A new credit card stealing campaign is underway in Singapore, snatching the payment details of sellers on classifieds sites through an elaborate phishing trick.
The scammers also attempt to transfer the funds directly to their accounts using valid one-time passcodes (OTPs) on the bank’s actual platform.
Threat analysts at Group-IB, who detected this recent wave in March 2022, believe it’s part of a global operation called “Classicscam,” which they discovered in 2020.
Singapore is a new addition to the targeting scope of the criminal operation, which is a bad sign indicating that the scheme is still growing and its reach is expanding.
Classicscam is a fully-automated “scam as a service” platform that targets users of classifieds sites attempting to sell or buy something listed on the pages.
The scheme also targets banks, cryptocurrency exchanges, delivery companies, moving companies, and other types of service providers, reflecting its broad targeting scope.
It relies on Telegram channels (90 active right now) for promotion and operational coordination, and since 2019 when it launched, it is estimated to have caused over $29 million in damages.
According to Group-IB, the criminal network currently has 38,000 registered users who get about 75% of the stolen amounts, while the platform administrators receive a 25% cut.
Classicscam hierarchy diagram (Group-IB)
Singapore in the crosshair
Classicscam was previously seen in Russia, Europe, and the United States but recently added the option to create phishing sites that mimic popular Singaporean classifieds sites. Hence, a new and sizable target pool opened up.
For this particular campaign, the operation used 18 domains that served as a space for creating phishing sites through Telegram bots.
Mapped Singapore network (Group-IB)
The scammers approach the seller of an item and declare interest in buying it, and eventually send them the URL of the generated phishing site.
If the sellers click on it, they will land on a site that looks like part of the classifieds portal, indicating that the payment for the mentioned item has been completed.
Fake payment notice (Group-IB)
Allegedly, the seller must enter their full card details to receive the funds for the purchase, including their card number, expiration date, holder’s name, and the CVV code.
Phishing card form (Group-IB)
Next, the victim is served a fake OTP (one-time password) page, while the Classicscam service uses it to log in the scammer on the real bank portal via a reverse proxy.
Finally, to separate valuable accounts from those holding fewer funds, the victim is requested to enter their account balance, supposedly as a verification step.
Victims are prompted to enter their card balance (Group-IB)
Hard to stop
Group-IB says they are actively tracking and blocking Classicscam sites, reporting its infrastructure, and alerting targeted services to inform their users of the risk.
However, despite having blocked over 5,000 malicious endpoints in the past three years, Classicscam continues to proliferate and expand.
“Classiscam is far more complex to tackle than the conventional types of scams,” commented Group-IB’s head of digital risk protection team, Ilia Rozhnov.
“Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly.”
“To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform.”
Users of platforms that facilitate financial transactions should be acquainted with the provided features and options before attempting to make any purchases or enter sensitive details.