on this list were Poland (21.9%), Spain (19.8%), Italy (13.0%), and Romania (5.5%).
• UK users lost the most amount of money, on average, to Classiscammers, as the average transaction value was $865. Next on this list were users in Luxembourg ($848 per transaction), Italy ($774), and Denmark ($730).
• Classiscammers impersonated classified sites, delivery services, hotel reservation sites, real estate rentals, retail, carpooling services, and bank transfer platforms on their phishing pages.
• Over time, Classiscam operations have become increasingly automated, and Group-IB researchers have seen roles within scam groups become more specialized within an expanded hierarchy.
• Classiscam phishing pages can now include a balance check, which the scammers use to assess how much they can charge to a victim’s card, and fake bank login pages that they use to harvest users’ credentials, signifying that the scheme continues to evolve.

This blog also includes a detailed analysis of how Classiscam campaigns have changed over the past four years. In 2023, would-be cybercriminals can now leverage a range of automated tools to create a new Classiscam scheme – including a phishing site — in a handful of minutes. As a result, we hope to inform internet users of the potential scams they face when browsing sites such as online marketplaces or classified services. Group-IB will continue to monitor global Classiscam campaigns, engaging with both law enforcement and affected brands to assist in efforts to take down these scams. Companies whose brand and likeness are impersonated by scammers are recommended to leverage Digital Risk Protection solutions that can actively monitor, identify, and take down phishing domains.

How Classiscam works and what’s new?

Classiscam was initially launched as a relatively straightforward scam operation. Cybercriminals created fake ads on marketplaces and classified sites, and leveraged social engineering techniques to trick users into “buying” the falsely-advertised goods or services, whether by transferring money directly to the scammers or by debiting money from the victim’s bank card.

Over time, Classiscam schemes have expanded to allow the fraudsters to pose as both buyers and sellers of items, and operations have become automated, which has lowered the barrier of entry for would-be participants. The scheme now utilizes Telegram bots and chats to coordinate operations and create phishing and scam pages in a handful of seconds, and many of the groups offer easy-to-follow instructions, and experts are on hand to help with other users’ questions. A full rundown of how the Classiscam scheme works in practice is provided in the below Figure 1.

Figure 1: How Classiscam groups operate in 2023

The success of Classiscam operations rest on the cybercriminals’ social engineering capabilities to direct potential victims to the automatically generated phishing websites. In order to do this, Classiscam “workers” try to move chat conversations to messengers, a tactic to ensure that the phishing link will not be blocked. Classiscam workers can play the role of both buyers and sellers of goods on classified sites. When the worker acts as a buyer, the scammers claim that payment for an item has been made and trick the victim into paying for delivery, or entering their card details to receive funds via a phishing page, such as those in Figure 2 (below).

Figure 3: Example of phishing form sent to victim when they attempt to receive funds from buyer during Classiscam operation

Classiscam groups previously had a pyramid hierarchy containing three distinct tiers: admins who were responsible for recruiting new members and creating scam pages; workers who communicated with victims; and callers who pretended to be tech support specialists. As of spring 2023, this pyramid has since expanded, and Classiscam groups now contain greater numbers of individuals carrying out increasingly specialized tasks.

Figure 4: Updated Classiscam hierarchy (2023)

Classiscam operations have evolved over time and different tactics, techniques, and procedures have been introduced. In some of the most recent Classiscam operations seen by Group-IB researchers, the scammers added a balance check, completed by the victim, to the phishing web pages. This step was introduced so that the scammers can assess how much money is in the victim’s bank account to understand the amount they can charge to the card.

Figure 5: Example of balance check now introduced to some Classiscam phishing pages. In this example, the victim is instructed to enter their bank balance as part of a verification check.

Phishing pages designed for potential victims in some countries have also been enhanced to include fake login pages for local banks. On these pages, the victim is prompted to enter their bank login credential and password. The scammers harvest these credentials, log in to the accounts, and transfer the money to the accounts of mules. At the time of writing, Group-IB experts found 14 such scam groups that distributed links to phishing pages that contained fake login forms for banking services. In total, Classiscammers created resources emulating the login pages of 35 banks in 15 countries. Among the targeted banks were those based in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.

Figure 6: Phishing page created targeting users in the Czech Republic, giving them option to pay via one of 21 banks

Figure 7: Phishing page prompting victims to enter their login credential for the bank they selected at the stage portrayed in Figure 6.

Another new vector seen in recent attacks launched by Classiscam groups is the use of information stealers, malware that can collect passwords from browser accounts and transfer them to the operator. In total, Group-IB experts identified 34 groups that switched from carrying out traditional Classiscam attacks to instead launching stealer campaigns. These scam groups copied not just the hierarchy, business model, and technical developments of Classiscam, as they also continued to use Telegram to coordinate their operations.

Crunching the numbers

As mentioned above, Group-IB researchers were aware of 1,366 distinct Classiscam groups founded between H1 2020 and H1 2023. Analysts from our Digital Risk Protection unit analyzed the structure and potential earnings of 393 of these groups, which had a total number of 38,000 participants. The bulk of these users were Workers (according to the hierarchy displayed in Figure 4), who shared phishing links created with the assistance of Telegram bots with the aim of attracting victims to these sites. According to Group-IB estimates, the average monetary value of a fraudulent Classiscam transaction was $353, and Classiscammers have been able to walk away with more than $64.5 million in earnings.

At the time of writing, Classiscam groups have attacked internet users in a total of 79 countries worldwide, impersonating 251 unique brands from various industries on their phishing sites. On their phishing pages, Classiscammers most frequently impersonated brands from the following sectors: delivery services, classified sites, hotel reservation portals, real estate rentals, retail, carpooling services, bank transfer portals, as well as pet relocation services, social networks and restaurants. As the above Figure 8 shows, seven countries were added to Classiscam’s target list in H1 2023. These were Albania, Cambodia, Iceland, Israel, Libya, Sri Lanka, Thailand.

All Classiscam Telegram groups create separate channels containing information about debited charges from the bank cards of victims who fall for the scam. Often, these posts contain information on the victim’s location, meaning that it is possible for us to study the approximate scale of Classiscam attacks by-country and by-region. By following this methodology, it was revealed that Europe was the most targeted region by Classiscam, as 384 individual schemes were found (62.2% of global total). The Middle East and Africa region ranks in second place, with 112 individual schemes (18.2% of global total), followed in third place by the Asia-Pacific region, which was hit by 80 Classiscam campaigns (13.0%). Group-IB researchers believe that these dynamics indicate that attacks on European internet users have the potential to bring in larger amounts of money compared to other global regions.

If we move onto analyzing the financial impact of Classiscam, Group-IB researchers found that internet users in Germany fell victim to Classiscam campaigns more so than any other country, as 26.5% of all Classiscam transactions worldwide seen by Group-IB were completed in Germany. Next on this list were Poland (21.9%), Spain (19.8%), Italy (13.0%), and Romania (5.5%).

In Europe, the mean monetary value of each fraudulent Classiscam transaction in H1 2023 was $395, compared to $367 in APAC and $257 in MEA. Group-IB found that internet users in the UK lost, on average, the most to Classiscammers, as the mean amount lost by victims was $865. Next on this list were users in Luxembourg ($848 per transaction), Italy ($774), and Denmark ($730).

Users in APAC and MEA were less likely to fall victim to Classiscam schemes, but when they did, users in Singapore lost $682 on average to the scam. In Australia, this figure was $515, and in Saudi Arabia (MEA), successful Classiscam schemes saw victims lose, on average, $525.

Figure 10: Leaders in average amount charged per fraudulent Classiscam transaction in H1 2023

What’s next for Classiscam? An answer to this question might lie in analyzing data related to the creation of new groups that operate according to this particular scam-as-a-service model. This dynamic is outlined in the below Figure 11.

Figure 11: Cumulative number of Classiscam groups discovered by Group-IB experts on Telegram (H1 2020 – H1 2023).

The significant drop off in the number of new Classiscam groups founded in H1 2023 may not indicate this scam operation is on the way out. In 2022, Group-IB researchers noticed a boom in the number of rental Classiscam bots on the underground market. This allowed individuals who were already engaged as Workers in other Classiscam groups to try their hand at organizing their own scam collective. However, not everyone is meant to lead. Many of these groups quickly became unprofitable and shut down, and Classiscam operations are increasingly being dominated by already-established communities with a large following. As noted in Hi-Tech Crime Trends 2022/23, we are seeing similar trends towards a centralization of the underground economy in the ransomware-as-a-service market as well.

Our methodology

Specialists from Group-IB’s Digital Risk Protection unit monitor existing and emerging cybercriminal groups on a daily basis, tracking information from various sources, from underground forums to messenger channels. Once a community is discovered, our researchers begin to infiltrate.

Researching and infiltrating such communities requires knowledge in communicating with cybercriminals, such as knowledge of slang and scheme design. To join an underground community, it is usually necessary to take a survey, which consists of basic questions about experience in the field (often asking for proof), availability of free time, and source of information about the community, etc.

Once the application to join is approved and the fraudsters’ chats and tools are accessed, Group-IB specialists study all potentially relevant information to attribute the attackers to particular scam campaigns, describe the infrastructure, and replenish our database and knowledge base.

Recommendations

Recommendations for brands:

• Traditional monitoring and blocking methods are insufficient against advanced scams. Instead, it is crucial to employ AI-driven Digital Risk Protection systems to identify and block adversary infrastructure. These systems regularly update their databases with information about adversary techniques, tactics, and new fraud schemes.
• Utilize specialized Digital Risk Protection systems that proactively detect new fake domains, fraudulent advertising, and phishing pages.
• Continuously monitor underground forums for any information regarding attempts to exploit your brand for illegal purposes.
• Analyze phishing attacks to attribute them to specific criminal groups, uncover the identities of scammers, and take legal action against them.
• If you or your company become victims of fraud, immediately contact the police and notify the technical support team of the website involved. Share any relevant correspondence with the scammers. You can also report fraud to CERT-GIB 24/7 by visiting their website or emailing response@cert-gib.com

Recommendations for users:

• Prior to entering your payment card details into any online form, verify the URL and perform a Google search to determine the creation date of the page you’re visiting. If the site is relatively new, such as a couple of months old, it is likely to be a scam or phishing page. Trust only official, genuine websites.
• Exercise caution when encountering significant discounts on electronics or a range of other goods, as they may be bait products or phishing pages created by scammers. If a deal seems too good to be true, be wary.
• When using services for renting or selling new and used goods, avoid switching to messengers. Keep all communication within the official chat service provided by the service.
• Refrain from ordering goods or engaging in deals that involve prepaid transactions. Only make payment after receiving the goods and ensuring their proper functionality.