Russian hackers steal more than $6 million from European and U.S. residents in 2020

Twenty Russian-speaking hacker groups stole money using fake websites mimicking popular courier services and marketplaces.

In 2020, Russian-speaking hacker groups used fake courier and marketplace websites to siphon off more than $6.2 million from citizens of Europe, the U.S. and the CIS, according to Group-IB, a cyberattack prevention company.

The scheme itself was dubbed ‘Mamont’ (Russian for “mammoth”, hacker slang for “victim”). It first appeared in Russia in summer 2019; in spring 2020 it was deployed in other countries as well, in connection with the coronavirus pandemic, the switch to remote working and surging demand for online courier services, explains Group-IB.

The scheme works as follows: cybercriminals use popular free ad services to place clickbait offering cameras, games consoles, laptops, smartphones and other goods at low prices. The hopeful buyer contacts the “seller”, who makes sure that the “sale” is carried out away from the official platform, via a messenger app.

Once communication is established there, the victim provides contact information for delivery of the goods through a courier service, such as DHL, FedEx or CDEK. After that, they receive a link supposedly to the website of said courier service for payment of delivery. In fact, the user is redirected to a fake page for entering card details, which are then stolen, together with the money. Sometimes the cybercriminals offer to “return” the debited funds on another page with a fake return request form. This only results in the same amount being debited from the victim’s account.

Scammers have used this scheme to steal money from people in the following countries:

  • U.S.
  • France
  • Poland
  • Czech Republic
  • Bulgaria
  • Ukraine
  • Uzbekistan
  • Kyrgyzstan
  • Kazakhstan

Scammers are actively faking the websites of popular international classifieds and marketplaces, among them ‘Leboncoin’ (France), ‘Allegro’ (Poland) and ‘Sbazar’ (Czech Republic). Analysis by Group-IB indicates that they are getting ready to exploit other brands as well, in particular FedEx and DHL Express in the U.S. and Bulgaria, and CDEK in Kazakhstan and the U.S.

Many cybercriminals create fake pages through special groups in Telegram, where they plant a link to a bait product in a chatbot and the bot itself creates phishing pages for courier services, payment and goods return.

Bots are able to create fake pages to mimic popular marketplaces, rental sites and bookmakers, which are then used in similar schemes. Such chatbots also provide links to “stores”, where users can purchase accounts for marketplaces, e-wallets, etc., or even hire a lawyer should the need arise.

Andrey Busargin, Deputy CEO for Digital Risk Protection at Group-IB

An analogous scheme exists for the purchase of goods, says Group-IB. The scammer first looks for a genuine seller on an ads site. Then, after arranging the sale in a messenger app, they ask the seller to send their card details, supposedly in order to receive payment; the card details are then stolen.

“For now, efforts to scale up the scam in Europe are hindered by two factors: the language barrier and difficulties with cashing out funds abroad,” notes Andrey Busargin, Deputy CEO for Digital Risk Protection at Group-IB. “Once these obstacles are overcome, we can expect a boom of fraud in the West. The downside for fraudsters is the competition this creates among themselves, since they often unknowingly try to dupe each other [in the case when a scam buyer writes to a scam seller].”
