Cybercrime gangs are increasingly using Fraud-as-a-Service (FaaS) to target online marketplaces, especially message boards, as FaaS offers tools and infrastructure for fraudsters to launch attacks, lowering the technical barrier to entry.
These gangs steal personal data and funds through various methods and then automate distribution or sell tools for further scams, creating a complex and adaptable criminal network.
Scammers on message boards use phishing to steal financial information. In a buyer scam (scam 1.0), the scammer impersonates the seller and tricks the buyer into clicking a phishing link that steals their card details. This variant is less common because users are aware of it.
In a seller scam (scam 2.0), the scammer impersonates the buyer and uses a phishing link to deceive the seller into sending the item before receiving payment. Scammers target paid ads, unprofessional photos (indicating individual sellers), and those willing to use third-party messengers or provide phone numbers.
To steal sellers’ credit card information, scammers posing as buyers initiate conversations, feign interest in the product, and then propose a fake secure payment scheme. The scheme involves a phishing link that mimics either the marketplace or a payment service.
Clicking the link takes the seller to a fraudulent page where they enter card details, which the scammers then steal. These phishing pages are well-designed replicas, often differing from the original only in minor button text or layout.
Cybergangs specialize in message board scams using a Fraud-as-a-Service model, and have a hierarchical structure with roles like coder, refunder, carder, motivator, marketer, worker, and mentor.
Workers target users on message boards, often buying accounts to avoid detection, and use Telegram channels and bots to manage communication, create phishing links, and track results.
To evade security measures, workers buy proxies to hide their IP addresses and use techniques like misspelling banned keywords or using Cyrillic characters.
A phishing Telegram bot automates creating scam listings and communicating with victims. Workers choose a target country and product type (buying or selling), while the bot generates a replica of a real ad and steals card details entered by the victim.
The bot provides phishing links in various languages for different platforms. Workers can contact the victim through messaging services and track their earnings within the bot.
According to Securelist, the phishing group uses a Telegram bot to create phishing links that mimic legitimate message boards. Each link consists of a domain, language, action (pay or receive), and ad number.
The domain name may contain the name of the imitated board, and the language code depends on the target country. Clicking the link directs the user to a phishing site that steals credit card information upon submission.
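A defender can turn the link structure described above into a triage rule for URLs shared in marketplace chats. The following is an added example, not code from the article or from Securelist; the brand name, official domain, language set, scoring weights, and sample URLs are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (placeholders, not from the article): brand, official domain,
# language codes and weights would be set per marketplace being protected.
BRAND = "exampleboard"
OFFICIAL_DOMAINS = {"exampleboard.example"}
ACTIONS = {"pay", "receive"}                 # the two actions the article names
LANGS = {"en", "de", "fr", "es", "it", "pl", "pt"}
AD_RE = re.compile(r"^\d{4,}$")              # numeric ad identifier
SPLIT_RE = re.compile(r"[/?&=._-]+")
THRESHOLD = 4


def is_official(host):
    """True only for the official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_link(url):
    """Return (score, reasons) for a link pasted into a marketplace chat."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if not host or is_official(host):
        return 0, []
    path_tokens = [t for t in SPLIT_RE.split((parts.path + "?" + parts.query).lower()) if t]
    host_tokens = [t for t in SPLIT_RE.split(host) if t]
    score, reasons = 0, []
    # Hyphens are dropped so "example-board" style look-alikes still match.
    if BRAND in host.replace("-", ""):
        score += 2
        reasons.append("brand name in non-official domain")
    if ACTIONS & set(path_tokens + host_tokens):
        score += 1
        reasons.append("pay/receive action token")
    if LANGS & set(path_tokens):
        score += 1
        reasons.append("language code in path or query")
    if any(AD_RE.match(t) for t in path_tokens):
        score += 1
        reasons.append("numeric ad identifier")
    return score, reasons


def is_suspicious(url):
    return score_link(url)[0] >= THRESHOLD
```

The official-domain check compares the full registered suffix, so a host that merely embeds the official name as a leading label is still scored as a look-alike.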
The Telegram bot notifies the scammer when a user clicks the link and completes the transaction. The scammers then steal the money and distribute the profit among themselves according to a predetermined scheme.