A story about fraud involving a fake marketplace
Thursday, January 11, 2024
In this Anti-virus Times issue, we want to share with our readers a real story about how one person fell for some online fraudsters’ tricks. The technology of this deception is simple, but, at the same time, it is remarkable enough for us to devote a separate article to it. In our issues, we often raise the topic of online fraud as, unfortunately, the number of such incidents remains consistently high. Users who are too trusting or inexperienced are popular targets for attackers. At the same time, cybercriminals continue to use essentially the same techniques, changing only the “scenery”. As the saying goes, why change what works? But first things first.
To make this issue livelier, we will tell our story in chronological order, without indicating the obvious fraud. Only at the end will we comment on the main techniques used by the intruders. We are sure that most of our readers will detect the deception at the very first stage. But it will be all the more interesting for them to observe how the events unfold in detail. We received permission to publish the story from the hero of this article; all names have been changed, and any coincidences are accidental.
Stage 1. An unexpected acquaintance
Mark, who leads a completely ordinary life, is no dummy. When he accumulated some savings, he decided to make investments so that the money would begin to generate a profit. Mark also had free time to make some extra money.
One day, Mark received an SMS, sent from a Chinese number, in which a girl named Martha wrote in Russian that her sister Eliza was looking for friends, as she would soon be coming to Russia. After that, Martha suggested to Mark that he write to Eliza on Telegram and attached a link to her sister's profile in the messenger. Usually Mark doesn't write to strangers, but on this occasion, he became curious — perhaps, because the girl was from China. It is worth noting that the original message was clearly auto-translated from Chinese into Russian. The photo on Eliza's profile showed a girl whose face was not visible since the photo was taken from behind.
Mark wrote to Eliza and was pleasantly surprised that she responded rather quickly. They started to chat; Eliza was clearly using an online translator. Sometimes she sent Chinese characters by mistake, apparently forgetting to translate the text into Russian. It turned out that she was a successful designer from Hong Kong, and that she was flying to Russia on business. Then Eliza said that she earned good money, as she had her own store on the Chinese trading platform Shein. The range of products in the marketplace was very wide — from clothes for everyday wear to digital electronics. Judging by their communication, Mark clearly liked the girl: she invited him to try his hand at opening his own store, since the platform had just begun cooperating with users from Russia. Essentially this was an individual offer, and Mark was very happy that he had managed to gain such confidence. In addition, as described, the conditions were very favourable, and having additional income never hurts. Eliza sent him a link to the marketplace site on which he was to conduct his business, and showed him how to use the platform. Everything was ready to go.
Stage 2. Getting started
Eliza briefly described the work scheme. First, Mark had to register on the website and open his own store. After that, he could put up for sale the goods available to him and wait for orders. When customers order a particular product, Mark's task is to process the order. Processing means that he buys the goods at a cost approximately 30% less than the nominal value. Once a parcel reaches a recipient, the order is closed, and the full cost of the goods, paid by the buyer upon receipt, is credited to Mark's account. This arrangement for working with clients was not chosen by chance — after all, one needs to stir buyers’ interest in the new platform. And, in theory, the profits aren’t bad! For example, from one order of 200 €, Mark would earn 60 € since he bought the goods for 140 €. The most attractive thing is that in a single day, multiple orders can come in. Once you’ve accumulated an amount with a part-time job like this, you can relatively quickly double or even triple it. After some thought, Mark agreed. To register the store, a personal ID was required, so he needed an identity document. Eliza said that uploading a scanned copy of his passport to the site would be enough. When everything was ready, Mark began his work, and his new acquaintance constantly stayed in touch to help him take his first steps in this business.
After Mark registered his store, Eliza gave him the contact information for Shein's official technical support, which helps sellers solve various issues. Communication with the specialists was also conducted in Telegram. Obviously, these were Chinese citizens since they communicated in a similar way — using an online translator.
The time came for him to deposit the first portion of his personal funds so that an incoming order could be processed. The order was small, so the amount of money turned out to be insignificant. The technical support employees told Mark in detail how to deposit money to his balance. That was done in his personal account area on the site via a special payment form. A support service employee also consulted with Mark on how he could submit a withdrawal request. For convenience, all incoming transfers were made directly to a card.
The first transaction was successful, and the promised amount of money was transferred to Mark's balance on the website. Of course, like any clearheaded person, Mark decided to try to withdraw the money to check how well the scheme works. After consulting with tech support, he performed all the necessary actions on the site. And what relief he felt when the corresponding amount was credited to his card. “The scheme works!” thought Mark, and with full confidence, he continued to work. Meanwhile, Eliza continued to heighten his interest, sharing her success in the field of the miracle marketplace.
Stage 3. The first difficulties
Two weeks had passed since Mark started cooperating with the new employer. He had invested a considerable amount of personal funds, but his virtual balance had been replenished very significantly. Orders continued to arrive steadily, with ever more expensive goods having to be “handled” each time. Mark tried to operate his store competently, but there came a moment when only expensive goods that were out of his reach to buy became available to him. Tech support informed Mark that his refusal to process orders would draw complaints from customers. As a solution, they proposed that Mark close the store, then withdraw the invested money and profits, and after that open a new store and a new account on the site. With the help of a tech support employee, Mark requested the closure of the store and the withdrawal of the funds. Eliza, in turn, continued to be interested in how things were going for him and whether he had managed to get his first large sum of money from the marketplace.
I propose that you wait for all the goods to be delivered, withdraw all the funds to a bank card, and then reopen the store.
Hello, your package has been fully delivered and you can now initiate the withdrawal. Then, reopen the store. I will help you close your old store.
The finance staff just notified me that your withdrawal request has been accepted and the bank can transfer the money to you after you pay personal income tax. Personal income tax at the rate of 20% of the profit.
I'll ask our finance guy to send you the tax ID number later. And then you can pay. You need to pay personal income tax.
Quoted above are some of the messages (without indicating specific amounts) that Mark received after requesting the store’s closure. Thus, he had to pay a significant commission to get not only the profit but also his own money spent on processing orders. At this point, Mark for the first time had real doubts about the people he was sending his money to. But there was nothing he could do; everything had already happened, and Mark decided to risk a smaller amount — after all, hope dies last.
The expected result
After paying the commission, Mark wrote to technical support and waited for a quick incoming transfer to his card. In response, he received a message that his transfer had been received, and now he had to wait 24 hours. Eliza continued to stay in touch and said that he had nothing to worry about. The next day, Mark contacted the support service again but received no response. The 24-hour period passed, and there were no transfers made to his card. Eliza also stopped responding, although she did not add him to the blacklist. The personal account on the site continued to offer orders as well as display its virtual balance. A few days later, quite expectedly, the site didn't load, and Eliza and tech support were offline in the messenger. The trap slammed shut simultaneously with the first incoming transfer from a Qiwi wallet, simulating the withdrawal of funds. After that, everything depended on the solvency of the fraudsters’ "client".
Implementation and the details of the scheme
Yes, you heard right. The incoming transfer, presented as a withdrawal, was made using a Qiwi wallet account. At this stage, it was possible to suspect that something had gone wrong, but the fact is that throughout the entire scheme there had been dozens of signs literally screaming that the whole exercise up to that point had been a fraud. The case we have described is notable in that our hero violated literally all the basic Internet security commandments. Let's analyse some of the signs — after all, it is better to learn from other people's mistakes. It’s free.
The first thing to catch the eye is, of course, the spam messages sent from a Chinese number. In the case of Mark, social-engineering techniques were used — after all, in their SMS, the cybercriminals did not come right out with promises of huge earnings. Here we can observe a more “creative” approach and more individualized work with the victim. And, of course, the cybercriminals were not Chinese. By registering several accounts in Telegram to virtual Chinese numbers, the attackers imitated real Chinese people with whom people could communicate, for example, on AliExpress. At the same time, in our opinion, the punctuation marks gave them away; among other things, they were arranged according to the typical rules of the Russian language (albeit with errors). The most correct solution for Mark would have been to delete the message at the very first stage, while simultaneously reporting it as spam.
The second thing to note is the initial work done with the victim on the part of "Eliza". Before making a "unique" offer, the scammer first created the illusion of acquaintance and won the victim's affection. The copying of random Chinese characters into the chat is an interesting approach. That strengthened the victim's confidence that the real Eliza from China was communicating with him. Mark trusted the fraudster because, among other things, he had no doubts about the unknown girl. After that, the job offer was perceived by Mark not as an obvious trick but as some kind of good fortune. At that moment, the victim was already on the hook. It would have been right to keep thinking critically and to soberly assess the situation.
As soon as it became clear that the victim could be worked with, the scammers sent him a link to a phishing site disguised as the Shein trading platform. The most obvious sign of deception is the site's URL: ussheim668[.]com. Here we see a typical address for a phishing site. But, as mentioned above, at this stage, the victim had stopped thinking critically. In addition, his lack of basic Internet security knowledge affected the situation. By clicking on such a link, Mark violated the first rule of online behaviour — do not follow suspicious links.
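The URL check described above can be automated. The following is an added example, not part of the original article: it flags hostnames that imitate a brand by a one-letter substitution, by using the brand outside its own domain, or by a numeric suffix. The official domain shein.com and the two-label shortcut for the registrable domain are assumptions; all hosts other than the one quoted in the article are constructed.

```python
import re

# Assumption: the brand's legitimate registrable domain (not stated in the article).
OFFICIAL_DOMAINS = {"shein.com"}
BRAND = "shein"


def normalise(host: str) -> str:
    """Lower-case a hostname and undo the '[.]' defanging used in reports."""
    return host.lower().replace("[.]", ".").strip(".")


def near_misses(letters: str, brand: str) -> list[str]:
    """Substrings of brand length that differ from the brand by exactly one letter."""
    n = len(brand)
    windows = {letters[i:i + n] for i in range(len(letters) - n + 1)}
    return sorted(w for w in windows
                  if sum(a != b for a, b in zip(w, brand)) == 1)


def lookalike_reasons(host: str) -> list[str]:
    """Return the reasons a hostname looks like a brand impersonation."""
    labels = normalise(host).split(".")
    # Simplification: the registrable domain is taken as the last two labels;
    # production code should consult the Public Suffix List instead.
    if ".".join(labels[-2:]) in OFFICIAL_DOMAINS:
        return []
    reasons = []
    for label in labels[:-1]:                      # skip the TLD
        letters = re.sub(r"[^a-z]", "", label)     # drop digits and hyphens
        if BRAND in letters:
            reasons.append(f"brand '{BRAND}' used outside its official domain")
        for miss in near_misses(letters, BRAND):
            reasons.append(f"'{miss}' is one letter away from '{BRAND}'")
        if re.search(r"[a-z]\d{2,}$", label):
            reasons.append(f"numeric suffix on label '{label}'")
    return reasons


if __name__ == "__main__":
    # The first host is the one quoted in the article; the others are constructed.
    for h in ["ussheim668[.]com", "www.shein.com", "shein.com.login.example"]:
        print(h, "->", lookalike_reasons(h) or "no findings")
```

This is a heuristic: a legitimate word that happens to sit one letter from the brand will also be flagged, so findings are a prompt for a closer look rather than a verdict.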
In the case of Mark, the fraudsters managed to steal not only money but also the victim's passport data. As mentioned above, in order to register the store, Mark had to upload a certain document, allegedly to create a personal identifier. Since Eliza directly assisted the victim with registration, she stressed that Mark had to upload his real document and that it could be a passport. Moreover, the victim could specify links to their social networks in the created profile. As a result, the attackers collected a significant set of data. It is worth noting that any "junk" text file could be uploaded in the document upload field. There was no verification of the uploaded file on the site, nor was there any verification of other input data, such as the email address. This suggests that no "random" people were supposed to be on the platform — all the victims were led there by the scammers personally.
The way the personal account area worked was also noteworthy. All the victims were directed according to the same scenario — from cheap goods to expensive ones. The site ran the same type of script, which over time generated more and more expensive goods. The solution is "elegantly" designed because the fraudsters' earnings depended on the victim's capacity to pay. Simultaneously, "tech support" and "Eliza" worked with Mark so that he did not have time to suspect that something was wrong.
The mechanism for replenishing the virtual balance deserves special mention. To replenish the virtual balance, the victim was redirected to a separate website, which was disguised as a payment gateway. In fact, it was a static page controlled by the intruders. The victim entered the top-up amount, after which the page generated a card number and offered to transfer this amount using the card number to an individual via their bank. Thus, Mark violated the second rule — never send money transfers to unknown persons. At the same time, different card numbers were generated for each request, and after a transfer, they were no longer available in the bank's payment documents.
In their scheme, the scammers also used a typical trick — for starters they allowed the victim to withdraw a small amount of money. Once he was assured that everything worked, Mark sent his money to the attackers with more confidence. Of course, he lost all subsequent transfers, and his earnings were never directly expressed.
Finally, Mark violated the third rule — he transferred money to pay the commission in order to “save” his invested money. The fraudsters were versed in psychology and deliberately made it clear that non-payment of the commission would lead to the money in his virtual balance going up in smoke. In doing so, they hurried the victim. In this difficult situation, it is also very hard to think critically and to remember that the commission should be included in the money transfer. In addition, Mark found himself in a "stand or fall" situation and decided to take a risk. Therefore, such a technique can be referred to as a classic trick of intruders, which, alas, still works perfectly.
Fraudulent schemes involving fake marketplaces have recently become very common. In this article, we described a real case in order to show in detail how a victim is deceived. One can only guess at the scale of such cybercrimes. Taking into account today's economic situation, it is possible to predict a further increase in online fraud, as many people are actively looking for ways to earn extra money, and attackers take advantage of that by offering easy ways to increase one’s capital.
The Anti-virus Times recommends
Instead of the set of recommendations that have repeatedly appeared on our pages, we invite readers to share the basic rules of online behaviour with their family and friends. The more people learn about the dangers of online fraud, the fewer victims we’ll see voluntarily handing over their money to criminals. Forewarned is forearmed.
Let this illustrative story save you and your friends from falling into the clutches of cybercriminals.