Group-IB specialists identified a fraudulent network of about two dozen sites. The attackers mislead users by masquerading as state services and as the sites of popular browsers.
The creators of the fake resources promised visitors a reward of up to 200,000 rubles. To "earn" it, the visitor had to fulfill a number of conditions, each of which required a cash payment: the minimum amount was 350 rubles, the maximum 1,700 rubles. The network's money-extraction "work" was put on a conveyor belt: since April 2018, scammers have used it to take money from gullible citizens of Russia, Ukraine, Belarus and Kazakhstan. According to the researchers' estimates, in just a month the fake resources were visited by about 300,000 people.
The fraudulent network was discovered after a complaint received by CERT Group-IB on May 20, 2018 about the site http://browserupd[.]space.
Visitors to the site were promised from 50 to 3,000 dollars (from 3,000 to 200,000 rubles) for using allegedly "updated" versions of Google Chrome, Safari, Opera and others. The creators of the resource explained this "unprecedented generosity" as a marketing campaign: to encourage the first 10,000 users who updated their browser, 1,500,000 dollars had allegedly been allocated. Of course, no one received any money.
As Group-IB specialists established, the fraudulent scheme worked as follows. The attackers did not just copy the brands, logos and corporate colors of the browsers; they also identified the visitor's browser and "adjusted" their offer to participate in the promotion to the particular user. A special script installed on the site checked the type of the user's browser and, based on the information it received, automatically loaded the corresponding content and also generated a personal "browser update certificate" containing the user's real IP address, operating system data and, of course, the browser itself.
For example, if a user had Google Chrome installed, all of the content was tailored to it. In one of the scenarios, the site visitor was told that after the "automatic update" of Google Chrome to version 66, the prize was $2,195 (about 135,000 rubles). However, to receive the prize, the dollars had to be converted into rubles and a "commission" paid (in this case, 162 rubles). The money was to be paid through the e-pay platform, which had previously been seen repeatedly in questionable schemes.
Analyzing information about the resource, the specialists found that it was registered on April 26, 2018, and that 9 other identical sites are associated with it (browserupd[.]space, successupdate[.]space, successbrowser[.]space and so on). Of much greater interest, however, is the fact that alongside the "browser scheme" the scammers launched a variation of it imitating the operation of state online services.
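The domains above are published in defanged form (`[.]` instead of `.`), which is how an analyst would receive them. The following is an added example, not code from Group-IB or from the article, showing how a SOC would refang those indicators and check web-proxy logs for visits to them. The log lines are constructed for the example and use an assumed simple "timestamp client-ip method url status" format; the suffix match deliberately rejects look-alike hosts that merely contain an indicator as a substring.

```python
from urllib.parse import urlsplit

# Indicators quoted in the article, in the defanged form they were published in.
DEFANGED_INDICATORS = [
    "browserupd[.]space",
    "successupdate[.]space",
    "successbrowser[.]space",
]


def refang(indicator):
    """Turn a defanged indicator such as 'browserupd[.]space' back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one.

    A plain substring test ('successbrowser.space' in host) would also flag
    unrelated hosts that happen to contain the string; suffix matching does not.
    """
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


# Constructed sample proxy log (not from the article), one request per line:
# timestamp client-ip method url status
SAMPLE_LOG = """\
1526800001.123 10.0.0.5 GET http://browserupd.space/update?b=chrome 200
1526800002.456 10.0.0.7 GET https://www.example.com/ 200
1526800003.789 10.0.0.9 GET http://www.successupdate.space/cert.php 200
1526800004.012 10.0.0.5 GET http://successbrowser.space.evil-mirror.test/ 200
"""


def scan_log(log_text, indicators=DEFANGED_INDICATORS):
    """Return (client-ip, host) pairs for requests to a listed indicator or its subdomains."""
    refanged = {refang(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host and host_matches(host, refanged):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in scan_log(SAMPLE_LOG):
        print(f"{client} visited fraudulent host {host}")
```

Only the first and third lines are reported: the `www.` subdomain of a listed indicator counts, while the fourth line's host, which merely embeds `successbrowser.space` inside a different domain, does not.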
Judging by attendance, one of the most popular resources of the fraudulent network was a fake version of the "Active Citizen" internet platform. Beginning on April 11 of this year, the cybercriminals created six identical fake sites of the "Development of Regions" program, where visitors were promised payments of 65,000 rubles and up for answering an interactive survey on the need to reform housing and communal services, education and health care.
As in the case of the fake browsers, the fraudulent scheme targeted the specific user: the program determined the location of the site visitor from the IP address, and the content and styling of the resource changed depending on it. For example, for residents of the Russian capital, Moscow and the Moscow region were mentioned in the survey header, while for residents of the Vinnitsa region the site was styled in the colors of the Ukrainian flag.
Even after answering the questions, users could not receive their reward because of a supposedly inactive account: "Activation of the account and its unlocking in the 'Active Citizen' system during the survey is paid and costs 170 rubles." To confuse users, the scammers referred to a certain "Regulations for Conducting a Remote Citizen Survey" No. 203 of January 17, 2018. Payment was to be made through a non-existent bank of the Eurasian Economic Union, but in fact the money went through the same e-pay platform involved in the first scheme.
But even having paid for the activation of the account, the "active citizen" could not get his winnings: the scammers drew him into ever new expenses. The "price list" looked like this:
- Certification of the bank details for receiving funds – 350 rubles
- Entering the survey data into the unified register – 420 rubles
- Commission of the information system – 564 rubles
- Payment of transfer insurance – 630 rubles
- Registration of the payment with the management department – 710 rubles
- Activation of the digital signature – 850 rubles
- Approval of the transfer by the security service – 975 rubles
- Registration of the digital signature – 1,190 rubles
- Service fee for an instant transfer – 1,280 rubles
- Connection of an encrypted communication line – 1,730 rubles
Despite the short operating period of the fraudulent sites (from one to two months), Group-IB experts note the scale on which the attackers operated: they had "templates" with styling and content for different regions of Russia, Ukraine, Belarus and Kazakhstan. Links to the fraudulent sites were spread through spam mailings and advertising: on average, each of the sites was visited by 4,500 to 35,000 people every month.
"The constantly growing level of fraudulent schemes is a dangerous trend of recent years. This concerns both external characteristics – the design of the sites, the design of interactive elements such as fake forums and survey windows – and the technological infrastructure: as soon as a single resource is blocked, a new one appears in its place; as soon as one scheme has exhausted itself and no longer brings the desired income, the 'packaging' changes and a new 'promotion' is launched. A feature of the scheme with browsers and state services is the high-quality elaboration of all links of the chain: from plausible content and a whole network of interconnected fraudulent resources to the withdrawal system. This allowed the fraudsters to generate significant coverage in a short time: more than 300,000 visitors in less than 2 months," says Yaroslav Kargalev, deputy head of CERT Group-IB.