Resecurity has identified a wide-scale fraudulent campaign targeting consumers in the UAE by impersonating law enforcement.
Victims are asked to pay non-existent fines online (traffic tickets, parking violations, driving license renewals) following multiple phone calls made on behalf of Dubai Police officers. This social engineering scheme has been amplified by targeted phishing, smishing, and vishing activities, with a noticeable increase around the winter holidays. Dubai Police have warned against calls from scammers asking for financial details, reminding residents that official institutions will never request this information over the phone.
Notably, a spike in fraudulent activities has been detected around a significant date for the UAE – National Day, now known as Eid Al Etihad, celebrated annually on December 2. The Ministry of Human Resources and Emiratisation (MoHRE) has announced that December 2 and 3, 2024, will be official paid holidays for all private sector employees in the UAE. Cybercriminals quickly took advantage of this festive period, when citizens were relaxed and less vigilant at home, resulting in financial losses.
According to a recent Strategic Analysis Report released by the UAE Financial Intelligence Unit (UAEFIU), fraud, particularly in the UAE, remains a major risk, contributing to money laundering activities, with an estimated financial loss of AED 1.2 billion (equal to USD 326 million) between 2021 and 2023. The expert report by the authority outlined that vishing, phishing, and smishing are the top fraud types in the UAE, based on the analyzed STRs (Suspicious Transaction Reports) and SARs (Suspicious Activity Reports).
Rogue Law Enforcement – Scam Exploiting Trust
The actors launched a sophisticated campaign, targeting multiple victims with phone calls from individuals impersonating law enforcement officials requesting payment arrangements. A month earlier, Dubai and Abu Dhabi Police warned citizens not to share their confidential information, including their account, card details or online banking credentials.
The actors became more creative. Before contacting victims, they sent fake payment requests via SMS/iMessage and email notifications mimicking Dubai Police branding, which included a payment page. This caused confusion among victims, who assumed they were receiving legitimate instructions to act.
In one documented call reported by Resecurity, the victim was contacted by an individual with an Indian accent and background noise typical of call centers. The individual introduced himself as an inspector and warned the victim that if he did not pay, his driving license would be revoked and his vehicle would be seized. Typically, such fraudsters are part of organized crime groups that pressure victims and extort payments.
Further smishing scenarios included a reference to a minimal fine, which encouraged the victim to provide credit card details. The low amount and the notification from Dubai Police tricked many victims. Once the credit card details were entered, cybercriminals used them for much higher charges at merchants they controlled, which were registered to money mules. A smishing scenario involved imitating an online payment form copied from legitimate e-government resources to pay penalties for traffic violations. Multiple variations designed for PC and mobile devices were detected, including scenarios involving the theft of personally identifiable information through a fake UAE PASS form. Resecurity identified over ten different templates that bad actors used to bypass spam filters.
Notably, some of the domain names identified in the observed campaign have been registered via Chinese domain registrars. Based on available Passive DNS records, Resecurity identified over 144 domain names registered by the actors in the .com, .om, .site, .top and .icu domain zones. Notably, some of them were registered between September and November 2024.
According to independent research, a 40 percent increase was identified in phishing attacks involving the new generic top-level domains (gTLDs), which attract fraudsters due to low prices and a lack of registration detail validation requirements, thereby opening doors for abuse.
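The indicators described above (Dubai Police and UAE PASS branding on non-official hosts, and low-cost gTLD zones) can be turned into a simple triage score for reported SMS or email bodies. This is an added example, not Resecurity's tooling; the brand and lure term lists, the `.gov.ae` allowlist, the weights and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

NEW_GTLDS = {"site", "top", "icu"}   # low-cost zones named in the report
BRAND_TERMS = ("dubaipolice", "dubai-police", "uaepass", "uae-pass")  # assumed list
LURE_TERMS = ("fine", "traffic", "parking", "license", "penalty")     # assumed list
OFFICIAL_SUFFIXES = (".gov.ae",)     # assumed allowlist; replace with your inventory
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hosts_in(text):
    """Return the lower-cased hostname of every http(s) URL in the text."""
    hosts = []
    for raw in URL_RE.findall(text):
        try:
            host = urlsplit(raw.rstrip(".,;:)!?")).hostname
        except ValueError:           # malformed URL such as an unclosed "["
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def score_message(text):
    """Score one SMS or email body; returns (score, reasons)."""
    score, reasons = 0, []
    unofficial = [h for h in hosts_in(text) if not h.endswith(OFFICIAL_SUFFIXES)]
    for host in unofficial:
        if any(term in host for term in BRAND_TERMS):
            score += 3
            reasons.append(f"brand term in non-official host {host}")
        if host.rsplit(".", 1)[-1] in NEW_GTLDS:
            score += 2
            reasons.append(f"low-cost gTLD host {host}")
    if unofficial and any(term in text.lower() for term in LURE_TERMS):
        score += 1
        reasons.append("fine/penalty wording next to a non-official link")
    return score, reasons

def is_suspicious(text, threshold=3):
    """A brand term on a non-official host is enough on its own to flag."""
    return score_message(text)[0] >= threshold

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "Dubai Police: unpaid traffic fine AED 50. Pay: https://dubaipolice-pay.example-constructed.top/f?id=1",
    "Your parking fine receipt: https://www.dubaipolice.gov.ae/receipt",
    "Parcel update: https://track.example-constructed.icu/x",
    "Renew via UAE PASS: http://uaepass-login.example-constructed.com/",
]
```

A score like this is a triage aid for a mailbox of user reports; domain registration age from WHOIS or Passive DNS, which the report also relies on, would be a natural additional signal.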
Previously, Resecurity described multiple episodes of Smishing Triad activity targeting online banking, e-commerce and payment systems customers in other geographies, including the USA, EU, UK, Pakistan, India, UAE and KSA.
The experts estimate the scale of threat actors’ activities: they send between 50,000 and 100,000 messages daily. To achieve this, they leverage stolen databases acquired from the Dark Web, which contain citizens’ sensitive personal data, including phone numbers.
(SecurityAffairs – hacking, Smishing Triad)