Resecurity discovered one of the largest investment fraud networks, in terms of both size and volume of operations, designed to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, the United Arab Emirates, Saudi Arabia, Mexico, the United States, and other regions. The bad actors, operating as an organized crime syndicate, built a massive infrastructure to impersonate popular Fortune 100 corporations from the United States and the United Kingdom, using their brands and market reputation to defraud consumers. Once the victims' payments are received, they delete the previously created resources and launch the next campaign, which is why investigators dubbed the group "Digital Smoke".
According to the FTC's most recent report, "The Top Scams of 2022," people reported losing $8.8 billion to scams. The total damage from investment fraud, including Ponzi and pyramid schemes, exceeds $5.8 billion in the United States and more than $77 billion globally (2022), with rapid growth beginning in Q1 2023. Beyond monetary losses, investment fraud causes significant harm to investors: according to a FINRA survey, financial scams lead to health, marital, and trust problems. Businesses suffer significant damage to customer loyalty and brand reputation, affecting sales and market profile in the long run.
Notably, bad actors have impersonated world-renowned brands such as abrdn (UK), BlackRock (US), Baxter Medical (US), EVgo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Velesto Oil (Malaysia), Lloyds Bank (UK), and many more.
The impersonated brands spanned financial services (FIs), oil and gas, renewable energy, EV batteries, electric vehicles, healthcare, semiconductors, and globally recognized investment corporations and funds. In Q4 2022, information about Digital Smoke, including the identities of key actors, was shared with the Indian Cybercrime Coordination Centre and US law enforcement. The majority of the scam projects have since been terminated as a result of coordinated action and numerous domain takedowns.
The group's operating model was centered on investment opportunities in non-existent products and investment plans purportedly offered by Fortune 100 corporations and state-owned entities. The bad actors created a large network of web resources and related mobile applications hosted on bulletproof hosting providers in jurisdictions not easily reachable for immediate takedowns. The number of identified hosts in December 2022 alone exceeded 350, with thousands of related domains used for 'cloaking' (black-hat SEO), hidden redirects, and short URLs that shield the payment gateway used by the fraudsters to collect payments from victims. Notably, the combination of these methods allowed the fraudsters to process funds with great flexibility, including support for Google Pay (GPay), PhonePe, Paytm, and major online-banking platforms.
To attract investors, the bad actors registered multiple fake domain names with spellings similar to the impersonated brands and promoted them via social media and instant messaging apps. Notably, the links used to register new victims included a referral code tied to affiliates promoting the scam on YouTube and WhatsApp. After the victim registers, the bad actors ask them to make a deposit by transferring money to an Indian bank account.
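The two artifacts described above, a lookalike domain and a referral code in the registration link, are what a brand-protection or fraud-intelligence team would triage first. The following is an added example (not Resecurity's tooling or anything from the Digital Smoke infrastructure) that scores a hostname against the brand names mentioned in this article and pulls the affiliate code out of the URL. The brand list is taken from the article; the confusable-character table, the referral parameter names, and every sample URL are constructed assumptions for illustration.

```python
"""Triage registration links for brand impersonation and affiliate referral codes.

Added example, not from the original article. All sample domains below are
constructed for illustration and are not real scam infrastructure.
"""
from urllib.parse import parse_qs, urlsplit

# Brands named in the article, reduced to the bare label a domain would carry.
BRANDS = ["blackrock", "abrdn", "lloydsbank", "velesto", "acwapower",
          "shell", "tata", "eaton"]

# Assumed homoglyph / visually confusable substitutions seen in typosquats.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d",
               "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumed query-parameter names under which an affiliate code might travel.
REFERRAL_KEYS = ("ref", "referral", "invite", "code", "r")


def _normalize(label):
    """Collapse confusables and separators so 'b1ack-r0ck' becomes 'blackrock'."""
    label = label.lower()
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")


def _levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_labels(host):
    """Labels of the host minus the final TLD (approximation; no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return parts[:-1] if len(parts) > 1 else parts


def match_brand(host, max_distance=1):
    """Return (brand, reason) if a label of host impersonates a brand, else None.

    A label that equals the brand exactly is treated as legitimate; the three
    detections are confusable/separator tricks, the brand embedded in a longer
    label (e.g. brand-invest), and small edit-distance typos.
    """
    for label in registrable_labels(host):
        norm = _normalize(label)
        for brand in BRANDS:
            if norm == brand and label != brand:
                return brand, "homoglyph"
            if norm != brand and brand in norm:
                return brand, "brand-embedded"
            if 0 < _levenshtein(norm, brand) <= max_distance:
                return brand, "edit-distance"
    return None


def referral_code(url):
    """Pull an affiliate/referral code from the link, if one of the assumed keys is present."""
    query = parse_qs(urlsplit(url).query)
    for key in REFERRAL_KEYS:
        if key in query:
            return query[key][0]
    return None


def triage(url):
    """Combine both checks into one record suitable for a takedown or blocklist queue."""
    host = urlsplit(url).hostname or ""
    hit = match_brand(host)
    return {"url": url, "host": host,
            "brand": hit[0] if hit else None,
            "reason": hit[1] if hit else None,
            "referral": referral_code(url)}


# Constructed sample links (illustrative only).
SAMPLES = [
    "https://blackr0ck-invest.example/register?ref=AF1123",
    "https://www.blackrock.com/",
    "https://velesto-oil.example/app?invite=TG88",
    "https://lloyds-bank-plan.example/signup?r=wa9",
]

if __name__ == "__main__":
    for record in map(triage, SAMPLES):
        print(record)
```

The "brand-embedded" rule is deliberately greedy: short brand names such as "shell" or "tata" will also match unrelated words, so in practice the output feeds an analyst queue or a certificate-transparency/new-registration watch rather than an automatic block. The referral code is worth recording separately, because the same affiliate identifier tends to recur across the group's successive campaigns even after the domains themselves are burned.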
Notably, Digital Smoke cybercriminals were interested in oil markets and renewable energy products. The impersonators included Shell, Glencore, Ovintiv, and Lukoil, as well as Velesto Oil, a Malaysia-based multinational provider of drilling for the upstream sector of the oil and gas industry. ACWA Power, based in the Kingdom of Saudi Arabia, was identified as one of the most recent brands abused in January 2023.
This aspect distinguishes the campaign: a strong emphasis on oil traders is not a common pretext among investment scammers. In some of the observed scams, the bad actors offered victims the opportunity to invest in new oil fields, the construction of petroleum stations, and renewable energy technologies. It's worth noting that some of the language used in this pretext was lifted from existing investment programs aimed at entrepreneurs and franchisees looking for new business opportunities in the oil and gas industry. This activity is unusual for cybercriminals and may serve as a clear differentiator for the Digital Smoke group. The activity spike occurred during the Christmas and New Year's holiday season, when both Internet users and financial institutions were overwhelmed with logistics and payments. In the first quarter of 2023, the activity continued with newly impersonated brands from other industries, such as semiconductors and EV batteries.
Aside from businesses, the fraudsters had no qualms about targeting state-owned enterprises and using their profiles to defraud users. The India Brand Equity Foundation, a Trust established by the Government of India's Department of Commerce, Ministry of Commerce and Industry, was one of the organizations impersonated by Digital Smoke fraudsters. Following a similar pattern, the bad actors created a number of scams that impersonated government resources in the UAE by imitating the profile of the Minister of State for Foreign Trade.
The Digital Smoke case is noteworthy because it confirms how sophisticated investment scams have become in recent years. The fraudsters put considerable time and effort into creating high-quality resources that look almost identical to their well-known investment product counterparts; in the case of Digital Smoke, they created a separate mobile app with a unique design for each investment scam they ran.
Digital Smoke has clearly demonstrated how bad actors use cross-border payments and multiple jurisdictions to make further investigation, and the identification of those involved, more difficult. Investment fraudsters take advantage of this gap to conceal the origin of the activity and distribute payment flows through multiple merchants and money mules located in different countries. Resecurity discovered a large network of money mules using accounts at multiple Indian financial institutions to process victim payments. The accounts involved in the fraudulent activity were reported to law enforcement.
“Proactive fraud intelligence gathering enables us to protect consumers and keep financial institutions aware of merchants used by cybercriminals. Their timely identification, along with tracking of the involved money mules, helps to minimize the potential damage caused by illicit activity.” – said Christian Lees, Chief Technology Officer (CTO) at Resecurity, Inc.
Notably, legitimate businesses that have been impersonated suffer serious consequences, both to their reputation and to customer loyalty, which is why an effective and ongoing brand protection program is one of the must-have measures for mitigating the side effects of such scams. Business leaders should consider monitoring their brands' online exposure, which includes, but is not limited to, social media, mobile app marketplaces, and instant messaging services.