Group-IB, a global cybersecurity leader headquartered in Singapore, in coordination with the UAE Cybersecurity Council, has today published a new research blog outlining a fake investment scam that is targeting users across the globe. In total, experts from Group-IB’s Digital Risk Protection team uncovered almost 900 unique scam pages leveraged by the cybercriminals behind this still-ongoing scheme. Links to these scam pages were contained in Facebook advertisements purchased by the scammers, and the text of these posts offered users the opportunity to invest in one of 35 market-leading companies from 13 countries. This text was often accompanied by an image bearing the logo of the impersonated company. In total, 60% of the scam pages created in this scheme, which peaked in activity in December 2022, targeted users from the Middle East and Africa (MEA) region. Based on Group-IB’s estimations, this scam campaign caused roughly $280,000 in financial damages for internet users between March and June 2023.
Group-IB has a zero-tolerance policy to cybercrime, and the company blocked all discovered scam pages that contained the brand name or likeness of Group-IB clients. In order to investigate this scam campaign, Group-IB analysts used the company’s proprietary Digital Risk Protection platform, leveraging its AI technology and highly accurate logo analysis and text recognition features. The company’s researchers are continuing to monitor this scam scheme amid the continued uptick in the number of retail investors and, subsequently, investment scams.
The core aim of the cybercriminals behind this campaign is financial gain, as they leverage sophisticated social engineering techniques to exploit individuals’ vulnerabilities and inherent trust in well-known brands. Group-IB researchers first began tracking this scam scheme in June 2022, when the campaign burst into life, although there is evidence to suggest that the scammers purchased a small portion of the domains used to host scam sites as early as 2020.
Figure 1. Overview of investment scam.
In total, 884 unique scam pages were created and registered by the scammers since the start of the campaign. The peak in activity was registered in December 2022, when 308 new pages were created. Throughout the entire duration of the scam campaign, 60% of scam pages targeted users in the MEA region, with the bulk of these adverts containing text written in the Arabic language. Users in Latin America were targeted on 9.2% of the scam pages, and 4.8% of scam pages were geared towards users in the Asia-Pacific region, while 25% of the resources had no specific geographic focus.
Of the scam pages discovered during this campaign, 30% impersonated legitimate financial and insurance companies, a sector that lends itself seemingly easily to investment opportunities. Other highly targeted sectors were transportation (25% of all scam pages), stock trading (8.6%), oil and gas (5.3%), and construction (5.3%).
Group-IB researchers estimated the potential financial losses from this campaign over a four-month period to amount to $280,000. This figure was drawn from an analysis of activity on several of the scam sites leveraged between March and June 2023.
H.E. Dr. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government, said: “As technology continues to advance, so do its risks. Our eagerness to adopt new innovative technologies in the pursuit of advancement has made us an attractive target for cyber criminals. However, we’ve been resilient in the face of these challenges, learning invaluable lessons and placing cyber literacy as a priority. The UAE Cybersecurity Council has been dedicated to enhancing cybersecurity awareness and fortifying the digital landscape, contributing significantly to reducing the influence of scammers. The UAE, a leader in the cybersecurity space, stands as a prime example with its cutting-edge infrastructure and comprehensive strategy to bolster digital defenses. Agility in swiftly addressing emerging threats is paramount in today’s dynamic cyber landscape.”
A typical victim will first encounter this scam by seeing an advertisement placed by the cybercriminals on their social media feeds. Group-IB researchers found adverts placed in multiple languages, most notably English, Arabic, and Spanish. On Arabic-language advertisements and scam sites created for this campaign, the scammers entice individuals with claims that they could earn millions by investing a mere $200. These adverts may also use the words “news”, “media”, “investment”, and “digital”, either in English or in Arabic. Spanish-language adverts, such as the one shown in Figure 2, offer users the chance to earn money each month.
Figure 2. Example of Spanish-language Facebook advertisement used in this campaign.
If the user clicks on the advertisement, they are redirected to a scam page that contains the logo and branding of a prominent company and implores the user to register for a chance to make quick, easy money by investing. The scammers request the user’s name, email address, and phone number.
Figure 3. Example of an Arabic-language scam page offering users the opportunity to invest in a prominent MEA company.
Once the user has completed this form, they will receive daily emails claiming to be from a trading portal. These emails implore the user to sign up for the chance to begin trading stocks, and the first email contains an account number, login information, password, and server name for their supposed account on this platform. Users are then urged to deposit money into their trading account to begin buying stocks.
Figure 4. Example of email urging potential victims to invest.
If, after a period of time, the user does not place a deposit, they will receive a call from a person claiming to be a customer service representative. This individual begins pressuring the victim to deposit funds, promising the chance to earn immediate dividends. Should the victim agree, they are asked for information about their bank card, desired investment amount and place of residence. Additionally, they will then receive an email asking for their ID and passport. Group-IB researchers examined multiple user testimonies of the investment portal posted online. Users frequently complain that representatives of the portal stop communicating once they transfer money. Users are also blocked on messaging platforms once they request a refund.
“Retail investing is becoming increasingly popular among individuals who are looking for ways to diversify their income, but this has created opportunities for cybercriminals to exploit this trend. This particular scam is notable as the cybercriminals leverage multiple communication channels, such as email and direct phone calls, as part of their social engineering efforts. Investment scams have the potential to cause great financial damage to victims, given the potential large sums of money involved, and we urge individuals to never share personal information or money with third parties unless you are certain of their legitimacy,” Sharef Hlal, Head of Group-IB’s Digital Risk Protection Analytics Team, MEA, said.