Global cybersecurity leader Group-IB has reported that the scam-as-a-service operation known as Classiscam remains active and continues to target internet users worldwide into 2023. Group-IB’s analysts have outlined the operation’s tactics in a recent blog post, shedding light on how Classiscam employs Telegram bots to facilitate the creation of phishing pages that impersonate various companies, spanning online marketplaces, classified sites, and logistics operators. These deceptive pages are designed to steal money, payment data, and, in recent cases, bank login credentials from unsuspecting users.
According to Group-IB’s research findings, Classiscam phishing pages have targeted 251 unique brands across 79 countries from the first half of 2021 to the first half of 2023. Notably, these phishing templates can be customized for different countries by altering language and currency details, resulting in the impersonation of one logistics brand across as many as 31 countries.
In the Asia-Pacific (APAC) region, Australia was the most heavily targeted country by Classiscammers, accounting for 34.6% of the regional total. Other affected countries in the APAC region included India (11.5%), Hong Kong (10.3%), Singapore (7.7%), Sri Lanka (7.7%), and Malaysia (5.1%).
Since the latter half of 2019, when Group-IB’s Computer Emergency Response Team (CERT-GIB) initially identified Classiscam, they have uncovered 1,366 separate groups employing this scheme on Telegram. The researchers examined Telegram channels associated with 393 Classiscam groups, boasting over 38,000 members, that operated between the first half of 2020 and the first half of 2023. In this period, these groups collectively earned an estimated $64.5 million.
Classiscammers have consistently expanded their operations since the scheme’s inception. Starting in 2022, they introduced innovations such as phishing attacks targeting online bank account credentials and the use of information stealers.
Group-IB’s mission to combat global cybercrime drives them to share their findings about Classiscam with law enforcement agencies. This research aims to raise awareness of the latest scamming methods and reduce the number of victims falling prey to this scam operation.
Classiscam’s Global Reach
Classiscam initially emerged in Russia, where it was tested before spreading globally. The scheme gained popularity in the spring of 2020, coinciding with the COVID-19 pandemic, increased remote work, and online shopping. It expanded first to Europe and subsequently to the Asia-Pacific (APAC) region, the United States, and the Middle East and Africa (MEA). As of the first half of 2023, Classiscam had targeted users in 79 countries, up from 30 in the first half of 2021. During the same period, the number of targeted brands globally surged from 38 to 251.
More than 61% of the Classiscam resources analyzed by Group-IB experts between the first half of 2021 and the first half of 2023 focused on European users. Other heavily targeted regions included the Middle East and Africa (18.7%) and the Asia-Pacific region (12.2%).
Within the APAC region, Australia remained the country with the highest number of targeted brands, with 34.6% of the regional total. India (11.5%), Hong Kong (10.3%), Singapore (7.7%), Sri Lanka (7.7%), and Malaysia (5.1%) were also significantly affected.
On average, Classiscam victims worldwide lost $353 per incident. However, users in the UK experienced the highest average loss at $865 per fraudulent transaction. In APAC and MEA, victims in Singapore lost an average of $682, while Australian victims lost $515 on average. In Saudi Arabia (MEA), successful Classiscam schemes resulted in an average loss of $525 per victim.
Evolution of Classiscam
Classiscam began as a relatively simple scam operation involving fake ads on classified sites and social engineering tactics to deceive users into making fraudulent transactions. Over the past two years, the operation has become increasingly automated, employing Telegram bots and chats to swiftly create phishing and scam pages. Some groups even offer step-by-step instructions and expert assistance.
Group-IB researchers observed a specialization of roles within Classiscam groups, including the addition of a balance check to assess potential charges to victims’ cards and the inclusion of fake bank login pages for credential harvesting. At the time of reporting, 35 scam groups distributed links to phishing pages featuring fake banking login forms for 63 banks across 14 countries.
Afiq Sasman, Head of Group-IB’s Computer Emergency Response Team in the Asia Pacific, emphasized, “Classiscam shows no sign of slowing down, and the ranks of the Classiscammers are continuing to swell. Classiscam will likely remain one of the major global scam operations throughout 2023 due to the scheme’s full automation and low technical barrier of entry.”
Group-IB remains committed to monitoring Classiscam campaigns globally and collaborating with law enforcement agencies and affected brands to combat these scams. Brands targeted by scammers are advised to employ Digital Risk Protection solutions capable of actively identifying and taking down phishing domains.