Selling something on a classified ads platform or Telegram group? Read this before you become a classiscam victim!
Cybersecurity researchers have detected that a sophisticated international scamming-as-a-service operation known as Classiscam, have expanded their operations into South-east Asia—having landed in Singapore since March 2022.
The name Classiscam derives from the term “classified ads (classifieds)” which are publicly-placed advertisements for the buying and selling of products and services. In a typical classiscam operation,
Scammers pose as legitimate buyers and approach sellers, with the intention to steal payment data.
Since its arrival on Singapore’s shores, a total of 18 domains have been linked to the scam, although the actual number could be significantly higher.
Group-IB, which initially discovered the operation in 2020, has shared its findings with the Singapore Police Force’s Alliance of Public-Private Cybercrime Stakeholders and the local classifieds website in question.
The Classicam modus operandi
The scamming-as-a-service operation is a fully automated affiliate program designed to help members steal payment and personal data from the users of popular classifieds platforms and marketplaces.
The scheme relies heavily on Telegram bots and chats to coordinate operations and create phishing and scam pages in seconds. The fake web pages mimic the official platform of a local classifieds service. The fake links used for capturing victims’ sensitive information are generated using web panels or Telegram bots. After scammers have received credit card details from the victim, they request one-time-password (OTP) verification from the bank and use a fake notification page to trick the victim into divulging the actual OTP. Once the victim submits the OTP code on the fake website, scammers will be able to make illegal money transfers to their accounts.
Within Telegram, some 90 active classiscam groups are active now, comprising more than 38,000 scammers—seven times more than in 2020. According to Group-IB’s estimates, globally, the damage from the Classiscam operations can be as high as US$29,500,000.
Having originally appeared in Russia, the scheme had since migrated to Europe, the USA and has the Asia Pacific region. The short-lived websites in the scam network have impersonated European, Asian, and Middle Eastern classified websites; moving companies; banks; marketplaces; food and crypto brands; and delivery firms.
Elaborate evasion techniques
According to Ilia Rozhnov,Head of the Digital Risk Protection, Group-IB Singapore, the fake websites do not live long—by design: “To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform. Content on the fraudulent domains is available only by direct links, which are the subsections of these websites.”
Since the operation is highly automated, scammers could create an inexhaustible list of links on the fly. Additionally, classiscammers use anonymization tools such as antidetection browsers to create a unique fingerprint to spoof conventional anti-fraud systems.
Group-IB has managed to detect the scam by using AI and threat intelligence (such as data on previous emails and phone numbers that had been involved in past fraudulent operations) to monitor suspicious bot-like activities on Telegram, such as the number of chat requests generated per hour, various device parameters, etc.
Users of classifieds platforms should be alert to being diverted to fake URLs during any transactional discussion. Always triple-check the domain of the URL to verify that it is the official website before sharing any personal and payment details.
Also, when communicating with other parties for the sale of goods or services, engage them ONLY via the official chat engine of the official website.
Finally, individuals should always be wary of offers that are “too good to be true”.