by Nurhuda Syed

Group-IB detects $64.5M phishing scam in APAC

05 Sep 2023 | 3 mins

Australia, Singapore and Malaysia were hit hard by Classiscam’s global campaign.

A global scam-as-a-service operation called Classiscam has stolen an estimated US$64.5 million from victims in Telegram channels since 2019.

According to findings by cyber security vendor and service provider Group-IB, victims in Australia were the most targeted in the Asia Pacific (APAC) region at 34.6 per cent.

Other heavily affected countries were India (11.5 per cent), Hong Kong (10.3 per cent), Singapore (7.7 per cent) and Malaysia (5.1 per cent).

Group-IB’s analysts found that the automated scheme uses Telegram bots to create ready-to-use phishing pages impersonating companies in a range of industries, including online marketplaces, classified sites and logistics operators.

These phishing pages are designed to steal money, payment data and, recently, bank login credentials from unsuspecting internet users.

Over 251 unique brands in a total of 79 countries were used on Classiscam phishing pages from the first half of 2021 to 2023, with one particular logistics brand being impersonated by scammers in as many as 31 countries.

Group-IB found that the average amount lost by Classiscam victims worldwide was US$353. 

While users in APAC were less likely to fall victim to Classiscam schemes, victims in Singapore lost US$682 on average, with those in Australia losing US$515.

Classiscam originally appeared in Russia before being launched across the globe. The scam-as-a-service affiliate program surged in popularity in spring 2020 with the emergence of COVID-19 and the subsequent uptick in remote working and online shopping.

Group-IB experts noticed how the scam was first exported to Europe, before entering other regions such as APAC, the US and the Middle East and Africa (MEA).

Classiscam operations have become increasingly automated over the past two years. The scheme now utilises Telegram bots and chats to coordinate operations and create phishing and scam pages in a matter of seconds.

“Classiscam shows no sign of slowing down and the ranks of the Classiscammers are continuing to swell,” said Afiq Sasman, head of Group-IB’s Computer Emergency Response Team (CERT) for APAC.

“Over the past year, we have seen scam groups adopt a new expanded hierarchy and roles within organisations are becoming increasingly specialised. Classiscam will likely remain one of the major global scam operations throughout 2023 due to the scheme’s full automation and low technical barrier of entry.”

Since the second half of 2019, when Group-IB’s CERT first identified Classiscam’s operations, the team has discovered 1,366 separate groups leveraging this scheme on Telegram.

Experts from Group-IB examined Telegram channels containing information about 393 Classiscam groups with more than 38,000 members that operated between 2020 and 2023. During this period, these groups made combined estimated earnings of US$64.5 million.

Group-IB noted that the threat actors behind Classiscam have been formalising and expanding the scam model’s operations. The company will continue to share its findings about the scam operation, drawn from its proprietary Digital Risk Protection solution, with law enforcement authorities.