In 2019, cybersecurity firm Group-IB exposed a Russia-based scam-as-a-service operation. This scheme, initially known as Classiscam, employed counterfeit classified advertisements and social engineering tactics to deceive individuals into purchasing non-existent products or services. Victims were manipulated into transferring money directly to the malicious actors or to their bank cards.
Over the course of four years, Classiscam evolved from a relatively simple scam into a highly sophisticated network with global reach. It involved at least 393 groups with approximately 38,000 participants engaging in phishing campaigns across 79 countries. These groups impersonated 251 different brands and raked in $64.5 million in ill-gotten gains, according to a new report released by Group-IB.
The vendor identified 1,366 separate Classiscam groups established between 2020 and the beginning of the current year. Victims of this scam lost $353 on average.
As time passed, Classiscam schemes expanded to allow fraudsters to pose as both buyers and sellers of items, with many operations becoming automated. This automation lowered the barrier to entry, making it easier for new, inexperienced participants to get involved.
Classiscam operations have also taken on a more corporate and hierarchical structure. They now use Telegram bots and chats to coordinate and to create phishing and scam pages quickly. Many of these groups offer straightforward instructions and provide assistance to other users.
The scope of Classiscam schemes has broadened beyond classified ad sites, targeting online marketplaces and classified services. Scammers impersonate various entities, from classified and reservation websites to delivery services, real estate rentals, retail businesses, carpooling services, and bank transfer platforms. Phishing pages often include features for checking victims’ account balances and harvesting credentials through fake login pages, indicating continued evolution.
Similar to ransomware-as-a-service (RaaS) and other service-based criminal operations, sometimes referred to broadly as ‘Cybercrime-as-a-Service’ (CaaS), Classiscam allows hackers to multiply potential attacks without the need for extensive technical expertise. They simply need to invest in the necessary tools.
Victor Acin, KrakenLabs Manager at Outpost24, explains the cybercrime ecosystem: “The Classiscam fraud-as-a-service behaviour is very similar to the credential-stealing groups known as Traffers. These are organised groups of cybercriminals specialising in credential theft, typically organised on Telegram; they recruit affiliates and provide them with the tools and the knowledge they need to deploy malware, most commonly stealers. This is another great example of groups leveraging working business models in order to profit more efficiently.”
Crucially, this research unveils the rising popularity of third-party services and providers in the cybercriminal world. These services allow less specialised or less skilled hackers to use powerful tools and infrastructure with malicious intent across various attack methods (such as phishing, DDoS, or malware).