The history of scams: Part 1

Group-IB
4 min read · Jan 12, 2024

Group-IB’s High-Tech Crime Investigations team has been helping clients understand scams and uncover threat actors behind them for many years. In this series of articles, Group-IB investigators share their views on how a criminal community called Classiscam emerged, developed, and prompted the spread of scams throughout the world.

Underground forums

There are many online forums that cybercriminals use. Some of them are designed to appear neutral and are positioned as platforms for discussions and “nothing else”, while others are deeply integrated in the criminal world and provide advertising, guarantor and arbitration services.

Forums are usually specialized. Each has a unique community made up of active participants, sellers of goods and services, employers, and customers. Everyone knows where to get what. Some forums are used for finding malware specialists, others for money mules, and others for forged documents. Because each community is dedicated to a specific niche, they do not compete with each other, and many threat actors use several forums at once.

It is usually the same well-known platforms that make the headlines and are publicly described. Ransomware investigations tend to feature screenshots from one notorious forum, stories about phone fraud and scam call centers usually mention another, and major data leaks used to lead to RaidForums (shut down in April 2022).

Forums that are not connected with high-profile incidents are usually not interesting to security specialists. Many social engineering–themed platforms have their own community whose interests did not attract a lot of attention for a long time. Users on them never offered to cash out stolen millions, nor did they sell drugs, arms, zero-day vulnerabilities, or any serious malicious code. These forums were used for small-scale goods and services that had to do with social media and the gaming industry.

An average purchase on these platforms is not big: a compromised social media account is offered for half a dollar; the price of a Steam account is determined on the basis of the game and inventory in it and is usually between 2 and 80 dollars; increasing follower and like counts is almost free; and an e-wallet can cost as much as a SIM card. Similar prices feature in offers of jobs, services, and arbitrage.

These communities did not cause much damage and were primarily made up of adolescents. Without attracting the attention of security researchers or law enforcement agencies, these platforms gradually multiplied and evolved.

First steps

Where there is demand, there is supply, and these communities gradually became more criminalized. To obtain more accounts (Steam accounts, for example) to put up for sale, threat actors started using brute-forcing tools, stealers, and social engineering techniques. They also began thinking about their own security. The growth of this market started attracting highly skilled people.

By 2017–2018, this community had become quite similar to other criminal platforms. The forums had permanent moderators, guarantors, arbitrage services, and paid advertisement spaces. Even though transaction sums were extremely small compared to prices discussed on other, more established forums, this community looked quite mature.

There was a lack of everything, however: no experienced hackers, developers, skilled organizers, or scammers. Forum users tricked each other all the time, and anyone who was able to develop their skills left for other platforms. Still, even in these conditions, the desire to make money prevailed.

The community adapted and made up for the lack of hacking tools and skilled scammers by using social engineering techniques and relying on a large number of lower-skilled people. The first organized groups that emerged on social engineering–themed forums continued doing basically the same thing: stealing Steam and social media accounts. Now, however, this activity was coordinated much better.

Organizers provided links to phishing websites that imitated social media pages or gaming platforms. The task of sharing these links and convincing potential victims to enter their bank details was delegated entirely to the actual scammers. Manuals were provided, however.

After successful phishing attacks, organizers resold obtained accounts, and scammers received their remuneration (either a fixed amount or a percentage of stolen accounts’ market price).

This practice became popular, since everyone got what they wanted. Scammers did not have to deal with complex infrastructure to create phishing websites, nor did they have to resell obtained accounts. Organizers, on the other hand, did not have to spend time and effort to distribute phishing links and only paid for successful attacks.

To monitor scammers’ activities, organizers used simple admin panels, in which registered participants received ready-made links containing their personal identifiers. By tracking victims’ visits via these links, organizers determined which scammers had completed their task successfully.

Such groups operate to this day, even though they do not have high profits. Over time, this scheme became more complex and is now successfully used for stealing accounts belonging to popular bloggers. Instead of selling these accounts, however, threat actors demand ransoms from account owners.

While the scheme was effective, it had a major downside. We’ll talk about it, as well as about the further evolution of scams, in part 2 of our series.
