Pierluigi Paganini
February 28, 2023
Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, the U.S. and other regions. The bad actors operating as an organized crime syndicate developed a massive infrastructure to impersonate popular Fortune 100 corporations from the U.S and the U.K by using their brands and market reputation to defraud consumers. Once payments are collected from the victims, they make previously created resources vanish and set up the next new campaign – this is why investigators named the group “Digital Smoke”.
According to the latest report by FTC released last week called “The Top Scams of 2022” people reported losing $8.8 billion to scams. The total damage from investment fraud including ponzi and pyramid schemes exceeds $5.8 billion in the U.S and over $77 worldwide (2022), with significant rapid growth at the start of Q1 2023. Investment fraud does serious damage to investors – beyond monetary losses. A FINRA survey points to health, marital and trust problems resulting from financial scams. Businesses experience significant damage in customer loyalty and brand reputation – in the long run negatively affecting sales and market profile.
Notably, the bad actors have chosen high-demand investment areas to impersonate world-known brands including ABRDN (UK), Blackrock (US), Baxter Medical (US), EvGo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Valesto Oil (Malaysia), Lloyds Bank (UK), and many more.
The majority of the identified fraudulent projects were related to financial services (FIs), oil & gas, renewable energy, EV batteries, electric vehicles, healthcare, semiconductors, and world-recognized investment corporations and funds with a global presence.
The information about Digital Smoke along with the identities of key actors has been timely shared with the Indian Cybercrime Coordination Center and the U.S. Law Enforcement in Q4 of 2022. As a result of the coordinated action and numerous domain takedowns, the majority of scam projects have been terminated.
Modus operandi of the group was focused on investment options in non-existing products and investment plans supposedly offered by Fortune 100 corporations and state-owned entities. The bad actors developed a large network of WEB-resources and related mobile applications hosted on bulletproof hosting providers, and located in jurisdictions not easily reachable for immediate takedowns – the total number of identified hosts in December 2022 alone exceeded 350+ with thousands of related domains used for ‘cloaking’ (Black SEO), hidden redirects and short URLs for protection of the payment gateway used by fraudsters to collect payments from victims leveraging AliPay (China) and Unified Payments Interface (UPI) – an instant real-time payment system developed by National Payments Corporation of India, along with cryptocurrencies. Notably, a combination of these methods enabled fraudsters to process funds with great flexibility – supporting Google Pay (GPay), PhonePe, Paytm, and major online-banking platforms.
The bad actors registered multiple fake domain names which had similar brand spelling then promoted them via social media and instant messenger apps to attract investors. Notably, the links planted by bad actors to register new victims contained a referral code tied to affiliates promoting the scam via Youtube and WhatsApp IM. Once the victim registers, the bad actors ask them to make a deposit by sending payment to an account registered in India.
Notably, the cybercriminals from Digital Smoke were focused on oil markets and renewable energy products. The impersonated Velesto Oil, a Malaysia-based multinational provider of drilling for the upstream sector of the oil and gas industry, along with major oil corporations including Shell, Glencore, Ovintiv and Lukoil. One of the latest brands abused in January 2023 was identified as ACWA Power based in the Kingdom of Saudi Arabia.
This aspect makes the campaign unique due to a strong focus on oil traders which typically is not widely used by investment scammers. In some of the observed scams, the bad actors offered victims the opportunity to invest in new oil fields, construction of petroleum stations, and technologies related to the renewable energy sector. It’s worth noting, some of the languages for this pretext was copied from existing investment programs, typically for entrepreneurs and franchises looking for new business opportunities in the oil and gas sector. This activity is not typical for cybercriminals and may clearly outline the differentiator of the Digital Smoke group. The activity spike was registered during the Christmas and New Year’s period when online activity skyrocketed, and when both Internet users and financial institutions get overwhelmed with logistics and payments. In Q1, 2023 – the activity continued to involve new impersonated brands from other fields including semiconductors and EV batteries.
Besides enterprises, the fraudsters had no fear when it came to targeting state-owned organizations and used their profiles to defraud users. One of the organizations impersonated by the Digital Smoke fraudsters was the India Brand Equity Foundation, a Trust established by the Government of India – Department of Commerce, Ministry of Commerce and Industry. Following a similar pattern, the bad actors created multiple scams which impersonated government resources in the United Arab Emirates by copying the profile of the Minister of State for Foreign Trade.
The Digital Smoke case is somewhat remarkable and may confirm how investment scams have now become more sophisticated than before. Fraudsters are investing large amounts of time and effort to prepare high-quality resources which look almost identical to their well-known investment product counterparts – in the case of Digital Smoke, for each investment scam they ran, they also created a separate mobile app with a unique design.
Digital Smoke has clearly demonstrated how bad actors leverage cross-border payments and various jurisdictions to complicate further investigation and identification of their victims. Investment fraudsters leverage this weakness to blur the origin of the activity as well as distribute payment flows by multiple merchants and money mules located in different countries. Resecurity identified a large network of money mules leveraging accounts in multiple financial institutions based in India that process the payments from victims. The accounts involved in fraudulent activity have been reported to law enforcement.
“Proactive fraud intelligence gathering enables to protect consumers and keep financial institutions aware about merchants used by cybercriminals. Their timely identification along with tracking of involved money mules helps to minimize potential damage caused by illicit activity.” – said Christian Lees, Chief Technology Officer (CTO) at Resecurity, Inc.
Notably, legitimate businesses that were impersonated suffer serious damages, both reputationally and from a customer loyalty perspective – that’s why an effective and ongoing brand protection system is one of the must-have solutions to minimize the negative side effects of such scams. Business leaders should consider monitoring the exposure of their brands online, including but not limited to social media, mobile marketplaces, and instant messaging services.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Digital Smoke)
