Expansion of “Classiscam” Fraud-as-a-Service: Banks and 251 Brands Targeted

The “Classiscam” fraud-as-a-service operation has significantly expanded its global reach, encompassing a broader range of brands, industries, and countries. This expansion has resulted in heightened financial losses compared to previous instances.

In a manner reminiscent of ransomware-as-a-service endeavors, this operation, active on Telegram, collaborates with affiliates who utilize phishing kits to craft counterfeit advertisements and pages. These deceptive creations are designed to illicitly gather funds, credit card particulars, and more recently, banking credentials.

The profits generated are then divided between the developers and their affiliates. The developers receive a portion of 20-30% of the revenue, while the remainder is allocated to the affiliate responsible for the scam.

Initially uncovered by Group-IB in 2019, this criminal platform witnessed rapid growth, serving 40 cybercrime factions that collectively amassed $6.5 million during 2020.

In 2021, Classiscam further extended its operational scope, encompassing 90 Telegram channels vending scam kits, with a registered membership of 38,000 and an estimated cumulative financial impact of $29 million.

Group-IB has unveiled fresh insights into the operation, asserting that Classiscam has generated $64.5 million by exploiting users of classified sites, purloining funds and payment card data.

The tally of targeted brands has surged from 169 in the preceding year to 251 at present. Moreover, 393 criminal groups spanning 79 countries are now involved in the operation, coordinating through 1,366 Telegram channels.

This campaign predominantly focuses on Europe, with Germany heading the list of most frequently targeted victims, followed by Poland, Spain, Italy, and Romania.

Among affected internet users, those in the UK have incurred the highest average loss per Classiscam transaction at $865, compared to the global average of $353.

Group-IB’s findings highlight the heightened automation within Classiscam, facilitated by Telegram bots that swiftly produce phishing and scam advertisement pages.

Furthermore, the hierarchy of participating criminal factions has become more intricate, leading to significant enhancements in the sophistication of phishing sites. Presently, Classiscam phishing sites execute balance assessments to gauge potential maximum charges, alongside featuring counterfeit bank login pages for capturing victims’ e-banking account credentials.

Group-IB analysts have identified 35 scam groups employing phishing sites mimicking the login pages of 63 banks in 14 countries, including financial institutions in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.

Regrettably, the Classiscam operation persists in its expansion and enhanced effectiveness at defrauding individuals, likely to attract more cybercriminals to its ranks.

To mitigate the risk of falling victim to these scams on classified sites, users are advised to exclusively communicate within the site’s messaging system, refrain from transferring funds to sellers, exercise caution with unusually low prices, and opt for secure payment methods that offer fraud protection.