The old bait of using freebies to entice brand survey participation has evolved into a confidence scheme for unwary shoppers.

A new wave of multi-stage scams involving the use of more than 90 famous brands across Singapore, Malaysia, New Zealand, Indonesia, and Sweden among others.

This ‘Lotsy’ scheme involves over 250 fake Facebook pages and 101 fake advertising campaigns in which fake surveys and freebies are used to deceive people into visiting fraudulent third-party websites.

The scheme was originally reported by Group-IB researchers in August 2019. However, the tactics have grown more sophisticated and covert over the months, and now use fake brand pages, ad campaigns on Facebook as well as surveys on Google forms. 

How Lotsy works

lotsy scheme ad survey

The ads resemble normal Facebook promotional posts, using the same creatives as legitimate brands do. Such posts prompt users to follow a unique link where they stand to win a prize.

However, instead of a fraudulent link, as it was with previous Lotsy schemes, the ad now links to a survey on a Google Forms page that asks simple questions about the brand. The use of multiple Google forms helps attackers to look harmless to automated brand monitoring systems, especially since the questions asked are simply about customer experience using a particular brand. 

The lynchpin of the evolved Lotsy scheme is the request for a phone number, address, and even credit card number in order to continue the survey. Fraudsters may sell this information or use it for malicious purposes. 

For example, there were an estimated 10,990 visitors per day to a fraudulent site in August, with over 31,000,000 visits to this site from its conception in late 2018. Furthermore, to ensure a steady stream of visits to the site, attackers encouraged users to subscribe to push notifications, leading them to more fraudulent sites.

Apart from the phishing of personal information, such fraudulent activities can harm the reputation of a brand. In the eyes of potential customers, any fraudulent activity can quickly be associated indelibly with the brand. If such fraudulent activity is not stopped in time, brands may suffer more severe losses. 

Social media makes scamming easier

With greater audience impact and physical traffic, social media sites draw fraudsters. Another reason social media is a prime choice is that many more online shoppers look to social media instead of Google before making a purchase. Promoting fraudulent ads on Facebook leaves users almost unable to check if it belongs to the official page before clicking on it and starting a fraudulent journey.

Said Ilia Rozhnov, head of Group-IB Digital Risk Protection (APAC): “The use of multiple stages and surveys is clearly an attempt to gain the trust of the user and something we’ve seen in Lotsy before. Once the user is confident it is a real brand site, the likelihood of divulging real information is much higher.”

Almost every fraudulent ad campaign is run from a separate Facebook business account and uses its own unique page on Google Forms with a survey. At the end of the survey, users have to visit a fraudulent link to ‘claim the prize’. In this case, all surveys targeting a particular country have led to one fake site. For example, sites targeting Singaporeans have led to one Singapore-themed site. The similarities in fake campaigns mechanics and fake website design may indicate a single group running the operations.

For the creation of fake websites, fraudsters exploit the lack of comprehensive monitoring and blocking efforts that spot misuse of legitimate brand names. Traditional monitoring systems raise an alert when a brand is mentioned or when its logo is detected. As some of the Lotsy stages do not mention brand trademarks, such monitoring systems are unable to detect fraudulent landing pages.

Detection at every stage of the scheme is the key to eradicating this type of fraud. Effective monitoring and blockage should involve an automated machine-learning brand protection system fueled by regular updates to its knowledge base about cybercriminals’ infrastructure, tactics, tools, and new fraud schemes. If a violation is detected, brands should be swift to initiate take down of such fraudulent websites. 

Precautions to observe

Group-IB has reported the scam to RH-ISAC, an organization for consumer-facing companies operating globally to share cybersecurity information and intelligence.

Commented Nicholas Palmer Group-IB’s Head of Global Business: “As part of our global outreach program, victim notification is always a top priority so proper defensive measures can be put in place. Working closely with sharing organizations such as RH-ISAC ensures that retail organizations are in the know when it comes to threats to the retail and hospitality segment.”  

Reminder: Users should not thoughtlessly click on any suspicious link because an IP address and approximate location can be collected the moment a link is clicked. If they are on such malicious sites, they should not provide any personal information. That includes email addresses, full names, and credit card/bank account information. 

Any online payment should be done with extra caution, by checking the actual domain name and the website itself.