30 November 2020

Lotsy Evolution. Group-IB warns of new scam using branded surveys

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered a new wave of multi-stage Lotsy scams involving the use of more than 90 famous brands such as KitchenAid, KFC, IKEA, Golden Village, and many others. Lotsy has evolved significantly and now affects users from multiple countries worldwide, including Singapore, Malaysia, New Zealand, Indonesia, and Sweden. The Group-IB Digital Risk Protection team has identified close to 250 fake Facebook pages and 101 fake advertising campaigns. Group-IB has reached out to the affected brands with the help of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) to report the violations.

The Lotsy scheme was first reported by Group-IB researchers in August 2019. The scam relies on a freebie lure, the illegal use of famous brands and fake surveys to deceive people into visiting fraudulent third-party websites. The new wave of Lotsy identified by the Group-IB Digital Risk Protection team has, however, grown more sophisticated and covert, now using fake brand pages and ad campaigns on Facebook as well as surveys hosted on Google Forms.

COVID-19 has given rise to digital crime of all kinds. On October 20, Singapore police alerted the public to a new variant of phishing scam leveraging fake advertisement campaigns and lucky draws from banks. Public and private companies were not the only ones to embrace the transformations brought about by the pandemic; fraudsters also saw opportunities to deceive users. A recent survey suggested that searches for cooking-related keywords and kitchen appliances increased before and during the circuit breaker in Singapore, and Group-IB researchers identified at least 150 non-official Facebook brand pages for KitchenAid alone. Other than KitchenAid, another 86 brands such as KFC and IKEA were similarly affected by fake pages impersonating them. Fraudsters use fake Facebook brand pages to launch massive ad campaigns on social media, leveraging the platform's built-in targeting tools to reach a wider audience.

With greater audience and traffic, fraudsters opt to use social media sites for advertising. «Another reason social media is a prime choice for fraudsters is that many more online shoppers look to social media instead of Google before making a purchase. Promoting fraudulent ads on Facebook leaves users almost unable to check if it belongs to the official page before clicking on it and starting a fraudulent journey.»

Ilia Rozhnov

Head of Group-IB Digital Risk Protection in APAC

The ads resemble normal Facebook promotional posts and use the same creatives as legitimate brands do. Such posts prompt users to follow a unique bit.ly link in order to win a prize. However, instead of leading directly to a fraudulent site, as the Lotsy scheme did previously, the ad links to a survey on Google Forms that asks simple questions about the brand. Using multiple Google Forms helps the campaign look harmless to automated brand monitoring systems, especially since the questions asked are simply about the customer's experience with a particular brand.

The use of multiple stages and surveys is clearly an attempt to gain the trust of the user and something we've seen in Lotsy before. Once the user is confident it is a real brand site, the likelihood of divulging real information is much higher. The new addition to the scheme is the use of Google Forms to avoid detection from traditional brand monitoring systems and Ad Managers. As only a Google Form link is seen, the content of the form is not being properly analyzed. Almost every fraudulent ad campaign is run from a separate Facebook business account and uses its own unique page on Google Forms with a survey. At the end of the survey, there is a fraudulent link users have to click on to "claim the prize". In this case, all surveys targeting a particular country led to one fake site, e.g. sites targeting Singaporeans led to one Singapore-themed site. The similarities in fake campaign mechanics and fake website design may indicate it's a single group running the operations.

Ilia Rozhnov

Head of Group-IB Digital Risk Protection in APAC

Because the first two stages attracted and earned the trust of users, this stage does not require clear brand logos. Instead, it focuses on the «giveaway» aspect of the scheme, which involves the user divulging their personal information to claim a prize. Because neither the brand name nor its logo is used, detection becomes even more difficult.

The linchpin of the evolved Lotsy scheme is the request for a phone number, address, and even a credit card number in order to continue the survey. Fraudsters may sell this information or use it for other malicious purposes. The scale is considerable: there were an estimated 10,990 visitors per day to the fraudulent site in question in August, and over 31,000,000 visits since its creation in late 2018. Furthermore, to ensure a steady stream of visits, users are sometimes encouraged to subscribe to push notifications, which lead them to further fraudulent sites.

Apart from the misuse of user information, such fraud can harm the reputation of a brand. Any fraudulent activity can quickly become associated with the brand in the eyes of potential customers, and a single negative experience is enough to leave a lasting bad impression. If such fraudulent activity is not stopped in time, the company may incur more severe losses.

Group-IB has reported the scam to RH-ISAC, an organization for consumer-facing companies operating globally to share cybersecurity information and intelligence.

As part of our global outreach program, victim notification is always a top priority for Group-IB so proper defensive measures can be put in place. Working closely with sharing organizations such as RH-ISAC ensures that retail organizations are in the know when it comes to threats to the retail and hospitality segment.

Nicholas Palmer

Director of International Business Development

Fraudsters exploit the lack of comprehensive monitoring and blocking efforts to create fake sites that misuse legitimate brand names. Traditional monitoring systems raise an alert when a brand is mentioned or its logo is detected. Because some of the Lotsy stages do not mention brand trademarks, such monitoring systems are unable to detect the fraudulent landing pages. Detection at every stage of the scheme is the key to eradicating this type of fraud. Effective monitoring and blocking should involve an automated, machine-learning-driven brand protection system fueled by regular updates to its knowledge base about cybercriminals' infrastructure, tactics, tools, and new fraud schemes. If a violation is detected, brands should be swift to initiate the takedown of such fraudulent websites.
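To make the detection gap described above concrete, here is an added example (not Group-IB's code or tooling) that walks a giveaway chain end to end instead of stopping at the first hop: it resolves the shortlink, pulls the outbound link out of the Google Form text, checks the landing page for brand mentions and personal-data fields, and groups campaigns by their final domain, which is the signal that pointed to a single operator per country. All links, form text and landing pages are constructed sample data (the `.invalid` TLD is reserved for exactly this purpose), and the redirect table stands in for live HTTP lookups.

```python
"""Added example (not Group-IB's code): trace a Lotsy-style giveaway chain
offline and flag it. Live HTTP hops are replaced by constructed lookup tables,
so everything below (links, form text, landing pages) is sample data."""
import re
from urllib.parse import urlparse

BRANDS = {"kitchenaid", "kfc", "ikea"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
PII_FIELDS = {"phone", "address", "card_number", "cvv"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
INPUT_NAME_RE = re.compile(r"<input[^>]*\bname=[\"']?(\w+)", re.I)

# Stage 1: ad posts as scraped from fake brand pages (constructed copy and links).
ADS = [
    {"id": "ad-sg-1", "text": "KitchenAid is giving away 100 mixers! Survey: https://bit.ly/3xAMPLE1"},
    {"id": "ad-sg-2", "text": "KFC wants your feedback. Win a $500 voucher: https://bit.ly/3xAMPLE2"},
    {"id": "ad-my-1", "text": "IKEA survey: answer 4 questions and win: https://bit.ly/3xAMPLE3"},
]
# Shortener hop (what an HTTP redirect from the shortener would return).
REDIRECTS = {
    "https://bit.ly/3xAMPLE1": "https://docs.google.com/forms/d/e/AAA1/viewform",
    "https://bit.ly/3xAMPLE2": "https://docs.google.com/forms/d/e/AAA2/viewform",
    "https://bit.ly/3xAMPLE3": "https://docs.google.com/forms/d/e/BBB1/viewform",
}
# Stage 2: form text, including the confirmation message that carries the outbound link.
FORM_TEXT = {
    "https://docs.google.com/forms/d/e/AAA1/viewform":
        "How often do you bake? Which KitchenAid colour do you like? "
        "Thanks! Claim your prize: https://lucky-sg-prize.invalid/claim?c=a1",
    "https://docs.google.com/forms/d/e/AAA2/viewform":
        "How was your last KFC visit? Thanks! Claim here: https://lucky-sg-prize.invalid/claim?c=a2",
    "https://docs.google.com/forms/d/e/BBB1/viewform":
        "Do you shop at IKEA online? Thanks! Claim here: https://lucky-my-prize.invalid/claim?c=b1",
}
# Stage 3: landing pages with no brand name, only the giveaway and PII fields.
LANDING_HTML = {
    "https://lucky-sg-prize.invalid/claim?c=a1":
        "<h1>Congratulations, you won!</h1><input name=phone><input name=address><input name=card_number>",
    "https://lucky-sg-prize.invalid/claim?c=a2":
        "<h1>Congratulations, you won!</h1><input name=phone><input name=address><input name=card_number>",
    "https://lucky-my-prize.invalid/claim?c=b1":
        "<h1>Tahniah! Anda menang</h1><input name='phone'><input name='card_number'>",
}

def domain(url):
    return urlparse(url).netloc.lower()

def stage_of(url):
    d = domain(url)
    if d in SHORTENERS:
        return "shortener"
    if d == "docs.google.com" and "/forms/" in url:
        return "google_form"
    return "landing"

def resolve_chain(start, redirects=REDIRECTS, forms=FORM_TEXT, max_hops=6):
    """Follow shortener -> Google Form -> first non-Google URL found in the form text."""
    chain, url = [start], start
    for _ in range(max_hops):
        stage = stage_of(url)
        if stage == "shortener":
            nxt = redirects.get(url)
        elif stage == "google_form":
            # A link-only check stops here because the hop "is just Google";
            # the outbound link lives in the form body, so parse the body.
            outbound = [u for u in URL_RE.findall(forms.get(url, ""))
                        if not domain(u).endswith("google.com")]
            nxt = outbound[0] if outbound else None
        else:
            break
        if nxt is None:
            break
        url = nxt
        chain.append(url)
    return chain

def mentions_brand(text):
    return any(b in text.lower() for b in BRANDS)

def pii_requested(html):
    """Names of form fields on the landing page that collect personal data."""
    return sorted(PII_FIELDS & {n.lower() for n in INPUT_NAME_RE.findall(html)})

def analyze(ad, landing=LANDING_HTML):
    """Classify one ad by walking the whole chain rather than only its first hop."""
    chain = resolve_chain(URL_RE.findall(ad["text"])[0])
    stages = [stage_of(u) for u in chain]
    page = landing.get(chain[-1], "")
    result = {
        "id": ad["id"], "chain": chain, "stages": stages,
        "final_domain": domain(chain[-1]),
        "brand_in_ad": mentions_brand(ad["text"]),
        "brand_on_landing": mentions_brand(page),
        "pii": pii_requested(page),
    }
    # Brand in the ad, no brand on the landing page, PII collected at the end:
    # exactly the shape a brand-keyword monitor misses.
    lotsy = (stages == ["shortener", "google_form", "landing"]
             and result["brand_in_ad"] and not result["brand_on_landing"]
             and bool(result["pii"]))
    result["verdict"] = "lotsy_pattern" if lotsy else "no_match"
    return result

def cluster_by_landing(results):
    """Campaigns whose chains end on the same domain are likely run by one operator."""
    clusters = {}
    for r in results:
        clusters.setdefault(r["final_domain"], []).append(r["id"])
    return clusters

if __name__ == "__main__":
    results = [analyze(ad) for ad in ADS]
    for r in results:
        print(r["id"], r["verdict"], " -> ".join(r["stages"]), r["pii"])
    print(cluster_by_landing(results))
```

In a live deployment the two lookup tables would be replaced by an HTTP client that follows the shortener redirect and fetches the form page; the rest of the logic (parsing the form body for outbound links, checking the landing page for PII fields rather than trademarks, and clustering by final domain) is what closes the gap a first-hop, brand-keyword monitor leaves open.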

Users should not click on any suspicious link, because an IP address and approximate location can be collected the moment a link is clicked. If they do land on such a malicious site, they should not provide any personal information, including email addresses, full names and credit card or bank account details. Any online payment should be made with extra caution, after checking the actual domain name and the website itself.

Group-IB, headquartered in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes and protecting intellectual property. The company's threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
