An extensive investment fraud campaign has been discovered that aims to defraud internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, the United Arab Emirates, Saudi Arabia, Mexico, the US and other regions.
Dubbed “Digital Smoke” by researchers at Resecurity, the campaign involves a massive infrastructure designed to impersonate popular Fortune 100 corporations from the US and the UK and con users out of money. Once payments are collected from the victims, the threat actors abandon previously created resources and set up the next new campaign, hence the name “Digital Smoke”.
Digital Smoke lured potential victims with investment options in non-existent products and investment plans supposedly offered by the Fortune 100 corporations and state-owned entities.
Most of the identified fraudulent projects were related to financial services, oil and gas, renewable energy, EV batteries, electric vehicles, healthcare, semiconductors, and world-recognized investment corporations and funds with global presence. Among those impersonated were well-known brands like ABRDN (UK), BlackRock (US), Baxter Medical (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Valesto Oil (Malaysia), and Lloyds Bank (UK).
The majority of domain names and hosting platforms used by the threat actors were registered via Alibaba (China); however, the scammers were primarily targeting India.
Threat actors behind the campaign created a large network of websites and related mobile applications hosted on bulletproof hosting services.
The term “bulletproof hosting” refers to hosting services that are considerably lenient about the kinds of material they allow their customers to upload and distribute. Bulletproof hosting services are often found in countries with more relaxed laws about what type of content is hosted on these servers and with less strict extradition laws, which makes it easier to evade law enforcement.
Resecurity says that the total number of the identified hosts in December 2022 alone exceeded 350, with thousands of domains used for cloaking, hidden redirects and protection of the payment gateway used by fraudsters to collect payments from victims leveraging AliPay and Unified Payments Interface (UPI) payment platforms.
“The Digital Smoke case is somewhat remarkable and may confirm how investment scams have now become more sophisticated than before,” Resecurity noted. “Legitimate businesses who were impersonated also suffered serious damages, both reputationally and from a customer loyalty perspective - that's why an effective and ongoing brand protection system is one of the must-have solutions to minimize the negative side effects of such scams. Business leaders should consider monitoring the exposure of their brands online including but not limited to social media, mobile marketplaces, and instant messaging services.”