The bad news is that the syndicate operating hundreds of other brand impersonation scams worldwide is still at large.

A distributed network of 134 rogue websites impersonating the World Health Organization (WHO) to lure visitors into taking a fake survey (promising a 200-Euro prize) has been taken down.

The scheme, launched on World Health Day on 7 April, targeted millions of users worldwide with the goal of tricking them into visiting fraudulent third-party websites. Once victims answered the questions, they were prompted to share the web link with their WhatsApp contacts and redirected to another website instead of receiving the reward.

By this time, the visit to the hookup website would have installed a browser extension or subscribed victims to paid services. In the worst-case scenarios, users ended up on a malicious or a phishing website. 

One mastermind group

The group that discovered the scam, Group-IB, had reported the situation to the United Nations International Computing Centre (UNICC)’s Common Secure team and initiated steps to take down the fraudulent websites.

While analyzing the infrastructure, researchers had concluded that the whole network was likely to be maintained and controlled by a scammer collective codenamed DarkPath Scammers.

At the time of writing, most scam websites controlled by DarkPath Scammers were still active and targeting millions of users worldwide. The scammers advertise their resources using email blasts, paid ads, and social media. According to Group-IB’s estimates, their whole network attracts around 200,000 victims daily from the US, India, Russia, and other countries.

Within 48 hours upon discovery of the WHO scam, the cybersecurity firm had managed to get all the rogue domains blocked.  

Scam kits made it easy

The 134 scam websites involved in the WHO scam was part of at least 500 other scam and phishing resources impersonating more than 50 well-known international food, sportswear, e-commerce, software, automotive, and energy industry brands.

Analysis of the removed websites revealed that the cybercriminals had used scam kits, which are sets of tools that ease the creation and design of scam pages. One scam kit allows impersonating multiple brands at a time using the same template.

After the takedown efforts by UNICC and Group-IB, the scammers had notably stopped using the WHO branding across their entire network.  

According to Dmitry Tyunkin, Head of Group-IB’s Digital Risk Protection team in Amsterdam: “Many brands still underestimate the impact of such scams on their businesses and customers. The approach most companies take when tackling brand abuse online can be compared to tilting at windmills: they overlook the continuous trend involving multistage scams and distributed infrastructure. Scammers use smart advanced technologies and are successful due to the lack of comprehensive digital asset monitoring by brand owners.”

UNICC warned that organizations should carry out seamless online monitoring to promptly detect any cases of illicit use of their brands. Many institutions monitor only separate brand infringements, like phishing pages and domains but overlook other elements of fraudulent infrastructure.  

To avoid falling prey to this scheme, online users should carefully check the website they are interacting with. UNICC advised that it is never redundant to check if the link you’re going to click on is identical to the domain of the organization’s official website since fraudsters often register domain names mimicking official ones. Staying suspicious of any website on which you plan to enter your data is a habit that must be developed by everyone willing to keep their money safe, it said.