Thursday, 25 April 2024

Tracking the tracker: a case study of profiling a scam website

by David Barnett, Tom Ambridge and Bryan Cheah

BLOG POST

In Q1 2024, Stobbs investigated a large-scale scam campaign, utilising large numbers (potentially several thousands) of fake websites impersonating a large number of well-known brands. The scam was found to be associated with a central fake shipping tracking website, which was investigated in detail in partnership with a number of targeted brand owners, as part of a referral to law enforcement.

The scam site was found to host over 900,000 individual, victim-specific pages, requesting that the recipient makes payment for delivery of their item. Across the duration of the campaign - which has been active for over three years - the site has been used to attempt to steal almost $77 million. Assuming a success rate of between 0.1% and 1% for a typical phishing scam, this single site may have generated between $77,000 and $770,000 for the fraudsters.

It has also proved possible to extract the distinct contact e-mail addresses utilised by the fraudsters on the individual pages of the site. In total, 485 unique addresses were used, utilising a mixture of webmail providers and other host domains. The most frequently used address was utilised on over 195,000 pages on the website, and the 'longest-lived' e-mail address began utilisation in August 2022, and was still in use at the time of analysis. In general, multiple e-mail addresses were in use at any given time.

This article was first published on 24 April 2024 at:

https://www.iamstobbs.com/opinion/tracking-the-tracker-a-case-study-of-profiling-a-scam-website

* * * * *

WHITE PAPER

Introduction

In Q1 2024, Stobbs investigated a large-scale scam campaign, which utilised large numbers (potentially several thousands) of fake websites impersonating a large number of well-known brands. The scam was found primarily to be targeting brands in the consumer goods industries, and made use of domains featuring the name of the targeted brand, usually together with a country name (in English or local language), and also sharing other registration and hosting characteristics.

As part of the investigation, involving a partnership with a number of brand customers as part of a referral to law enforcement, the campaign was found also to be associated with a central fake shipping tracking website (anonymised in this study as ***track.com) hosting a large number of victim-specific scam pages soliciting for payments (Figure 1). Test purchases revealed that, following the placing of an order from any of the initial lookalike websites, the customer was sent an email containing a link to the scam site, purportedly as a means of 'tracking' their delivery. Further in-depth investigation also revealed the use of a second related site (tracking***.com).

Figure 1: Example of a user-specific page on the scam tracking website

The URL of each scam page on the initial identified site included a string of digits, identical to the purported 'tracking number' displayed on the page, giving a URL of the form: https://***track.com/pid/xxxxxxx. Further analysis showed that modification of the string of digits produced URLs resolving to additional pages hosted on the same site. An initial check of 100 consecutive ID-numbers, surrounding the example identified initially (ID-number 13437xx), showed that 35 (i.e. 35%) of the associated URLs generated live scam pages, displaying requested payment amounts of between $9.99 and $207.72.

The inactive ID-numbers generated a page displaying the message "we could not find the order, maybe you have used the different email address?" [sic].

Analysis

In order to gain an overview of the potential scale (in terms of end-to-end time-window and total financial impact) of the scam, we carried out a further analysis of the range of content available, by varying the string of digits at the end of the URL.

Table 1 shows the dates on which each 100,000th ID-number (or the first subsequent example corresponding to an active scam page) appears to have been used, based on the 'date of payment' shown on the page - noting that the ID-numbers appear to have been used in ascending order over time.

ID-number
                                		 Date
                                		 Amount requested
on page (US$)
                                		 Days since
previous 100,000th
ID-number
                                
1 21-Jan-2021 100.00 -
100000 25-Oct-2021 125.98 277
200002 16-Dec-2021 10.00 52
300000 25-Feb-2022 68.52 71
400000 18-Mar-2022 34.99 21
500000 02-Apr-2022 43.00 15
600000 15-Apr-2022 34.95 13
700000 30-Sep-2022 100.00 168
800000 20-Nov-2022 119.85 51
900000 29-Mar-2023 69.00 129
1000002 13-Aug-2023 115.00 137
1100000 05-Sep-2023 90.00 23
1200000 18-Oct-2023 12.50 43
1300007 12-Jan-2024 72.50 86
1400010 23-Feb-2024 50.00 42

Table 1: Data for the first active scam page in each block of 100,000 ID-numbers

As of the date of initial analysis (15-Mar-2024), the scam was still ongoing, with ID-number 1447000 used on that date. It is also noteworthy that the style of the pages changed slightly over time; many of the earliest examples included no personal or contact details, whereas the later ones referenced named recipients and included a contact telephone number and e-mail address.

As a deeper dive, we next considered the set of all 100,000 candidate URLs with ID-numbers between 1300000 and 1399999 (the '13xxxxx' block). This block of ID-numbers covered a six-week period between 12-Jan-2024 and 23-Feb-2024. Within this block of URLs, 31,646 (of the 100,000, i.e. 31.6%) were found to resolve to active scam pages, with an average of 745 pages utilised each day (Figure 2). The currency was requested in US$ in all but four cases (which instead used GBP). The average amount requested per page was US$59.50, meaning that a total of US$1.88 million was requested through the scam site over the six-week period (i.e. US$44,000 per day) (Figure 3).

Figure 2: Daily numbers of active pages utilised on the scam site during the six-week period covering the block of 13xxxxx ID-numbers

Figure 3: Daily total amounts of payment requested through the scam site during the six-week period covering the block of 13xxxxx ID-numbers

It is also informative to compare these statistics with those for the 5xxxxx block of ID-numbers, which covered the shortest time duration of any 100,000 block (just 13 days). One possible explanation for the shorter duration of this block would be if a smaller proportion of the ID-numbers within the range were used for active scams, but the analysis shows this is not the case. Rather, actually a larger proportion (69,963, or 70.0%) were associated with active pages, showing that this period exhibited a significantly higher rate of scam activity. At this time, the scam appears to have been targeting a wider geographical range of victims (with 64,937 of the pages requesting amounts expressed in US$, 3,500 in EUR, and the remainder in five additional currencies (AUD, GBP, NZD, CAD and DKK). Over this period, on average 5,700 active scam pages were utilised per day, requesting an average (with all amounts converted to US$) of US$93.55 per instance. The average total amount requested per day was over US$530,000, or a total of over US$6.5 million over the 13-day period.

For additional comparison purposes, we also consider the first block of 100,000 ID-numbers (referred to as the '0xxxxx' block, although in practice the URLs do not incorporate leading zeroes in the ID-number string), which actually covers the longest duration (around 9 months) of any block. Within this block, 72,569 (72.6%) of the ID-numbers were found to be associated with active scam pages (262 pages per day), requesting an average of US$78.73 each (i.e. over US$20,000 per day, or US$5.7 million over the period). Across the duration of usage of this block, significant variability in activity levels was identified (Figure 4).

Figure 4: Daily total amounts of payment requested through the scam site during the nine-month period covering the block of 0xxxxx ID-numbers

More generally, patterns of usage of the site have changed significantly over its full period of activity. Figure 5 shows heat maps representing the total numbers of active scam pages in each 'sub-block' of 50 adjacent ID-numbers, for the three blocks of 100,000 considered in this first part of the study (with darker shades of red denoting that a greater proportion of the ID-numbers in each sub-block were utilised for active scam pages). The high-level trends are that, earlier in the campaign: (a) a greater proportion of the available ID-numbers were being utilised (shown by the fact that the top and middle figures appear darker overall than the bottom one); and (b) there was a greater degree of variability in the extent of use of the available ID-numbers over time (shown by the marked alternation between dark and light areas in the top figure).

Figure 5: Heat maps showing the total numbers of active scam pages in each 'sub- block' of 50 adjacent ID-numbers (with darker shades indicating greater utilisation of the available set of ID-numbers), for the 0xxxxx (top), 5xxxxx (middle) and 13xxxxx (bottom) blocks of 100,000 ID-numbers

In order to produce an initial estimate of the total scale of the scam, based on this sampling exercise, we might extrapolate the numbers presented above to assume that, across the full duration of utilisation of the site, approximately 50% of the possible available ID-numbers were utilised for active scam pages, requesting an average of $50 per instance (potentially both somewhat conservative estimates). On this basis we would determine that, since January 2021, the site has been used to attempt to steal 1.4 million (the ID-number range covered to date) × 50% × US$50 = approximately US$35 million.

Instead, it is also possible to carry out a full formal analysis, inspecting all possible 1.5 million ID-numbers used to-date (requiring a longer run time for the automated analysis tool). The overall findings from this piece of research are shown in Figures 6 and 7.

Figure 6: Daily numbers of active pages utilised on the scam site during the full duration of its period of use (vertical lines show the boundaries between the blocks of 100,000 ID-numbers)

Figure 7: Daily mean payment requested per individual scam page, during the full duration of the period of use of the scam site

Overall, 900,640 active scam pages were identified (out of a range of 1,465,505 - the final ID-number to have been used on the date on which this second stage of analysis was carried out (25-Mar-2024) - i.e. 61.5%). The average amount of payment requested per page was in fact US$85.33, or a total of US$76,848,200. Amongst the other trends noted are the facts that: (a) there tends to be a drop-off in daily activity following the transition from one block of 100,000 ID-numbers to the next, in many cases; and (b) there was a large spike in requested payment on 15-Sep-2022, a date on which there were a significant number of pages requesting very large amounts of money in each individual instance (up to US$20,004 in one case), with an average per page for that day of $3,698.31, or a daily total of $5,699,098.22).

The full version of the utilisation heat map (of which extracts were shown in Figure 5) is shown in Figure 8.

Figure 8: Heat map showing the total numbers of active scam pages in each 'sub-block' of 50 adjacent ID-numbers (with darker shades indicating greater utilisation of the available set of ID-numbers), for the full range of of utilised ID-numbers (thicker lines show the boundaries between the blocks of 100,000 ID-numbers)

As the next phase of the deep dive (and to provide information to accompany the referral to law enforcement), we ran an analysis of all 900,640 active scam pages, to extract the contact e-mail address given in each case. This analysis required a more sophisticated approach than that used to extract the payment amount shown on each page (which appeared in plain text in the HTML), as the e-mail addresses were dynamically generated in each case using a Javascript function intended to prevent automated scraping. Accordingly, it was necessary to use a more technical approach involving explicit inspection of webpage elements.

The obvious assumption is that each e-mail address is under the direct control of the scammers, since this represents one of their primary means of being able to receive communications from the victims of the scam. However, many of the e-mail addresses use what appear to be wholely unrelated usernames or host domains, suggesting that they may in these cases be associated with compromised domains, or even just have been given as 'dummy' contact details. However, it does seem reasonable to assume that at least those e-mail addresses used most frequently across the duration of the scam campaign are likely to directly pertain to the underlying fraudsters.

In total, 485 unique e-mail addresses were found to have been utilised on the pages of the scam site. In total 2,290 of the pages did not give any contact e-mail address, mostly in the early phases of the campaign, between January 2021 and February 2022. The e-mail addresses used a mixture of webmail providers and third-party host domains (Table 2).

Host domain
                                                                		 No. of instances
                                
  gmail.com 185
  hotmail.com 11
  icloud.com 7
  protonmail.com 6
  outlook.com 6
  yahoo.com 6
  proton.me 4
  kerdxcorp.[TLD] 4
  aussieblueterpenes.[TLD] 3
  mail.com 3
  multiqulo.[TLD] 2
  snifffr.[TLD] 2
  pm.me 2
  emailfashionhypexyz.[TLD] 2
  babylonsciences.[TLD] 2
  globalpaymentgroup.[TLD] 2
  naturecan.[TLD] 2
  aol.com 2
  securetranz.[TLD] 2
  lakime.[TLD] 2
  vapelab.[TLD] 2
  vapeyou.[TLD] 2
  mrnino.TLD] 2
  wholeearthgifts.[TLD] 2

Table 2: All host domains (obfuscated in some cases) used more than once in the set of 485 distinct contact e-mail addresses used on the scam site

E-mail address
                                                          		 No. of times utilised
                                        
  c***@my-ordersupport.[TLD] 195,030
  b***@gmail.com 98,741
  k***@gmail.com 41,977
  s***@kaylahost.[TLD] 34,604
  s***@cratesoftwarehouse.[TLD] 34,430
  g***@gmail.com 31,052
  m***@gmail.com 25,036
  s***@gmail.com 24,671
  d***@gmail.com 18,872
  s***@snifffr.[TLD] 18,130

Table 3: The top ten most frequently used individual e-mail addresses (obfuscated), across the full duration of the scam

Figure 9 shows a 'timeline' view of when (i.e. in which month) each of the top 80 most frequently used e-mail addresses were utilised. The colour shading denotes the number of unique pages on which the e-mail address in question appeared, within each month.

Key:

Figure 9: Number of pages on which each of the top 80 most frequently-used e-mail addresses (obfuscated) appeared, within each calendar month (with one calendar year shown in each part of the figure)

The 'longest-lived' (though not one of the top 80 most frequently used) e-mail address in the whole dataset (l***@securetranz.[TLD]) was utilised over a total period with a duration of 20 months, between August 2022 and March 2024 (i.e. was still in use at the time of analysis). It was used at least once in all but one month (January 2024) during that period, being utilised 534 times in total.

Discussion

The success rates of phishing scams are difficult to quantify, and there is a wide range of relevant published statistics. The number of click-throughs for a typical phishing campaign may be as high as 18% (based on 2021 data)[1], though it is not necessarily the case that every recipient who receives and clicks on a link will ultimately lose money to the scam. A 2022 study by the US Internet Crime Complaint Center[2,3] reported approximately 300,000 phishing victims in the US, from a global number of (what were described as) phishing 'attacks' of approximately 500 million[4]. This is markedly different from the value of approximately 5 million attacks reported by APWG[5] - referring to the number of distinct reported phishing sites - and appears instead to relate to the total number of (blocked instances of) attempts to access fraudulent sites, as reported by Kaspersky for the same period[6]. If, therefore, we assume a conservative figure (particularly given the fact that this campaign appears to be specifically targeted, with the scam pages personalised to the recipient) for the success rate of the campaign of between 0.1% and 1% (i.e. between one in a thousand and one in a hundred of those individuals targeted by the scam will ultimately have experienced a financial loss), the total funds successfully stolen through this single scam site since the start of 2021 may be in the range of US$77,000 to US$770,000.

References

[1] https://www.stationx.net/phishing-statistics/

[2] https://www.ic3.gov/Media/PDF/AnnualReport/2022State/StateReport.aspx

[3] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

[4] https://www.forbes.com/advisor/business/phishing-statistics/

[5] https://docs.apwg.org/reports/apwg_trends_report_q4_2023.pdf

[6] https://www.kaspersky.com/about/press-releases/2023_the-number-of-phishing-attacks-doubled-to-reach-over-500-million-in-2022

This article was first published as an e-book on 24 April 2024 at:

https://www.iamstobbs.com/tracking-the-tracker-ebook

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Unregistered Gems Part 6: Phonemizing strings to find brandable domains

Introduction The UnregisteredGems.com series of articles explores a range of techniques to filter and search through the universe of unregis...