Telegram-Based Classiscam Operation Targeting Users of European Marketplaces

Recently, Russian-speaking scammers have been observed running a scam-as-a-service operation dubbed Classiscam. According to the Group-IB Computer Emergency Response Team (CERT-GIB), Classiscam comprises around 40 groups of cybercriminals, operating in the U.S. and across several European countries such as Bulgaria, Czech Republic, France, Poland, and Romania.

About Classiscam

The Classiscam scheme has been leveraging Telegram bots that provide scammers with ready-to-use phishing pages mimicking popular classifieds, marketplaces, and delivery services to steal money and payment data.
  • Initially started in the summer of 2019, the Classiscam operation was first recorded in Russia. It was at the peak in the spring of 2020 during the COVID-19 pandemic.
  • The scammers have been publishing bait ads on popular marketplaces and classifieds, claiming to offer various products such as cameras, game consoles, laptops, smartphones, and similar items for sale at low prices.
  • To convert the deals, the scammers move the conversation to a third-party messaging service and use local phone numbers when speaking with the victim.
  • The threat actors have been actively impersonating several popular classifieds, delivery services brands, and marketplaces, such as Leboncoin, Allegro, DHL, FAN Courier, and OLX.
  • By the end of 2020, the Classiscam operation involved more than 5,000 scammers. All the cybercriminal groups altogether have made at least USD 6.5 million in 2020.

Recent Telegram-based attacks

In the recent past, several attackers have been observed abusing the Telegram messaging service.
  • A few days ago, a dark web vendor dubbed Triangulum was observed selling a RAT capable of complete device takeover and exfiltration of sensitive data from popular social networking apps.
  • In December, Agent Tesla malware was using Telegram to exfiltrate data for C&C infrastructure.

Security recommendations

An ever-increasing misuse of Telegram, either as a C&C channel for remotely controlled malware or for hosting bots, is an indication that attackers are actively investing their time in this platform. Therefore, experts suggest users remain cautious while using Telegram-based services, rely on official chats only, and avoid third-party messenger redirection.

Cyware Publisher

Publisher

Cyware