Introduction

Throughout history, there have been numerous tales of individuals obtaining quick and easy money, dating back as far as humanity can recall. However, with the passing of time and as societies progressed, people began to recognise the negative consequences that money-seeking behavior can bring. Philosophers called it economic materialism. Religious societies referred to it as mammonism. Journalists coined the term money lust, while behavioral scientists have identified such tendencies as greed. Frequently, these patterns result in individuals being deceived by others who exploit their vulnerability for personal gain. Moreover, many individuals nowadays believe that relying solely on their salary leaves them financially insecure. They desire an additional source of income, whether to keep stored away for a rainy day or to splurge on their desires.

Both the ambitious and the prudent could potentially fall victim to a recent large-scale investment scam investigated by members of Group-IB’s Digital Risk Protection (DRP) team based in the Middle East and Africa (MEA) region. The tactics used in this new scam scheme are particularly notable, given that they have appeared with alarming regularity in other campaigns, indicating that they are becoming the go-to choice of scammers worldwide. Group-IB’s Computer Emergency Response Team (CERT-GIB) previously shed light on a similar scam scheme targeting Europe in a blog published last year. However, what truly distinguishes this new scam campaign is its unparalleled global reach, with more than half of the scam sites targeting users in the Middle East. Our blog aims to provide the most up-to-date information on this evolving scam scheme, offering insights into its latest tactics and strategies, along with actionable recommendations for users and for companies whose brand and likeness have been appropriated by cybercriminals.

We have decided to publish this study due to the historic rise in the number of retail investors, motivated by both the COVID-19 pandemic and the proliferation of new trading applications that have made the process of buying and selling shares easier than ever. Many of us either know a keen stock trader or are one ourselves, and discussions on this topic now appear regularly on social media platforms. As a result, the number of investment scams is also rising. The scam campaign that is the subject of this blog uses one of the most visible platforms to advertise its fake get-rich-quick investment scheme. The scammers place Facebook advertisements linking to one of almost 900 scam pages, meaning that as a user scrolls through their news feed or searches for results from a soccer game, they may have their attention grabbed by a colorful advertisement that promises them an effortless way to invest in a well-known multinational company with a strong market record. However, the victim, should they transfer money to the scammers, will get no return on their so-called “investment”.

Group-IB’s DRP team has been monitoring this scheme since the summer of 2022, and most of the scam pages contained as links in the scammers’ Facebook posts are still active. There is evidence to suggest that the scammers registered a small proportion of the domains on which they host the scam pages as early as 2020. Additionally, new Facebook advertisements linking to these pages are appearing every day. Our team promptly blocked all fraudulent advertisements and website pages that appropriated the brand name or likeness of Group-IB clients. We recommend this blog to all retail traders as well as IT specialists from public companies. We note that the fraudulent use of a company’s brand name and likeness can potentially violate the law and cause reputational damages.

Key findings

  • Group-IB’s Digital Risk Protection uncovered almost 900 scam pages offering potential victims the false promise of achieving significant financial gains by investing in large, reputable companies.
  • A total of 35 well-known brands from 13 countries were imitated by the scammers behind this campaign.
  • The most targeted region is the Middle East and Africa (MEA), as 60% of the scam pages created in this campaign to date impersonated companies from the region.
  • The scammers’ core aim is financial gain, achieved by convincing the victim to voluntarily make a payment to enroll in the fake investment scheme.
  • Group-IB estimates the financial losses from this scam campaign over a four-month period (March-June 2023) to be $280,000.
  • Companies in the finance and insurance sector were the most targeted by the scammers, who impersonated organizations from this industry on 29% of their scam sites. Transport (25%) and trading (8.6%) were also highly targeted.
  • Group-IB researchers believe that this campaign burst into life in July 2022, although a small number of domains that were leveraged in this scam were registered in 2020.
  • The peak in site registration for this scam scheme was noted in December 2022, when 308 web pages were launched.
  • The scam is still ongoing at the time of writing, as old pages are still active, and the scammers are placing Facebook advertisements linking to these pages on a daily basis.

Aiming high

At the time of writing, Group-IB researchers discovered that the scammers have impersonated a total of 35 brands throughout the campaign on more than 900 scam pages. This figure includes a number of prestigious, well-recognized companies in 13 countries. The logos of the companies that have been imitated by the scammers are likely recognizable by the vast majority of people in their respective regions, given the highly visible profile of the brands in question.

Group-IB researchers divided this scam scheme into two distinct branches. For convenience, we will refer to the first branch as the “one-domain website” branch and to the second as “lps/lpa subdomains”. The domains involved in this scheme are split along the same lines: the first branch comprises domains with an additional mask in the URL, while the second includes a subdomain labelled “lps”. The main differentiating factor between these two branches lies in the composition of their masks.

Figure 1. How the scammers constructed their domains

The first “one-domain branch” is divided into two types:

  1. If scam content is distributed via a single mask, then the URL marker contains a mask of 2-7 randomly assembled characters.
  2. One-domain branches can also contain 2 masks, denoted by one of the markers “form”, “lp2”, or “lp-form”.

On the other hand, the lps/lpa subdomain branch follows a specific structure that our team was able to decipher.

  1. The website must include the lps/lpa subdomain.
  2. The brand code (both alphabetic and numeric) is a code that displays content specific to a particular brand. In order to load the content, both parts must be correct.
  3. The page variant is a mask component responsible for launching different scam templates for the same brand. Scammers often set this component to a random number so that the content cannot be enumerated by brute force.
  4. The region section indicates which region the domain operates for. For example, there are resources for Arabic brands (ar) or Spanish ones (es).
  5. The individual domain code serves as the launch code for the page. Each domain has a unique code. While the brand code and page variant can be changed, the individual domain code always remains the same for a particular domain.
  6. In this branch, there are two types of links:
    • A link with the full structure, as shown in Figure 1 above.
    • A short structure, in which the brand code is shorter and the page variant is omitted. Moreover, the region code for Arabic brands is either “ar” or “fo”.

All domains have identical HTML, CSS, and JavaScript codes, indicating that they were created using the same template. The domains that don’t share the same code have an identical hash, suggesting that they are being pulled from the same server. Group-IB researchers were able to identify the connection between the two branches of the scam campaign by leveraging the company’s proprietary and patented Graph Network Analysis tool, a feature of Group-IB’s Digital Risk Protection solution. The domains displayed in the upper half of Figure 2 (below) are domains derived from the second branch (the ones with “lps” subdomain). The branches in the lower half of Figure 2 represent domains and other connections stemming from the one-word domains (first branch). As an example, we have provided a screenshot from our Graph Network Analysis tool below, indicating several of these domains (indicated by yellow dots). Consequently, we have been able to identify a link between the two scam branches, comprising at least one domain and an IP address, indicating that they both belong to the same scam campaign.
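As an added example (not Group-IB’s code, and using no real campaign indicators), the Python below turns the two branch structures described above into a URL triage heuristic and groups fetched page bodies by hash, as the paragraph on identical code suggests. The .test URLs and page bodies are constructed, and matching the region code as a whole path segment is an assumption, since the page only names the components.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constants taken from the branch descriptions in the text.
LPS_LABELS = {"lps", "lpa"}                     # subdomain labels of branch 2
REGION_CODES = {"ar", "es", "fo"}               # region codes named in the text
TWO_MASK_MARKERS = {"form", "lp2", "lp-form"}   # markers of the 2-mask variant
SHORT_MASK = re.compile(r"^[a-z0-9]{2,7}$")     # 2-7 randomly assembled characters

def triage_url(url):
    """Classify a URL against the two branches; (None, None) if neither applies.

    Assumption (not from the page): the region code is matched as a whole path
    segment, and the order of the other components (brand code, page variant,
    domain code) is not relied on because the text only names them.
    """
    parts = urlparse(url)
    host_labels = parts.hostname.split(".") if parts.hostname else []
    path = [seg.lower() for seg in parts.path.split("/") if seg]

    # Branch 2: lps/lpa subdomain, ideally with a region code in the path.
    if host_labels and host_labels[0] in LPS_LABELS:
        regions = [seg for seg in path if seg in REGION_CODES]
        if regions:
            return "lps/lpa subdomain", f"subdomain={host_labels[0]} region={regions[0]}"
        return "lps/lpa subdomain", f"subdomain={host_labels[0]} (no region code)"

    # Branch 1, two masks: the path starts with one of the known markers.
    if path and path[0] in TWO_MASK_MARKERS:
        return "one-domain (2 masks)", f"marker={path[0]}"

    # Branch 1, single mask: a lone 2-7 character path segment. Weak on its own
    # (many legitimate sites have short paths): a lead for review, not a verdict.
    if len(path) == 1 and SHORT_MASK.match(path[0]):
        return "one-domain (1 mask)", f"mask={path[0]}"
    return None, None

def cluster_by_template(pages):
    """Group page bodies (url -> str/bytes) by SHA-256 so pages built from one
    template surface together. Singletons are dropped: they show no sharing."""
    clusters = defaultdict(list)
    for url, body in pages.items():
        data = body.encode("utf-8") if isinstance(body, str) else body
        clusters[hashlib.sha256(data).hexdigest()].append(url)
    return {h: sorted(urls) for h, urls in clusters.items() if len(urls) > 1}

# Constructed sample data under reserved .test domains, not real campaign indicators.
SAMPLE_URLS = [
    "https://lps.example-news.test/ab12/7/ar/x9k2",
    "https://lpa.example-media.test/cd/es/q4m8",
    "https://example-invest.test/lp-form/",
    "https://example-trade.test/k3tz9",
    "https://www.example.test/about/team",
]
SAMPLE_PAGES = {
    SAMPLE_URLS[0]: "<html><body>template A</body></html>",
    SAMPLE_URLS[1]: "<html><body>template A</body></html>",
    SAMPLE_URLS[2]: "<html><body>template B</body></html>",
}
```

Run `triage_url` over a feed of advertised links to pick candidates for review, then feed the fetched bodies of the candidates to `cluster_by_template` to see which ones share a template.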

Figure 2. Screenshot of scam infrastructure. Source: Group-IB Graph Network Analysis Tool

Scam in action

Human beings’ brains are wired in such a way that they will always gravitate towards things they are used to. They have evolved to prefer such choices as they bring a sense of safety and confidence. Consequently, scammers in this scheme exploit the reputations of renowned corporate giants, companies that are not only well-known within specific regions but also recognised worldwide. For example, some ads and websites promote the opportunity to invest in one of the largest, most globally renowned oil companies. The oil company, originating from the MEA region, is usually associated with wealth and prosperity, making the advertisement more appealing and eye-catching. Additionally, a significant portion of the targeted companies are government-owned, potentially enhancing their credibility in the eyes of the user. These tactics and techniques are a ploy to capitalize on people’s propensity to trust what’s in front of them, as well as an attempt to exploit people’s vanity and vulnerability. Scientists granted a more elegant and sophisticated name to this phenomenon: social engineering.

The Arabic words “investing”, “investor”, and “investment” originate from a root word that can also be translated as “bearing fruit”, implying the outcome or the result itself. On Arabic-language advertisements and scam sites created for this campaign, the scammers entice individuals with claims that they could earn millions by investing a mere $200. Arabic-language scam advertisements also attempt to impersonate reputable media sources by including the name of a popular newspaper, journal, or magazine in the domain cited in the link. They may also use the words “news”, “media”, “investment”, and “digital”, either in English or in Arabic. Posts targeting other regions also promote the “ease” of obtaining money. Pay close attention to phrases such as “trade safely,” “join without effort,” “just use your mobile phone,” “profits without conditions or restrictions,” and “the best investment opportunity.”

Figure 3. Example of a scam site featuring a legitimate company’s logo (blurred) offering users the opportunity to invest in a prominent MEA company.

If an individual clicks on the link contained in a scam advert on Facebook, they are redirected to a site that contains a form asking for their personal information, such as email address and phone number. Once the user has completed the form, they will begin receiving daily emails at the address they provided. These emails come from a company that claims to be a trading firm and implore the user to sign up for a renowned investment portal. Group-IB has been tracking this trading platform since 2021, and our researchers believe that the scammers running this campaign may be using this portal as a front, or they may have partnered with its owners to drive traffic. The trading platform claims to offer users a “welcome bonus” upon signing up, one-on-one investment counselling and coaching sessions, and “high-accuracy” trading recommendations. Group-IB researchers examined user reviews of the investment portal, and found that almost all are negative. Users frequently complain that representatives of the portal stop communicating once they transfer money. Users are also blocked on messaging platforms once they request a refund. As a result, it seems highly likely that if you upload funds to this portal, you will not be able to withdraw them. Instead, you will be pushed to invest even more money to allegedly reduce the risk of losing your investment.

After a user enters their personal information, the first email they receive contains the login credentials for a trading account on the aforementioned portal. The credentials will include the account number, login information, password, and server name. Additionally, the email will contain a green button with the text “Start Now,” which the user is encouraged to click to make a deposit.

Figure 4. Screenshot of initial email sent to user.

Some of these emails may request the user’s credit card information and a minimum deposit of $250 (although as of June 2023, the website of the trading portal said that the minimum deposit was just $50). For those who prefer not to use their bank card, some websites offer the option of using e-wallets as an alternative payment method. Other emails may push a user to invest in a particular well-known company. One example that Group-IB’s DRP unit received in February advised users to invest “in advance” in certain companies. The promise is that users will receive a good return on investment after these companies release their annual earnings at the end of the fiscal year.

Figure 5. Example of email urging potential victims to invest.

If, after a while, the user does not place a deposit, they can expect to receive a call from a person claiming to be a customer service representative who speaks with a lot of enthusiasm about the benefits of this particular investment scheme. For several minutes non-stop, the user is informed about the profitability of the investment and pressured to take immediate action. The representative emphasizes that in just ten days, the share price will double, making it a “wise” decision to register on the platform during this period. The user is asked for information about their bank card, desired investment amount, and place of residence. They are promised a follow-up call after providing their credentials. Here comes the most interesting part: immediately after the call, the user receives an email with a form where they are required to upload their ID and passport.

These actions carry significant risks and can lead to various harmful consequences. Here are just a few examples:

  • The user’s identity can be stolen and used to open credit accounts or take out loans.
  • The user can unwittingly become involved in criminal activities without their knowledge, as scammers can utilize their stolen identity to carry out various illicit acts.

Scam ROIalty

Thirty-five companies from around the globe were impersonated in this extensive and far-reaching scam. The illicit operation targeted multiple industries, focusing mostly on the financial and insurance sectors as its prime objective, accounting for 29.2% of targeted brands. We assert that this is explained by the industry’s seamless integration with investment opportunities, making it quite an attractive target for fraudsters. Other highly targeted sectors were transportation (25.1%), trading companies (8.6%), oil and gas, and construction (5% each). Furthermore, scammers also created web pages (10.5%) that offered investment services without explicitly referring to any particular brand.

Figure 6. Statistical overview of global investment scam.

In terms of its geographical reach, the scam campaign focused on Arabic, English, and Spanish-speaking individuals, primarily targeting MEA countries (60.2%), Latin America (LATAM, 9.2%), and the Asia-Pacific (APAC, 4.8%).

Figure 7. Example of Spanish-language Facebook advertisement used in this campaign.

One of the first pages used in this campaign was registered in July 2022. Some pages were registered by the scammers earlier but were likely not leveraged in this particular scheme. The campaign burst into life towards the end of 2022, as more than 300 pages were registered in December alone, mostly impersonating a company in the United Arab Emirates. At the time of writing, the reason for the spike in activity in this month is unclear. New pages, as well as new Facebook advertisements were still being created as of June 2023. The campaign is still ongoing and new scam pages and social media advertisements are appearing regularly.

Moreover, the Group-IB Digital Risk Protection team has investigated the potential financial damage of this scam scheme. For this investigation, we selected the scam sites that received the most traffic and analyzed their activity between March and June 2023. Our criteria were the following:

  • The total number of website views, the corresponding percentage share in each region since the domain could target different regions with various brands, and inverted bounce rate.
  • Percentage of possible victims
  • Average monthly salary of affected country
  • Average investment rate

Based on our estimations, the cybercriminals running this campaign could have raked in at least $280,000 over this four-month period, across all the websites used in this scam campaign.

How to avoid falling victim to investment scams

The nature of this scam is rooted in a long history that predates our modern era. It exploits individuals by employing emotive language, false partnerships, and promises of quick and substantial financial gains. Scammers exhaust all avenues, using phone calls, emails, and well-crafted websites to bombard their targets with attention. However, excessive attention can often be a red flag. The concept of investment itself can be traced back to ancient times, even mentioned in the Code of Hammurabi. Throughout history, people have fallen victim to various unconventional investment schemes, taking advantage of the allure of potential financial rewards. The rise of social media and the widespread use of the internet has made it even easier for scammers to perpetrate these fraudulent activities, and users should remember the golden rule – if something sounds too good to be true, it probably is.

Recommendations for users

  • The first step for users is to stay updated on scam tactics and new methods, which are regularly evolving. One effective way is to follow Group-IB’s blogs and social media channels.
  • Any investment opportunities, quizzes, or posts promising quick and easy money should raise suspicion. Easy money often carries the scent of illegitimacy.
  • Read online reviews from other users, as they may have already fallen victim to scams. However, be aware that scammers can manipulate this by purchasing fake positive reviews, so don’t rely solely on them.
  • Never share personal information with third parties unless you are certain of their legitimacy. Scammers can purchase advertisements on Facebook, meaning that many opportunities that appear in your newsfeed may not be trustworthy.
  • Additionally, avoid sharing your bank account information. Doing so can lead to financial losses. If you have already shared such information, it is better to block your card to prevent further issues.
  • Be skeptical when receiving calls or messages that pressure you to take immediate action, using phrases like “the last deal of the year” or making exaggerated claims. Such attention should be regarded with caution.
  • If you are interested in becoming an investor, opt for well-known and secure platforms. Engage in discussions with others and gather information before making any decisions.

Recommendations for companies

  • Diligently monitor social media platforms. These platforms are frequently utilized by scammers to propagate fraudulent activities.
  • Conduct daily monitoring of advertisements, given their transient nature. Their lifespan can be as short as a couple of hours in some cases.
  • Companies should proactively educate their customers on how to discern between scam resources and legitimate ones. Therefore, when identifying such scam campaigns, it is advisable to promptly share this information on the official website or through customer email communication.
  • To prevent the illegal use of your intellectual property assets, use Digital Risk Protection solutions that help promptly detect threats to a specific brand in the digital space and then send them for blocking. These solutions can also issue proactive takedowns to stop new scams before they begin operating.
  • We advise our clients to conduct investigations into brand abuse and scam cases in order to identify the threat actors and collect valuable evidence that can be used to take legal action against them.
  • Leverage high-quality Threat Intelligence solutions to be aware of new schemes and tools cybercriminals use, so you can proactively respond to them and inform your customers.