Classiscam Spreading into Europe

The InfoSec community sees time and time again that a scam does not need cutting-edge malware to succeed. Scams that are relatively lo-fi in terms of technology are still a massive problem for anyone using the Internet or an Internet-connected device. Sextortion scams are a case in point. Group-IB has been tracking another relatively lo-fi scam since the summer of 2019, one that originated in Russia and is now spreading to Europe. The scam has been called classiscam and involves luring potential victims to websites that closely resemble classified sites selling a variety of goods.

When compared to the recent SolarWinds incident, classiscam looks almost medieval, but readers should note that the scam has already netted scammers 6.5 million USD in 2020 alone. The scam does, however, use technology to automate its operation so that it can be offered as a service to other less morally inclined individuals.

The scam makes use of Telegram bots that provide scammers with ready-to-use classified ad templates that mimic popular classifieds, marketplaces, and sometimes delivery services. According to Group-IB,

“over 20 large groups, leveraging the scheme, currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, Sbazar, and etc.”

Initially, the scam looked to exploit delivery companies in Russia. Once this proved successful, the scam was expanded to include popular classified services. It is believed the expansion of the scam into Europe is intended to increase profits and reduce the likelihood of being caught. The 40 independent groups conducting the scam each run their own Telegram bot, and the scam's success can be seen not only in the profit generated by the scammers but also in the proliferation of fake classified ads, which have increased from 800 to over 3,000 in little over a year.

Researchers have estimated that a group can make on average 61,000 USD a month, with the most successful groups clearing 500,000 USD in a similar time frame. The average theft per victim is around 120 USD.

As to how these scams play out, they first involve the scammer publishing a bait ad on a popular classified or marketplace platform. The ad will typically offer cameras, laptops, gaming consoles, and other electronic equipment at a price the potential victim will see as a bargain. The buyer, who may soon be a victim, reaches out to the scammer, who is pretending to be a seller and who requests that communications be moved to a third-party messaging app like WhatsApp. Scammers working in teams will act as both buyers and sellers to add a veneer of legitimacy. Scammers will also use local numbers to be persuasive. Local numbers can be purchased on thriving underground marketplaces, so the scammer does not need to reinvent the wheel. According to researchers, the next phase of the scam involves the following:

“Evildoers ask victims to provide their contact information to allegedly arrange a delivery. The scammer then sends the buyer an URL to either a fake popular courier service website or a scam website mimicking a classified or a marketplace with a payment form, which turns out to be a scam page. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace and obtained via Telegram bot, so that the seller could reportedly receive the money from the scammer.”

Hierarchy of Scammers

The scammers don’t operate in a vacuum and have created a hierarchy of roles that are filled by certain individuals. The structure of these scam groups resembles that of any modern business and can best be described as a pyramid. At the top are the group’s admins, who take roughly between 20 and 30% of the scam’s profits. They are responsible for recruiting new members and for creating the scam pages and the accounts used on the marketplace platforms. Researchers also believe they assist in cases when banks block the transaction.

The next section of the pyramid is the workers. These are individuals who are responsible for communicating with the victims of the scam and sending them the URLs of the phishing websites used to steal payment details. Researchers believe that workers who show promise are promoted up the ladder, so to speak, and become more prominent members of the group. The lion’s share of the profit, amounting to 70 to 80%, is distributed amongst the workers. The last class of scam members is the callers, who pretend to be from tech support to further add legitimacy to the scammer's claims. They split the remaining 10% of the profit generated by the scam.

While the scam involves individuals, central to its success is the use of Telegram bots. Access to the bot gives workers the URL links they need to con the victim. This allows the worker to generate a complete phishing kit including courier URL, payment, and refund pages. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language. As to extra services, the chatbot will point workers to where they can purchase accounts for various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent the worker in court if caught.

Defending against the Scam

Researchers advise the following steps in defending against a classiscam:

  • Trust only official websites. Before entering your login details and payment information, double-check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.
  • When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.
  • Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.
  • Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.
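
The first recommendation, checking that a link really belongs to the official site and that its domain is not newly registered, can be scripted. The following is an added example, not code from Group-IB or the original article; the official-domain list, the 90-day threshold, and the sample URLs and registration dates are assumptions constructed for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

# Brands named in the article, mapped to official domains. The domain list
# is an assumption of this example; extend it for the sites you actually use.
OFFICIAL = {
    "leboncoin": {"leboncoin.fr"},
    "allegro": {"allegro.pl"},
    "olx": {"olx.pl", "olx.ro", "olx.bg"},
    "fancourier": {"fancourier.ro"},
    "sbazar": {"sbazar.cz"},
}
MIN_AGE_DAYS = 90  # assumed reading of "a couple of months old"


def hostname(url):
    """Return the lower-cased host, tolerating links pasted without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_official(host, domains):
    """True only for an official domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(url, created, today):
    """List reasons to distrust a link; `created` is the WHOIS/RDAP date or None."""
    host = hostname(url)
    flat = host.replace("-", "")  # so "fan-courier" still matches "fancourier"
    reasons = [f"uses brand '{brand}' outside its official domain"
               for brand, domains in OFFICIAL.items()
               if brand in flat and not is_official(host, domains)]
    if created is None:
        reasons.append("registration date unknown")
    elif (today - created).days < MIN_AGE_DAYS:
        reasons.append(f"domain registered {(today - created).days} days ago")
    return reasons


if __name__ == "__main__":
    today = date(2021, 1, 20)
    samples = [  # constructed links and constructed registration dates
        ("https://allegro.pl/oferta/123", date(2005, 1, 1)),
        ("https://allegro.pl.delivery-pay.example/order", date(2021, 1, 5)),
        ("fan-courier-tracking.example/pay", None),
    ]
    for url, created in samples:
        print(url, "->", assess(url, created, today) or "no warning signs")
```

The second sample shows why a suffix match on the host matters: a brand's real domain appearing at the start of a longer hostname does not make the link official.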

According to Bleeping Computer, Russian authorities have already arrested several scammers who have posted fake ads. Scams involving classifieds and marketplace platforms have been around since the advent of such platforms. Even if it is not a classiscam, scammers will look at other ways to part you from your money. For those using eBay in particular, it is recommended that you report suspicious ads to the platform itself. eBay makes this easy, as do several other platforms. The eBay procedure involves the following:

  • Open an unpaid item case if a buyer fails to pay you. eBay will assist in canceling the transaction so you can relist the item.
  • In the event of a refund/return problem, eBay will work with both you and the buyer, if possible, to work things out to everyone's satisfaction. And, of course, if the buyer has a history of such issues, eBay will take the appropriate measures.
  • If you feel that responding to negative feedback is beneath you or won't do any good, you can dispute it and ask eBay to review the comment or comments.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
