Cybersecurity firm Group-IB, an international company and Skolkovo resident that specializes in cyberattack prevention, has uncovered Russian scam groups that recently began conducting activities in Europe, the United States, and the CIS. The groups, which steal money and bank card data from victims using fake websites that mimic popular online services, are active in Romania, Bulgaria, France, Poland, Czech Republic, US, Ukraine, Uzbekistan, Kyrgyzstan, and Kazakhstan. According to Group-IB, the scammers comprise no fewer than 20 groups.

"The Mammoth Goes Abroad - Russian-speaking scam groups move into CIS, the US, and EU.". Source: Group IB.

In 2020 alone, these criminal groups stole approximately $6.2 million and Group-IB has stated that this sum could increase. Analysts predict that the fraud scheme developed within Russia is scaling up into European and American online spaces, where cybercriminals can increase their income with a lower risk of getting caught. With this in mind, companies in the scammers’ crosshairs will need to improve and consolidate their online security strategy to minimize the risk of becoming a victim.

The Mammoth Goes Abroad

The so-called “Mammoth” scheme – among fraudsters “mammoth” is a slang term for victim – was already spotted as early as 2019 by CERT-GIB and Group-IB specialists after a number of fraud victims turned to them for help.

When the pandemic struck and people began working remotely, the fraud groups reaped the rewards as online sales increased by up to 40% along with demand for courier services. This was yet another gap for fraud groups to exploit.

“If during the summer of 2020 we blocked 280 fake web resources that were exploiting courier delivery services, by December that number had increased tenfold up to 3000 sites,” said Yaroslav Kargalev, the deputy head of CERT-GIB. “Active countermeasures against fraudsters by Group-IB as well as the companies that own courier services and message boards has driven criminal groups to move their online activities abroad to the CIS and countries in Europe. These malicious actors have also found new niches such as home rental websites and bookmakers. The Russian internet space has once again become a testing ground, allowing fraudsters to scaleup their business onto the international arena.”

A Scam in the West

Right now, specialists from Group-IB Digital Risk Protection and CERT-GIB have highlighted 40 active criminal groups that are running a fraud scheme with fake courier delivery and half of these are already operating outside Russia. The scam itself has not undergone any serious changes, but it has been localized for East and West European markets as well as for the CIS markets.

The scammers fool users by posting bait ads on popular free ad services, showing intentionally lowered prices for goods such as cameras, game consoles, laptops, smartphones and so on. The purchaser contacts the seller who then “processes” it, creating a feeling of trust and “moves” further communication into a messenger app.

In spite of the fact that many courier services and message boards for sales of new and second-hand goods are adopting policies to protect users from fraudulent activity, including posting warnings on their own resources, this often does not stop buyers.

As a rule, the messenger asks for the victim’s contact information to confirm delivery with a courier service. Following this, a link to one of the popular courier service websites is sent to the victim to pay for the delivery, although the site itself is fake. The result is that the victim’s money and bank card details stolen. The scheme offers various options whereby some victims can be defrauded again – through a “refund” – and the same sum of money is taken from the card.

In 2020 Group-IB specialists identified isolated cases where fraudsters used foreign courier service brands and free ad platforms. From February phishing scams began appearing on a Ukrainian version of the OLX free ad website. In April, scams appeared on the Belarussian free ad website Kufar as well as CDEK (Belarus) and Belpost. Towards the end of August, scammers had mastered the Ukrainian marketplaces and and had also entered the CIS markets using the French website Lebencoin for free ads. Over the last month, they have found examples of the Polish brand Allegro and the Czech brand Sbazar being exploited by scammers. Based on the results of an analysis of closed forums and chats, fraudsters are preparing to use FedEx and DHL Express in the US and Bulgaria, and CDEK in Kazakhstan and the US.

If the damage in Russia from a fraudulent operation amounts to between 10,000-30,000 rubles (€110-€330), then the sum in Europe could be even greater due to the higher purchasing power among online users and their lack of preparedness for this new type of fraud.

Pyramid of Fraud

The structural hierarchy of the fraud groups is in the shape of a pyramid. At the top level are the organizers – the admins (Topic Starter) – who are responsible for recruiting new participants, creating phishing pages, registering domains, and consulting on solving “Error 900” when a bank blocks an operation or a bank card to which they, the fraudsters, are attempting to transfer money. The admins get between 20-30% of the revenue. “Workhorses” – workers – work explicitly on communicating with the victims and uploading phishing websites and get 70-80% of the takings for this.

All dealings and transactions by workers are displayed in a separate Telegram-bot, where the sum is shown, along with the payment number and the recipient’s nickname. The most successful workers can reach the so-called “top rating,” where members have influence on project development and access to VIP-scripts to work, for example, on more lucrative European and American sites. “Callers” and “refunders” act as helpers for workers and get between 5-10% for their support service.

By analyzing the payment messages in chat bots, Group-IB analysts found that 20 out of the 40 active fraud groups are focused on foreign countries. On average, they are earning $60,752 a month, although the income differs from group to group and is in no way uniform. Overall, the monthly income of the 40 most active criminal groups amounts to no less than $522,731 a month.

Phishing Kit from Telegram

The simplicity and adaptability of the Mammoth scheme is the main reason for the sharp increase in this type of fraud, with Telegram chat bots facilitating automated management of the scheme and the spread of phishing. There are over 5,000 unique scammers in the top forty chats.

Now it is enough for a worker to send a chatbot link to the bait product, after which the bot itself generates a full phishing kit: links on courier service pages for payment and refund. Over ten different types of Telegram bots exist that create pages using foreign brands in France, Bulgaria, Romania, Poland and Czech Republic. Under each brand and country, the scammers write instruction scripts that help new workers log in on foreign sites and conduct dialogue with victims in the local language.

Aside from that, chat bots are linked to “shops” where you can buy accounts for different messaging boards, digital wallets, targeted email newsletters, manuals and so on, including finding a lawyer who will defend a scammer should they be caught and end up in court.

“For now, two things are serving as obstacles to this fraud scheme scaling up: the language barrier and the difficulty with transferring cash from abroad,” said Andrey Busargin, the deputy head of Group-IB for Digital Risk Protection. “Once these obstacles are overcome, we expect a fraud boom in the West. On the flip side, such popularity will mean competition between the scammers themselves who often unknowingly try to rip each other off.”

How to fight Mammoth: recommendations for brands and users

Compared to Russia, where courier services, free ad websites, and property rental resources took the strongest hit from Mammoth, the vast majority of security personnel in international companies are unprepared for this type of fraud. Classic types of monitoring and blocking is no longer enough – it is necessary to identify and block the infrastructure of criminal groups by using an automated DRP class detection system for identifying and eliminating digital risks based on artificial intelligence, the knowledge base of which is regularly fed with information about the infrastructure, tactics, and tools of new fraud schemes.

Advice for users is simple but necessary when making online purchases: Trust only official sites. Before entering your card details, study the web address carefully, Google it and check when it was created. If the site is a couple of months old, there’s a good chance that it is fraudulent. When using home rental services or services for selling new and second-hand goods, do not go to messengers, conduct all communication on the chat service. Do not make a prepayment for goods until you have received the product and are certain it is in good condition. Large discounts are one of the signs that you are looking at a “bait product” and that the site has been created by scammers.