Researchers have observed a current credit card stealing campaign dubbed Classicscam in Singapore, in which the payment details of the sellers on classified websites are swiped via an elaborate phishing scheme.
The credit card stealers tried to transfer funds to their accounts through a one-time passcode on the targeted bank’s authentic platform. The researchers monitoring this attack observed a recent surge last March. They claimed that this recent attack is a part of a global credit card stealing operation that was first discovered two years ago.
The campaign has reached Singapore, implying that this criminal operation is still blossoming and expanding its attack scope.
Experts emphasised that Classicscam is a sophisticated credit card stealing campaign that targets classified sites.
Classicscam is an automated scam-as-a-service platform that targets users of classified websites trying to sell or purchase anything endorsed on the web pages. The scheme also focuses on crypto exchanges, delivery companies, moving firms, financial institutions, and other service providers, reflecting its targeting scope.
The scam service relies on its Telegram channels for endorsement and operational coordination. Further, the attack has caused nearly $30 million in damages since 2019.
According to the researchers, the criminal network has approximately 38,000 registered users who receive nearly 75% of the stolen amounts, while the platform administrators get a 25% share.
In this Singapore-based threat campaign, the operation utilised 18 domains that behave like a space for developing phishing websites via Telegram bots. In the attack, the scammers will approach the seller and declare interest in purchasing its products. The adversary will then send them the URL of the generated phishing website.
If the targeted seller accesses it, they will land on a website that appears as part of the classified domain, implying that the scammers have processed the payment for the item.
The attacker’s website will then ask for the seller’s full card details to receive the payment for the purchase, such as their card number, expiration date, holder’s full name, and the CVV code.
Subsequently, the targeted victim will receive a phoney OTP page from the actors. At the same time, the Classicscam service utilises it to log in the scammers on the legitimate banking portal through the reverse proxy.
Lastly, to differentiate the valuable accounts from those with non-significant funds, the victim will be asked by the site to enter their account balance for a supposed verification step.
