A new report from Singapore-based Group-IB, a leading cybersecurity research firm, outlines a new and quickly growing segment of fraud scams: so-called “targeted links.”
This new approach blends elements of digital marketing, such as targeted advertising and participation in legitimate well-known ad networks, with more typical phishing and spoofing approaches. It has become particularly common for threat actors using this approach to pose as popular brands and use surveys (with the promise of a reward at the end) to harvest a variety of sensitive personal and financial information.
Fraud scams increase in sophistication as digital marketing elements are added
Group-IB finds that campaigns involving targeted links have been observed in 90 countries around the world; some of the biggest names on the list are Singapore, Australia and Malaysia. The way these fraud scams work, and the success they have had, suggest that they will appear everywhere else before long. Thus far, schemes involving targeted links are netting about $80 million per month from a pool of about 10 million victims globally.
One of the keys to these fraud scams is that perpetrators do not rely on impersonating the same companies or using the same offers over and over. Using some elements of targeted advertising, they can even switch up the contents of the fake survey (and the promised reward) to take advantage of the existing business relationships and preferences of victims. Group-IB reports seeing at least 120 companies impersonated thus far.
The basic setup of these fraud scams is essentially the same as the average phishing attempt: get the victim to follow a malicious link to an attack site. But these scams do much more than send a spoofed email with some company branding attached to it. Targeted links make use of elements of the entire digital advertising ecosystem to deliver these personalized links to potential victims. In addition to emails, text messages and social media posts, the attackers make use of advertising networks that span both legitimate and illicit sites.
Whatever the medium, the attack message invites the target to a survey purportedly hosted by a legitimate big-name consumer brand. The victim is promised some sort of reward for completing the survey. Victims who click on the initial link are taken into a “traffic cloaking” system that routes them through a maze of redirects to different URLs, where they are asked various questions while their hardware and settings information (such as language and time zone) is collected in the background.
This maze is designed to do two things. One is to frustrate tracking by law enforcement. The other is to use the gathered information to create a specific survey link tailored to the individual user. These targeted links can thus adapt to a wide variety of languages and cultures.
The target is then redirected to a legitimate-looking survey that appears to be from the brand. It is usually hosted at a “lookalike” URL that is very similar to that of the actual brand. Upon completion, the target is asked for a variety of personal information in order to collect their prize: their full name, email address, postal address, phone number, and bank card data including expiration date and CVV. Some of the bolder of these fraud scams will even ask the victim to make a “test payment” before receiving the prize.
The stolen information is then used to drain accounts, and also may be sold on the dark web.
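For defenders, the two traits described above (a multi-domain redirect maze that ends on a lookalike brand host) can be checked together on a redirect chain recorded from web-proxy or sandbox logs. The following is an added example, not code from Group-IB or the original article; the brand list, the thresholds and the sample chain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the brand domains this organisation wants to watch for.
BRANDS = ("verizon.com",)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels; a simplification (production code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitated_brand(host, brands=BRANDS, max_dist=1):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    if registrable(host) in brands:
        return None  # the brand's own domain
    # Compare every label and hyphen-separated token against the brand name.
    tokens = host.lower().replace("-", ".").split(".")
    for brand in brands:
        name = brand.split(".")[0]
        if any(len(t) >= 4 and edit_distance(t, name) <= max_dist for t in tokens):
            return brand
    return None

def assess_chain(urls, min_domains=3):
    """Score one redirect chain, given as the ordered list of URLs visited."""
    hosts = [urlsplit(u).hostname or "" for u in urls]
    domains = {registrable(h) for h in hosts}
    brand = imitated_brand(hosts[-1])
    return {"hops": len(urls) - 1, "domains": len(domains), "imitates": brand,
            "suspicious": brand is not None and len(domains) >= min_domains}

# Constructed sample chain (reserved .example/.test names, not real indicators).
SAMPLE_CHAIN = [
    "https://ads.example/click?id=1",
    "https://r1.tracker.test/go",
    "https://r2.hop.test/next",
    "https://verlzon-survey.example/prize",
]

if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN))
```

An edit-distance threshold of 1 catches single-character swaps such as "verlzon" but will produce false positives for short brand names, so tune it per brand.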
Targeted links growing in frequency, telecommunications and retail brands most commonly used
Numbers gathered by Group-IB indicate that attacks using targeted links have a regional focus at present, most likely due to the scammers using languages and brands they are familiar with. Analysis of the servers behind these fraud scams finds that the threat actors most frequently target internet users in Europe, Africa and Asia. The researchers found about 60 groups operating scams of this nature, each using around 70 URLs.
The scammers also show a preference for impersonating telecommunications companies and retail sites (with a special focus on ecommerce platforms). Though the targeted links approach is not yet commonly seen in North America, the scammers most often impersonate American telecommunications companies. A fake survey from Verizon was shown as an example of one of these attacks.
Much as ransomware recently evolved to better fit modern circumstances and adapt to security changes, Group-IB believes that fraud scams are becoming more targeted and innovative in response to greater security awareness and automated filtering measures.