A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds, but personal information as well. Researchers at security firm Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed in social media, or with pages displayed in compromised Facebook or YouTube accounts.
The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and (always a warning sign) promises of guaranteed returns. Should the prospect click through to learn more, they find that, for an initial investment of just €250 (roughly $255 USD), they’ll receive a personal investment counselor who will guide them through the process. And they’ll also receive a dashboard they can use to track their investment’s progress.
The scam follows a well-established set of steps:
- The bogus come-on is published on social media.
- The victim is taken to a phony investment website.
- The victim enters personal information in a form on the scam site.
- A call center contacts the victim, offering more information about the fraudulent investment prospectus.
- The victim, after providing more information, is given a login to a site that offers a dashboard of general investment performance.
- The victim makes an initial deposit of €250, and receives an individualized dashboard showing their own investment’s performance (the information displayed there is bogus).
- The victim is urged to invest more money. If the victim asks to cash out, the victim is told more needs to be invested to reach the cash out threshold. This continues until the victim is eventually disillusioned.
The malicious domains–some 5000 of which, Group-IB reports, are still in use–have been employed in a campaign that’s affected victims in Belgium, the Czech Republic, Germany, the Netherlands, Norway, Poland, Portugal, Sweden, and the United Kingdom.
What are some of the red flags? Two stand out in particular: the promise of a guaranteed return, and the assignment of a personal investment counselor to a small investor. The amounts taken initially aren’t large, but the scammers make up for this in volume.
The complex, multistage approach can persuade some who might pride themselves on their resistance to scams. New-school security awareness training focused on social engineering, however, can help inoculate people against this sort of caper by exposing them to it in a convincing yet safe way before they encounter it for real.
BleepingComputer has the story.