Saving World Health Day: UNICC and Group-IB Take Down Scam Campaign Impersonating the World Health Organization

News provided by

Group-IB

30 Apr, 2021, 08:37 ET

AMSTERDAM, April 30, 2021 /PRNewswire/ -- Group-IB, a global threat hunting and adversary-centric cyber intelligence company that specializes in investigating hi-tech cybercrimes, and the United Nations International Computing Centre (UNICC), detected and took down a massive multistage scam campaign circulating online on April 7, World Health Day. Scammers had created a distributed network of 134 rogue websites impersonating the World Health Organization (WHO) on its health awareness day, encouraging users to take a fake survey with the promise of funds in return. The scheme targeted millions of users worldwide with the goal of tricking them into visiting fraudulent third-party websites. Upon detection, Group-IB's Digital Risk Protection (DRP) reached out UNICC's Common Secure team as a trusted contact for cyber threat intelligence matters within the UN ecosystem, to assure that proper contacts within WHO were aware of the scam. Group-IB then took down all the scam domains. Group-IB researchers established that one scammer collective, codenamed DarkPath Scammers, is likely to be behind the campaign. The investigation is underway.

On April 7, Group-IB alerted UNICC about a fake website impersonating WHO branding. Visitors to the website were encouraged to answer a few simple questions in return for a 200-euro prize on the occasion of World Health Day.   

Once users answered the questions, they were prompted to share the link with their WhatsApp contacts. That way, scammers tried to ensure that their multistage scheme was distributed virally. The users would also see fake Facebook comments about the gifts the commentors supposedly received. Group-IB researchers discovered that when victims hit the share button and unknowingly involved friends in the scam, instead of receiving the promised reward they were redirected to third-party fraudulent resources that offered to take part in another lucky draw. By this time in the scam routine is no longer mentioned as users would visit a hookup website, inadvertently install a browser extension, or subscribe to paid services. In the worst-case scenarios, users would end up on a malicious or phishing website.

In addition to the scam's multi-stage nature, which makes it hard to detect, victims were shown customized content depending on their geolocation, user agent, and language settings. Group-IB's DRP team discovered that it was not a one-off short-lived website impersonating the WHO brand, but rather a sophisticated distributed infrastructure, which included a network of 134 almost identical domains that hosted web pages exploiting the World Health Day theme. Within 48 hours upon discovery, Group-IB managed to block all the rogue domains.

Group-IB researchers discovered connections between the blocked 134 websites involved in the WHO scam and at least 500 other scam and phishing resources impersonating more than 50 well-known international food, sportswear, e-commerce, software, automotive, and energy industry brands. The analysis of websites revealed that the cybercriminals use scam kits. Like phishing kits, scam kits are sets of tools that help create and design scam pages. One scam kit allows impersonating multiple brands at a time using the same template. It is worth noting that after the takedown efforts by UNICC and Group-IB, the scammers stopped using the WHO branding across their entire network.

While analyzing the infrastructure, Group-IB researchers examined the domains and other digital indicators and concluded that the whole network is likely to be maintained and controlled by a scammer collective codenamed DarkPath Scammers. According to Group-IB's estimates, their whole network attracts around 200,000 users daily from the US, India, Russia, and other countries.

"After warning us, we knew Group-IB was the team to deal with this World Health Day scam", says Bojan Simetic, Information Security Specialist, UNICC. "They have the expertise and tools to get the job of takedown done, in short order."

"We are delighted to cooperate with the UNICC in detection and elimination of scams that deceive people into thinking they are dealing with legitimate websites", says Dmitry Tyunkin, Head of Group-IB's Digital Risk Protection team in Amsterdam. "Yet many brands still underestimate the impact of such scams on their businesses and customers. The approach most companies take when tackling brand abuse online can be compared to tilting at windmills: they overlook the continuous trend involving multistage scams and distributed infrastructure."

Media Contact:
Group-IB PR team
+65 3159-3798
[email protected]

SOURCE Group-IB

Related Links

https://www.group-ib.com/

Also from this source

Group-IB wins prestigious Red Dot Design Award with innovative Managed XDR solution

Group-IB wins prestigious Red Dot Design Award with innovative Managed XDR solution

Explore

More news releases in similar topics

PRN Top Stories Newsletters

Sign up to get PRN’s top stories and curated news delivered to your inbox weekly!

Thank you for subscribing!

By signing up you agree to receive content from us.
Our newsletters contain tracking pixels to help us deliver unique content based on each subscriber's engagement and interests. For more information on how we will use your data to ensure we send you relevant content please visit our PRN Consumer Newsletter Privacy Notice. You can withdraw your consent at any time in the footer of every email you'll receive. Mit Ihrer Anmeldung erklären Sie sich damit einverstanden, Inhalte von uns zu erhalten.
Unsere Newsletter enthalten Zählpixel, die die Lieferung einzigartiger Inhalte in Bezug auf das Abonnement und die Interessen der einzelnen Abonnenten ermöglichen. Weitere Informationen über die Verwendung Ihrer Daten im Hinblick auf die Zusendung von relevanten Inhalten, finden Sie in unserer PRN Consumer Newsletter Privacy Notice. Ihre Zustimmung können Sie jederzeit in der Fußzeile jeder erhaltenen E-Mail widerrufen. En vous inscrivant à la newsletter, vous consentez à la réception de contenus de notre part.
Notre newsletter contient des pixels espions nous permettant la fourniture à chaque abonné, d’un contenu unique en lien avec ses souscriptions et intérêts. Pour de plus amples informations sur l’utilisation faite de vos données en vue de l’envoi des contenus concernés, nous vous invitons à consulter la politique de confidentialité disponible à partir du lien suivant PRN Consumer Newsletter Privacy Notice. Vous pouvez à tout moment revenir sur votre consentement par le biais des informations situées au bas de chaque e-mail reçu. Регистрирайки се, Вие се съгласявате да получавате информационно съдържание от нас. Нашите бюлетини съдържат проследяващи пиксели, които ни помагат да предоставяме уникално съдържание въз основа на ангажираността и интересите на всеки абонат. За повече информация относно начина, по който ще използваме Вашите данни, за да гарантираме, че Ви изпращаме подходящо съдържание, моля, направете справка с нашето Уведомление за поверителност на потребителския бюлетин на PRN. Можете да оттеглите съгласието си по всяко време в долния колонтитул на всеки от имейлите, които ще получите.