30 November 2020

Lotsy Evolution. Group-IB warns of new scam using branded surveys

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered a new wave of multi-stage Lotsy scams involving the misuse of more than 90 well-known brands, including KitchenAid, KFC, IKEA, Golden Village and many others. Lotsy has evolved significantly and now affects users in multiple countries worldwide, among them Singapore, Malaysia, New Zealand, Indonesia and Sweden. The Group-IB Digital Risk Protection team has identified close to 250 fake Facebook pages and 101 fake advertising campaigns. Group-IB has reached out to the affected brands with the help of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) to report the violations.

The Lotsy scheme was first reported by Group-IB researchers in August 2019. The scam relies on a freebie strategy: it combines the illegal use of famous brands with fake surveys to lure people onto fraudulent third-party websites. The new wave of Lotsy identified by the Group-IB Digital Risk Protection team, however, has grown more sophisticated and covert, now using fake brand pages and ad campaigns on Facebook as well as surveys hosted on Google Forms.

COVID-19 has given rise to digital crime of all kinds. On October 20, Singapore police alerted the public to a new variant of phishing scam leveraging fake advertisement campaigns and lucky draws from banks. Not only have public and private companies embraced the transformations brought about by the pandemic, but so have fraudsters, who see opportunities to deceive users. A recent survey suggested that searches for cooking-related keywords and kitchen appliances increased before and during the circuit breaker in Singapore. Accordingly, Group-IB researchers identified at least 150 non-official Facebook brand pages for KitchenAid alone. Beyond KitchenAid, another 86 brands such as KFC and IKEA were similarly affected by fake pages impersonating them. Fraudsters use these fake Facebook brand pages to launch massive ad campaigns on social media, leveraging the platform's built-in tools to reach a wider audience.

With a greater audience and more traffic, fraudsters opt to use social media sites for advertising. "Another reason social media is a prime choice for fraudsters is because many more online shoppers look to social media instead of Google before making a purchase. Promoting fraudulent ads on Facebook leaves users almost unable to check if it belongs to the official page before clicking on it and starting a fraudulent journey."

Ilia Rozhnov

Head of Group-IB Digital Risk Protection in APAC

The ads resemble normal Facebook promotional posts, using the same creatives as the legitimate brands do. Such posts prompt users to follow a unique bit.ly link in order to win a prize. However, instead of a fraudulent link, as was the case with the Lotsy scheme previously, the ad links to a survey on a Google Forms page that asks simple questions about the brand. Using multiple Google Forms helps the campaign look harmless to automated brand monitoring systems, especially since the questions asked are simply about the customer's experience with a particular brand.

"The use of multiple stages and surveys is clearly an attempt to gain the trust of the user and something we've seen in Lotsy before. Once the user is confident it is a real brand site, the likelihood of divulging real information is much higher. The new addition to the scheme is the use of Google Forms to avoid detection from traditional brand monitoring systems and Ad Managers. As only a Google Form link is seen, the content of the form is not being properly analyzed. Almost every fraudulent ad campaign is run from a separate Facebook business account and uses its own unique page on Google Forms with a survey. At the end of the survey, there is a fraudulent link users have to click on to "claim the prize". In this case, all surveys targeting a particular country led to one fake site, e.g. sites targeting Singaporeans led to one Singapore-themed site. The similarities in the fake campaigns' mechanics and fake website design may indicate it's a single group running the operations."

Ilia Rozhnov

Head of Group-IB Digital Risk Protection in APAC

Because the first two stages have already attracted users and earned their trust, this stage does not require clear brand logos. Instead, the fraudsters focus on the "giveaway" aspect of the scheme, in which the user divulges personal information to claim a prize. Because neither the brand name nor its logo is used, detection becomes even more difficult.

The lynchpin of the evolved Lotsy scheme is the request for a phone number, address, and even credit card number in order to continue the survey. Fraudsters may sell this information or use it for malicious purposes. For example, there were an estimated 10,990 visitors per day to the above fraudulent site in August, with over 31,000,000 visits to this site from its conception in late 2018. Furthermore, to ensure a steady stream of visits to the site, users are sometimes encouraged to subscribe to push notifications, leading them to more fraudulent sites.

Apart from misusing user information, such fraud activity can harm the reputation of a brand. Any fraudulent activity can quickly be associated with the brand in the eyes of potential customers. All it takes is one negative experience for a potential customer to have a negative impression of the brand. If such fraudulent activity is not stopped in time, there may be more severe losses incurred by the company.

Group-IB has reported the scam to RH-ISAC, an organization for consumer-facing companies operating globally to share cybersecurity information and intelligence.

"As part of our global outreach program, victim notification is always a top priority for Group-IB so proper defensive measures can be put in place. Working closely with sharing organizations such as RH-ISAC ensures that retail organizations are in the know when it comes to threats to the retail and hospitality segment."

Nicholas Palmer

Director of International Business Development

Fraudsters exploit the lack of comprehensive monitoring and blocking efforts to create fake sites that misuse legitimate brand names. Traditional monitoring systems raise an alert when a brand is mentioned or its logo is detected. Because some of the Lotsy stages do not mention brand trademarks, such systems are unable to detect the fraudulent landing pages. Detection at every stage of the scheme is the key to eradicating this type of fraud. Effective monitoring and blocking should involve an automated, machine-learning brand protection system fueled by regular updates to its knowledge base of cybercriminals' infrastructure, tactics, tools and new fraud schemes. When a violation is detected, brands should be swift to initiate the takedown of the fraudulent websites.
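One way to detect the brand-free final stage is to follow each ad's full chain (short link, Google Form, landing page) and cluster campaigns by where they end up, so that many separate ad accounts converging on one landing site stand out even though the landing page never names a brand. The script below is an added example, not Group-IB's code; the redirect map, ad accounts, short links and domains are all constructed for illustration.

```python
"""Added example (not Group-IB's code): resolve each stage of a
multi-stage giveaway campaign and cluster campaigns by their final
landing site, so the brand-free last stage is still linked to the
branded ads that feed it. All URLs, domains and records below are
constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed redirect map: short link -> Google Form -> landing page.
# In practice this comes from following HTTP redirects and extracting the
# form's "claim the prize" link; it is hard-coded here so the example runs offline.
REDIRECTS = {
    "https://bit.ly/EXAMPLE1": "https://docs.google.com/forms/d/e/FORM1/viewform",
    "https://docs.google.com/forms/d/e/FORM1/viewform": "https://sg-prize.example/claim",
    "https://bit.ly/EXAMPLE2": "https://docs.google.com/forms/d/e/FORM2/viewform",
    "https://docs.google.com/forms/d/e/FORM2/viewform": "https://sg-prize.example/claim",
    "https://bit.ly/EXAMPLE3": "https://docs.google.com/forms/d/e/FORM3/viewform",
    "https://docs.google.com/forms/d/e/FORM3/viewform": "https://my-prize.example/claim",
    "https://bit.ly/EXAMPLE4": "https://brand.example/real-promo",
}

# Constructed ad observations: (Facebook ad account, brand shown in ad, short link)
ADS = [
    ("act_1001", "KitchenAid", "https://bit.ly/EXAMPLE1"),
    ("act_1002", "KFC", "https://bit.ly/EXAMPLE2"),
    ("act_1003", "IKEA", "https://bit.ly/EXAMPLE3"),
    ("act_1004", "KitchenAid", "https://bit.ly/EXAMPLE4"),
]

def resolve_chain(url, max_hops=10):
    """Follow the constructed redirect map and return every hop, first to last."""
    chain = [url]
    while url in REDIRECTS and len(chain) < max_hops:
        url = REDIRECTS[url]
        chain.append(url)
    return chain

def is_google_form(url):
    p = urlparse(url)
    return p.netloc == "docs.google.com" and p.path.startswith("/forms/")

def cluster_by_landing(ads):
    """Group ads by final landing domain, keeping only chains that pass through
    a Google Form, the intermediate stage that hides the real destination."""
    clusters = defaultdict(list)
    for account, brand, link in ads:
        chain = resolve_chain(link)
        if any(is_google_form(u) for u in chain[1:-1]):
            clusters[urlparse(chain[-1]).netloc].append((account, brand))
    return dict(clusters)

def suspicious_landings(ads, min_accounts=2):
    """Landing domains fed by several distinct ad accounts: the single fake
    site per country that the text describes, found without any brand match."""
    return {d: v for d, v in cluster_by_landing(ads).items()
            if len({a for a, _ in v}) >= min_accounts}
```

A legitimate promotion that links straight to the brand's own site (the fourth record) never enters a cluster, because it has no Google Forms hop in the middle.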

Users should not click on any suspicious link because an IP address and approximate location can be collected the moment a link is clicked. If they are on such malicious sites, they should not provide any personal information. That includes email addresses, full names and credit card/bank account information. Any online payment should be done with extra caution, checking the actual domain name and the website itself.

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB Threat Intelligence & Attribution system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s 17 years of experience in cybercrime investigations worldwide and 65,000 hours of incident response accumulated in our leading forensic laboratory and 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.
