Researchers at Group-IB have uncovered that Classiscam, a sophisticated scam-as-a-service operation, has expanded to Singapore.
The scam has been active since March 2022 and involves Classiscam fraudsters targeting users of one of the leading classified platforms in Singapore.
Scammers pose as legitimate buyers and approach sellers with the request to purchase goods from their listings, with the ultimate aim of stealing payment data.
Since Classiscam's appearance in Singapore, the Group-IB Digital Risk Protection (DRP) team has detected a total of 18 domains intended to target buyers on the local classified website. According to the team, however, the actual number is believed to be significantly higher.
The scam relies heavily on Telegram bots and chats to coordinate operations and create phishing and scam pages in seconds. Having originally appeared in Russia, the scheme migrated to Europe and the US, and has now infiltrated the Asia Pacific.
The Group-IB Digital Risk Protection team says that in the past three years, they have successfully blocked close to 5,000 resources that were part of Classiscammers' infrastructure.
Classiscam groups have been found to operate as a pyramid-shaped hierarchy. A team of administrators sits at the top of the chain and is responsible for recruiting new members, automating the creation of scam pages, registering new accounts, and providing assistance when the bank blocks the recipient's card or the transaction.
The administrator's share is about 20-30% of the stolen sum. Workers receive 70-80% of the stolen sum for communicating with victims and sending them phishing URLs. All details of deals made by workers (including the sum, payment number, and username) are displayed in a Telegram bot.
The latest domain intended to target Singaporeans was created in the second week of July. Ilia Rozhnov, head of Group-IB's Digital Risk Protection team, says that although these domains are short-lived, they come with significant challenges.
"They do not live long by design," says Rozhnov. "To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform. Content on the fraudulent domains is available only by direct links, which are the subsections of these websites."
Rozhnov also says that although Classiscam's automation has added a significant degree of complexity, Group-IB has used special AI risk protection measures to help block the scam pages and resolve related issues.
"Unlike the conventional scams, Classiscam is fully automated and could be widely distributed," he says.
"Scammers could create an inexhaustible list of links on the fly. In the past three years, we have successfully blocked close to 5,000 resources that were part of Classiscam infrastructure. It was only possible because we were able to identify and eliminate adversary infrastructures which produce resources to support Classiscams with the help of AI-driven digital risk protection, enriched with data on adversary infrastructure, techniques, tactics, and new fraud schemes."