As cyber-awareness levels grow, scammers need new ways to evade detection and investigation. Latest technique: use one-off phishing content.

A worldwide scam campaign targeting users in over 90 countries, including Singapore, Malaysia, and Australia, has been brought to light.

Using fake surveys and ‘giveaways’ purporting to be from any of 120 big-name brands, fraudsters steal users’ personal and payment data. Some users are sometimes even asked to pay a tax or a test payment to receive their unreal prize.

The new wave scam is particularly persistent due to the use of targeted links, which makes investigating and tackling such attacks increasingly challenging. This involves so-called ‘traffic cloaking’, where different victims are shown different content based on certain user parameters leading to the survey page. Victims  find themselves in a long chain of redirects, during which scammers gather information about the victim’s connection, including country, time zone, language, IP, browser, and etc.

The content on the final page will be determined based on what was learned about the user and tailored as much as possible to their possible interests. This final scam link is customized to a specific user and can be opened only once, which complicates the process of forensic tracing by the authorities. Ultimately, this technique helps the scammers evade takedown and investigations.

According to Group-IB, which disclosed its research on this scam, the potential victim pool of a single scam network is estimated at about 10 million people, while the potential damage totaled about S$80 million per month.Some 60 different scam networks are currently known to use such targeted links.

Forensic analysis

With the stolen user details, fraudsters can buy goods online, register fake user accounts on any online resources, or simply sell the data on the Dark Web.

Analysis of the hosted scam websites reveals that the targeted regions are Europe (36.3%), Africa (24.2%), and Asia (23.1%). In the Asia Pacific region, cybercriminals have exploited 31 brands, with the majority of them originating from South Korea (7), Singapore (5), Malaysia (4), Japan (4), and Australia (3).

Each scam network contains over 70 domain names. One of the largest networks discovered in terms of traffic attracted contained over 50 domain names. Judging from the number of visitors, scammers’ potential victim pool on this network could hit 10 million people, with possible damage amounting to

US$80m per month, based on the number of sites detected, their minimum conversion, and an average money loss on a scam website.

For each specific website that hosts fraudulent content, Group-IB found the following statistics: the main sources of traffic for targeted links operators are India (42.2%), Thailand (7%), and Indonesia (4.4%), among others.

Globally, the cybercriminals mostly try to exploit the brands of leading telecommunications companies, which make up more than 50% of the total number of brands exploited. E-commerce and retail brands are the next preferred exploits.

Commented Ilia Rozhnov, the firm’s Head of Digital Risk Protection in APAC: “Just a couple of years ago, online scams were focused on scale: by indiscriminately targeting users, fraudsters tried to ensure that at least someone would take the bite. Over time, as scam awareness grows, fewer people have fallen prey to such schemes, which make its much more difficult for cybercriminals to make money. They have started to explore new ways that would meet their financial ambitions.”

This can explain the diversity of various fraudulent schemes that people observe today.