Like of the Year 2020
Rambler Group and Group-IB have identified a multi-stage fraudulent scheme run under the guise of a fictitious year-round Like of the Year 2020 award. Users were told they could win a large cash prize for a randomly selected like on social networks. In total, more than 1,000 related domains used in this campaign were identified.
To attract victims, the fraudsters hacked the mail servers of one of the fiscal data operators (OFDs) and sent mass messages to users on behalf of the “Rambler team”. After users contacted Rambler Group, the company conducted its own investigation and involved Group-IB in responding to the incident.
CERT-GIB experts found that the scammers used several attack vectors. In addition to sending e-mail messages, they also delivered phishing messages through other channels, in particular by sending reward notifications via Google Calendar. Using social engineering, the fraudsters had been harvesting users' bank card details for a long time. The messages were all themed around cash payouts: recipients were congratulated on winning the contest and on a cash prize ranging from $100 to $2,000.
As a result of these activities, the mailing on behalf of the fake Rambler Group was stopped. For its part, Rambler Group contacted public e-mail services, warned them of the attack, and asked them to proactively move the fraudulent e-mails to Spam. In the course of further work, Group-IB specialists managed to block most of the sites related to the attack, to which the received e-mails and invitations redirected users. In total, the scheme involves more than 1,000 domains, and the blocking work is still ongoing.
How it works
CERT-GIB Deputy Director Yaroslav Kargalev says that the Like of the Year scheme is carefully constructed. On desktop and mobile platforms, and at every stage of its execution, it is designed to inspire confidence in the user. Beyond the “like” theme, graph analysis identified about six different fraudulent campaign scenarios with the same logic, including, for example, payouts from a non-existent “Video Bloggers Fund”, a “Financial Protection Center”, and so on. Between 100 and 350 domains were associated with each scenario. In some scenarios, the contact details given for support and consultations were registered to Ukrainian phone numbers.
The Like of the Year attack has several distinctive features. The use of the calendar in the Gmail service is a relatively recent trend in social engineering. With the default calendar settings, invitation data is automatically added to the calendar along with a reminder. This means any Google Calendar user can send event invitations to other Gmail users, even if they are not in their address book, and the victim then receives a notification by e-mail that a new event has been created. Typical keywords in the content include: “bank, approved, payment of funds, program, reimbursement, receipt, agreed, federal, official, details” and so on.
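As an added illustration, not part of the article or of Group-IB's tooling, the following defender-side heuristic triages calendar event notifications using the keyword list quoted above, an unknown-organizer check and a link-host check; the sample invitations, the address book and the trusted domains are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Payout keywords the article reports in the fraudulent invitations.
PAYOUT_KEYWORDS = ("bank", "approved", "payment of funds", "program", "reimbursement",
                   "receipt", "agreed", "federal", "official", "details")
CONTACTS = {"alice@corp.example"}   # hypothetical recipient address book
TRUSTED = {"corp.example"}          # hypothetical domains whose links are trusted
@dataclass
class CalendarInvite:          # fields of an event notification as the mailbox sees them
    organizer: str             # e-mail address of the event creator
    title: str
    description: str
    links: list                # URLs embedded in the event description

def keyword_hits(text: str) -> set:
    """Payout keywords present in text, matched as whole words or phrases."""
    lowered = text.lower()
    return {k for k in PAYOUT_KEYWORDS if re.search(r"\b%s\b" % re.escape(k), lowered)}

def triage(invite: CalendarInvite, contacts: set, trusted: set) -> tuple:
    """Score an invite; 3 or more means hold it for review instead of auto-adding it."""
    score, reasons = 0, []
    if invite.organizer.lower() not in contacts:
        score += 1
        reasons.append("organizer not in address book")
    hits = keyword_hits(invite.title + " " + invite.description)
    if hits:
        score += min(len(hits), 3)   # cap so one wordy invite cannot dominate the score
        reasons.append("payout keywords: " + ", ".join(sorted(hits)))
    for link in invite.links:
        host = (urlparse(link).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            score += 1
            reasons.append("link to untrusted host " + host)
            break
    return score, reasons
# Constructed sample notifications (not real campaign artifacts).
SAMPLES = [
    CalendarInvite("promo@example-prize.test", "Payment of funds approved",
                   "Official reimbursement of $1735 agreed by the federal program. "
                   "Enter card details to receive it.", ["https://win.example-prize.test/claim"]),
    CalendarInvite("alice@corp.example", "Weekly sync", "Agenda in the shared doc.",
                   ["https://docs.corp.example/agenda"]),
]
def flagged() -> list:
    """Organizers of sample invites that should be held for review."""
    return [s.organizer for s in SAMPLES if triage(s, CONTACTS, TRUSTED)[0] >= 3]
```

The threshold and keyword weights are illustrative; in practice they would be tuned against a mailbox's own invitation traffic.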
In either case, clicking a link in the e-mail or the invitation takes the user to the bait site. The winning amount, for example $1735, is displayed on the screen, and to build confidence in the contest the site posts glowing reviews from users who have supposedly already won. Next, an “operator” contacts the victim and advises the user on the next steps. Instead of a standard chat window with an avatar, the scammers use a video for realism, with the instructions shown in a window next to it.
Then a new redirect occurs: this time the user is asked to enter a bank card number so that the winnings can be transferred to them. In the next step of the scheme, the bank suddenly rejects the user's card. To solve the problem, the user is offered a currency conversion, since the payout can supposedly be made only in rubles, and needs to pay a small commission of about 270 rubles.
If the user agrees to pay the commission, the scheme reaches its climax: a redirect to a site with “secure” entry of bank details (card number, expiration date and CVV) to pay the commission for services allegedly verified by every conceivable payment system.
It is at this stage that the user's bank card data is stolen. Interestingly, in the “Like of the Year” scheme a real payment gateway is used at the final data-entry stage. That is, the scammers really do charge the “commission”, but their main goal is the card data. As a rule, collections of card data in text form are later sold on carding sites or used to buy goods for resale and cashing out.