Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered a new wave of multi-stage Lotsy scams involving the misuse of more than 90 well-known brands such as KitchenAid, KFC, IKEA, Golden Village, and many others. Lotsy has evolved significantly and now affects users in multiple countries worldwide, including Singapore, Malaysia, New Zealand, Indonesia, and Sweden. The Group-IB Digital Risk Protection team has identified close to 250 fake Facebook pages and 101 fake advertising campaigns. Group-IB has reached out to the affected brands with the help of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) to report the violations.
The Lotsy scheme was first reported by Group-IB researchers in August 2019. The scam leverages a freebie strategy and involves the illegal use of famous brands and fake surveys to deceive people into visiting fraudulent third-party websites. The new wave of Lotsy identified by the Group-IB Digital Risk Protection team, however, has grown more sophisticated and covert: it now uses fake brand pages and ad campaigns on Facebook as well as surveys hosted on Google Forms.
COVID-19 has given rise to digital crime of all kinds. On October 20, Singapore police alerted the public to a new variant of phishing scam leveraging fake advertising campaigns and lucky draws from banks. Not only have public and private companies embraced the transformations brought about by the pandemic, but so have fraudsters, who see opportunities to deceive users. A recent survey suggested that searches for cooking-related keywords and kitchen appliances increased before and during the circuit breaker in Singapore. In line with this, Group-IB researchers identified at least 150 non-official Facebook brand pages for KitchenAid alone. Beyond KitchenAid, another 86 brands such as KFC and IKEA were similarly affected by fake pages impersonating them. Fraudsters use these fake Facebook brand pages to launch massive ad campaigns on social media, leveraging the platform's built-in advertising tools to target a wider audience.
The ads resemble normal Facebook promotional posts, using the same creatives as legitimate brands do. Such posts prompt users to follow a unique bit.ly link in order to win a prize. However, instead of pointing straight to a fraudulent site, as the Lotsy scheme did previously, the ad links to a survey on a Google Forms page that asks simple questions about the brand. Using multiple Google Forms helps the campaign look harmless to automated brand monitoring systems, especially since the questions asked are simply about the customer's experience with a particular brand.
Because the first two stages have already attracted users and earned their trust, this stage does not require clear brand logos. Instead, the fraudsters focus on the "giveaway" aspect of the scheme, which involves the user divulging personal information to claim a prize. Because neither the brand name nor its logo is used, detection becomes even more difficult.
The linchpin of the evolved Lotsy scheme is the request for a phone number, address, and even credit card number in order to continue the survey. Fraudsters may sell this information or use it for other malicious purposes. For example, there were an estimated 10,990 visitors per day to one such fraudulent site in August, with over 31,000,000 visits to the site since its creation in late 2018. Furthermore, to ensure a steady stream of visits, users are sometimes encouraged to subscribe to push notifications, which lead them to more fraudulent sites.
Apart from the misuse of user information, such fraudulent activity can harm a brand's reputation. Any fraudulent activity can quickly become associated with the brand in the eyes of potential customers, and it takes only one negative experience to leave a potential customer with a negative impression of the brand. If such activity is not stopped in time, the company may incur more severe losses.
Group-IB has reported the scam to RH-ISAC, an organization through which consumer-facing companies operating globally share cybersecurity information and intelligence.
Fraudsters exploit the lack of comprehensive monitoring and blocking efforts to create fake sites that misuse legitimate brand names. Traditional monitoring systems raise an alert when a brand is mentioned or its logo is detected. Because some Lotsy stages do not mention the brand's trademarks at all, such systems are unable to detect the fraudulent landing pages. Detection at every stage of the scheme is the key to eradicating this type of fraud. Effective monitoring and blocking should involve an automated, machine-learning-based brand protection system fed by regular updates to its knowledge base of cybercriminals' infrastructure, tactics, tools, and new fraud schemes. If a violation is detected, brands should be swift to initiate the takedown of the fraudulent websites.
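To illustrate the detection gap just described, here is a small added example in Python (not Group-IB's tooling): a per-stage brand matcher beside a whole-chain matcher that inherits the brand named in the ad and flags the brand-free page that asks for personal data. The brand list, PII keywords, URLs and page texts are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed sample data only: brand list, PII keywords and a chain of the
# kind the article describes (fake brand ad -> bit.ly link -> Google Forms
# survey -> prize-claim page). URLs/texts are placeholders, not real IoCs.
BRANDS = {"kitchenaid", "kfc", "ikea"}
PII_FIELDS = {"phone", "address", "credit card", "card number"}

@dataclass
class Stage:
    url: str
    text: str   # title/body text a crawler captured at this stage

def brand_mentions(text: str) -> set:
    """Brands named in one stage's text (case-insensitive)."""
    lowered = text.lower()
    return {b for b in BRANDS if b in lowered}

def per_stage_alerts(chain: list) -> list:
    """Traditional monitoring: alert only on stages that name a brand."""
    return [s.url for s in chain if brand_mentions(s.text)]

def chain_alerts(chain: list) -> list:
    """Whole-chain monitoring: carry brand context from earlier stages down
    the chain and flag the PII-asking stage even when it names no brand."""
    inherited, findings = set(), []
    for stage in chain:
        inherited |= brand_mentions(stage.text)
        lowered = stage.text.lower()
        asks_for = {f for f in PII_FIELDS if f in lowered}
        if asks_for and inherited:
            findings.append((stage.url, sorted(inherited), sorted(asks_for)))
    return findings

SAMPLE_CHAIN = [
    Stage("https://facebook.example/kitchenaid-giveaway",
          "KitchenAid giveaway! Follow the link to win a stand mixer"),
    Stage("https://bit.ly/EXAMPLE", ""),
    Stage("https://docs.google.com/forms/d/EXAMPLE",
          "How often do you use KitchenAid appliances? Rate your experience"),
    Stage("https://prize-claim.example/claim",
          "Congratulations! Enter your phone, address and credit card to claim"),
]

# A legitimate promotion names the brand but never asks for PII.
BENIGN_CHAIN = [
    Stage("https://facebook.example/kfc-official", "New KFC menu items are here"),
    Stage("https://kfc.example/menu", "Our menu"),
]
```

The per-stage matcher never sees the prize-claim page, while the chain matcher reports it together with the brand inherited from the ad and the fields it requests.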
Users should not click on any suspicious link, because their IP address and approximate location can be collected the moment the link is clicked. If they do land on such a malicious site, they should not provide any personal information, including email addresses, full names, and credit card or bank account details. Any online payment should be made with extra caution, checking the actual domain name and the website itself.