The spread of COVID-19 has led to a sharp increase in cyber fraud in a very unexpected sector: the delivery of goods purchased over the Internet. Exploiting the restrictions associated with isolation, scammers steal users' money and card data through fake websites of popular courier services. Group-IB specialists have already sent more than 250 phishing resources for blocking.

The experts at CERT-GIB (Group-IB's center for response to cyber incidents) investigated the structure, activity and monetization mechanism of several groups that make money on the “Express scheme”. According to the experts, the quarantine imposed to prevent the spread of COVID-19 has, by various estimates, increased demand for express delivery services by 30-40%. It should be noted that the CERT-GIB experts first recorded this type of fraud long before the emergence and spread of COVID-19, in August of last year, when the first victims contacted them. But the peak of the attackers' activity came in the spring of 2020, when the restrictions were imposed. Overall, over the last six months the number of phishing domains registered under courier service brands has, according to the experts, increased sevenfold.

The cyber fraud scheme is quite simple. On popular free classified ad services that sell all kinds of products, the schemers place so-called decoy lots: ads offering a wide range of products at heavily discounted prices, such as chainsaws, car sound systems, sewing machines, fishing gear, sports equipment, game consoles, etc.
The services are struggling with uninvited “guests”, but the fraudsters constantly find new ways to bypass the blocking of their messages.

“We block the ability to insert links to external resources in the “Avito” messenger in order to avoid fraudulent phishing schemes,” says Andrey Rybintsev, Director of Trust & Safety at “Avito”. “The company technically controls all the processes on the platform; however, if the user goes to third-party messengers for the transaction, we can’t track his actions.”

This is done ostensibly for the convenience of the customer; in fact, the fraudster takes the buyer to a third-party site so that the security services cannot track him. Next, the victim’s personal data is collected, ostensibly to arrange the delivery, and the buyer is sent a link to the website of a popular courier service. This is actually a phishing page that completely copies the design of the courier or postal brand and uses a domain name similar to the original. These pages have no relation to the genuine sites of the services. On the fake page, the attacker himself fills out the parcel shipping form, using the data received from the buyer. The victim is invited to check that the information is correct and to make the payment by entering their card details. As a result, the buyer loses the money and the card data, and is left without the goods. The average bill for one such “purchase” is approximately 15-30 thousand rubles.

Often the fraudsters then cheat the victim again. A few days after payment the buyer is told that there has been an emergency at the “post office”: an employee was caught stealing, the ordered goods were confiscated by the police, etc., so to recover the transferred amount it is necessary to issue a “refund”. After that, the same amount is debited from the card again.

The role of each participant in the group and their remuneration are clearly defined. Communication, training of “beginners” and internal accounting are organized with the help of a Telegram bot.
The backbone of the group is the “administrators”, who handle the registration of domains, the creation of phishing resources posing as a “courier service”, the recruitment of staff and the distribution of the stolen money. On some forums or in a Telegram channel, the “admins” advertise the hiring of “workers”, who post numerous bait ads on popular free classified ad services, communicate with the victims (who are often referred to as “mammoths”) in messengers and send them to the phishing page of the “courier service” for payment. One of the chat bots recorded numerous transfers of 7.3 thousand to 63.9 thousand rubles: first the money goes to the “admin's” account, then he distributes the income among the remaining members of the group. As a rule, the “workers” receive 60-80% of the transaction amount to a crypto wallet.

All the criminal groups, the experts say, are interested in expanding the business. One of them, which calls itself Dreamer Money Gang (DMG), hires “workers” via a Telegram bot and promises training, “the best domains on the market” and fast payouts with no hidden interest. DMG's daily turnover, according to the Group-IB experts, exceeds 200 thousand rubles.

“The demand for delivery services during the pandemic has led to explosive growth in the popularity of the “Express scheme”: we now see about 100 ads on hacker forums where groups advertise their services and are actively recruiting performers,” said Alexander Kalinin, head of CERT-GIB. “Once again we draw the attention of users of delivery services and free classified ad services to the need for vigilance. We actively block such fraudulent resources, but they may reappear with the growing demand for courier services.”

The staff of CERT-GIB, together with the specialists of SDEK and “Avito”, have prepared recommendations on how to avoid becoming a victim of the scammers: in addition, only official sites should be trusted; similar addresses are forgeries.

Alexander Alexandrov