Originating as an online shopping scam, Classiscam has evolved into a global operation, constantly expanding its reach and capabilities.
This deceptive Classiscam campaign, initially emerging in Russia, has transformed into a full-fledged scam-as-a-service, with its targets now spanning across 79 different countries, revealed a recent report.
Classiscam Campaign: Scam-as-a-Service
A research discovered that the automated Classiscam campaign can generate phishing emails and scam pages within seconds. This campaign, which has been active since 2021, has targeted a staggering 251 brands across 79 countries.
The cybercriminals behind the Classiscam phishing campaign use Telegram bots to create ready-to-use phishing pages. These pages were duplicated using genuine company websites ranging from marketplaces to logistics operations, and classified web pages.
In a particular case, the operators behind Classiscam employed spoofing techniques to imitate a legitimate logistics website, with the intention of targeting users in 31 different countries.
In the past two years, the following data about the Classiscam scams and scamsters has been detected –
- The cybercriminals operating the Classiscam campaign created phishing templates for each brand they impersonated.
- They edited the phishing templates to fit the local language and currency of the country they targeted.
- About 1,366 other groups on Telegram made use of the tools offered in the Classiscam Scam-as-a-Service operation to launch attacks on their targets.
- Those running the Classiscam operations had a presence on Telegram with a strength of 393 groups with over 38,000 members. These groups were found active throughout H1 2020 and H1 2023.
- Fake login pages were created to dupe users. 63 banks in 14 countries were incorporated in the phishing web pages. The banks were based in Belgium, Canada, France, Czech Republic, Germany, etc.
Presently, the operators orchestrating Classiscam have adopted advanced technology capable of harvesting bank account credentials. In addition to launching phishing attacks, they employ information-stealing malware to further their illicit activities.
Classiscam Operations Between 2021 to 2023
Researchers found that Classiscam became popular among cybercriminals during the COVID-19 pandemic when most offices across the globe began working from home. They also leveraged the Classiscam phishing service to target online shoppers which also increased during the pandemic.
The scammers first used Classiscam tactics against targets marked in Europe and then reached others in the United States of America. Following this, they stole data and money from users in the Asia Pacific (APAC) region and the Middle East and Africa (MEA).
Addressing the targeted number of people, the research report stated, “Internet users in Germany completed 26.5% of all transactions registered in Classiscam chats, the highest value of any country. Next on this list were Poland (21.9%), Spain (19.8%), Italy (13.0%), and Romania (5.5%).”
‘Classiscammers’ have made an estimated earning of $64.5 million in the past two years. Their targeted brands increased from 38 in 2021 to 169 in 2022 and finally reached 251 in H1 2023.
Earlier this group was found to create malicious advertisements selling products on classified websites. They would create specially crafted emails for targets that would urge users to buy the said product.
Willing users would enter their bank details and make payments transferring money to the Classiscam scammer’s account.
Selling Classiscam-as-a-Service
Cybercriminals avail the benefits of Classiscam-as-a-Service as it has become automated over the past two years.
Besides automated phishing pages being created and modified based on target location, Classiscam-as-a-Service has easy-to-follow instructions and members who would answer questions posed by buyers on the dark web.
Researchers also found other features added to the Classicam-as-a-Service model. Other buyers were offered fake bank login pages to dupe users and a balance check feature to know the amount to charge the unsuspecting user.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
