Saving World Health Day: UNICC and Group-IB take down scam campaign impersonating the World Health Organization

Group-IB, a global threat hunting and adversary-centric cyber intelligence company that specializes in investigating hi-tech cybercrimes, and the United Nations International Computing Centre (UNICC), detected and took down a massive multistage scam campaign circulating online on April 7, World Health Day. Scammers had created a distributed network of 134 rogue websites impersonating the World Health Organization (WHO) on its health awareness day, encouraging users to take a fake survey with the promise of funds in return. The scheme targeted millions of users worldwide with the goal of tricking them into visiting fraudulent third-party websites. Upon detection, Group-IB’s Digital Risk Protection reached out UNICC’s Common Secure team as a trusted contact for cyber threat intelligence matters within the UN ecosystem, to assure that proper contacts within WHO were aware of the scam. Group-IB then took down all the scam domains. Group-IB researchers established that one scammer collective, codenamed DarkPath Scammers, is likely to be behind the campaign. The investigation is underway.

No honor among thieves

On April 7, Group-IB alerted UNICC about a fake website impersonating WHO branding. Visitors to the website were encouraged to answer a few simple questions in return for a 200-euro prize on the occasion of World Health Day.

Once users answered the questions, they were prompted to share the link with their WhatsApp contacts. That way, the scammers tried to ensure that their multistage scheme was distributed virally. The users would also see fake Facebook comments about the gifts the commentors supposedly received. Group-IB researchers discovered that when victims hit the share button and unknowingly involved friends in the scam, instead of receiving the promised reward they were redirected to third-party fraudulent resources that offer to take part in another lucky draw. By this time in the scam routine is no longer mentioned as users would visit a hookup website, inadvertently install a browser extension, or subscribe to paid services. In the worst-case scenarios, users would end up on a malicious or a phishing website.

In addition to the scam’s multi-stage nature, which makes it hard to detect, victims were shown customized content depending on their geolocation, user agent, and language settings. For example, the currency of the reward would change depending on the user’s location.

Under the hood

Group-IB’s Digital Risk Protection team discovered that it was not a one-off short-lived website impersonating the WHO brand, but rather a sophisticated distributed infrastructure, which included a network of 134 almost identical connected domains that hosted web pages exploiting the World Health Day theme. Within 48 hours upon discovery, Group-IB managed to block all the rogue domains.

Screenshot from the Group-IB Digital Risk Protection Platform showing the network of 134 rogue websites impersonating the World Health Organization

Further investigation revealed that the 134 domains identified and blocked by Group-IB are part of a wider scam network attributed to a single scammer collective.

Scam syndicate

Group-IB researchers discovered connections between the blocked 134 websites involved in the WHO scam and at least 500 other scam and phishing resources impersonating more than 50 well-known international food, sportswear, e-commerce, software, automotive, and energy industry brands. The analysis of websites revealed that the cybercriminals use scam kits. Like phishing kits, scam kits are sets of tools that help create and design scam pages. One scam kit allows impersonating multiple brands at a time using the same template. It is worth noting that after the takedown efforts by UNICC and Group-IB, the scammers stopped using the WHO branding across their entire network.

Brands impersonated by DarkPath Scammers broken down by industry

While analyzing the infrastructure, Group-IB researchers examined the domains and other digital indicators and concluded that the whole network is likely to be maintained and controlled by a scammer collective codenamed DarkPath Scammers. Most domains with phishing and scam content use CDNs (Content Delivery Networks) to hide the IP address of the real servers. Thanks to its proprietary Graph Analysis system, Group-IB researchers analyzed dozens of SSL certificates, SSH keys, and DNS and were able to track down malicious infrastructure, unveil the IP addresses of the real servers where phishing content was stored, and connect the domains into one distributed scam network. The scammers use the same infrastructure configuration with its own traits and misconfigurations across all their servers. Group-IB continues to monitor the scammers’ activity.

At the time of writing, most scam websites controlled by DarkPath Scammers remain active and target millions of users around the world. The scammers advertise their resources using email blasts, paid ads, and social media. According to Group-IB’s estimates, their whole network attracts around 200,000 users daily from the US, India, Russia, and other countries.

Breakdown of DarkPath Scammers traffic by country

After warning us, we knew Group-IB was the team to deal with this World Health Day scam. They have the expertise and tools to get the job of takedown done, in short order.

Bojan Simetic

Information Security Specialist, UNICC

We are delighted to cooperate with the UNICC in detection and elimination of scams that deceive people into thinking they are dealing with legitimate websites. Yet many brands still underestimate the impact of such scams on their businesses and customers. The approach most companies take when tackling brand abuse online can be compared to tilting at windmills: they overlook the continuous trend involving multistage scams and distributed infrastructure. Scammers use smart advanced technologies and are successful due to the lack of comprehensive digital asset monitoring by brand owners.

Dmitriy Tiunkin

Head of Group-IB’s Digital Risk Protection team in Amsterdam

Organizations should carry out seamless online monitoring to promptly detect any cases of their brands being used illicitly. Many institutions monitor only separate brand infringements, such as phishing pages and domains, but they overlook other elements of fraudulent infrastructure. To obtain a comprehensive picture of all brand violations, companies should use solutions such as Group-IB’s Digital Risk Protection, which promptly eliminates brand infringements online on a pre-trial basis without the need for additional investment or lengthy litigation.

To avoid falling prey to such schemes, online users should carefully examine the website they visit. It is never a waste of time to check whether the link you will click on is identical to the domain of the organization’s official website fraudsters often register domain names mimicking official ones. Anyone who wants to keep their personal data and money safe should foster a habit of always being suspicious of any website on which they plan to enter their data.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.