
09 August, 2022

Classiscam scam-as-a-service operation now active in Singapore

Classiscam – a scam-as-a-service operation – has expanded to Singapore, cybersecurity provider Group-IB has announced. Active since March 2022 locally, Classiscam fraudsters target users of e-commerce (classified) platforms in Singapore. 

Scammers posing as legitimate buyers approach sellers with the ultimate aim of stealing payment data. They claim that payment has been made for an item, then dupe the victim into sharing their payment card credentials, one-time password (OTP) verification details, as well as card balances. 

Since Classiscam’s appearance in Singapore, the Group-IB Digital Risk Protection (DRP) team has found more than 200 domains, 18 of which were created to deceive the users of a Singaporean e-commerce website, including two active as of July 19, 2022. The latest domain intended to target Singaporeans was created in the second week of July. 

“They do not live long by design,” said Ilia Rozhnov, head of the Digital Risk Protection team at Group-IB’s Global HQ in Singapore. 

“To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform. Content on the fraudulent domains is available only by direct links, which are the subsections of these websites.” 

The group targeting Singapore is just one of many, Group-IB added. Since 2019, the Group-IB Digital Risk Protection team has identified and categorised 380 different groups operating under the Classiscam model in Telegram, with 90 active groups at the time of writing. Currently, more than 38,000 scammers are registered in these groups, which is seven times more than in 2020. According to Group-IB’s estimates, globally, the damage from the Classiscam operations can be as high as US$29,500,000. More details about the scheme are available in the Group-IB report DEMYSTIFYING CLASSISCAM.

Source: Group-IB. Screen capture of a phishing page.

A team of administrators is responsible for recruiting new members, automating the creation of scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The administrator’s share is about 20-30% of the stolen sum. “Workers” receive 70-80% of the stolen sum for communicating with victims and sending them phishing URLs. All details of deals made by workers (including the sum, payment number, and username) are displayed in a Telegram bot. 

Other websites in the network impersonate Singaporean moving companies, European, Asian, and Middle Eastern classified websites, banks, marketplaces, food and crypto brands, and delivery companies. 

“As it sounds, Classiscam is far more complex to tackle than the conventional types of scams,” said Rozhnov. 

“Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly. In the past three years, we have successfully blocked close to 5,000 resources that were part of Classiscam infrastructure. It was only possible because we were able to identify and eliminate adversary infrastructures which produce resources to support Classiscams with the help of AI-driven digital risk protection, enriched with data on adversary infrastructure, techniques, tactics, and new fraud schemes.”
