Date: 2022-12-04

In Russia, fraud cases have appeared in which people pose as delivery service couriers and ask for money for the treatment of children. A Moscow resident who encountered this new method of deception told Izvestia about one such case. Izvestia found out why such messages should not be taken at face value, how to respond to them, and whether a fraudster can be distinguished from a real person who needs help.

Request in messenger

According to the woman who spoke to Izvestia, a man recently wrote to her and introduced himself as a courier who, a few months earlier, had allegedly delivered her an order from a popular online clothing store. In the message he gave her home address and said that his child was seriously ill and that he urgently needed money for an operation. The man said that the operation could be done free of charge under compulsory medical insurance, but that the wait would allegedly be more than six months.

The man ignored the request to provide documents, and after she offered to tell him about free ways to have the operation done, he stopped responding to messages. Search engines list the “courier’s” number under “telephone fraud”.

According to experts interviewed by Izvestia, such messages are not necessarily fraudulent. Sometimes people in trouble are ready to ask anyone for help. But in this case the man’s refusal to provide documents and answer other questions is alarming.

“Scammers use many ways to deceive people involved in charity,” says the Group-IB Information Security Incident Response Center. “The simplest is to create a clone site of a foundation or a group on social networks: they use a similar logo, corporate colors and content, and launch contextual advertising and search engine promotion. Donors come in, read the calls for help, spread the information and even transfer money using the details given there.”

Another common pattern: attackers write in private messages, introduce themselves as a friend, a courier or a charitable foundation, tell their story and ask for help. Sometimes (as was most likely the case with our reader) they use data from leaked databases to learn more about a person, which makes it easier to gain that person’s trust.

“When you receive such a message, it is important to be vigilant. It is better to call back once more, clarify, ask for documents, and contact the charitable foundation. If you decide to transfer money, be sure to check who the payment is intended for and whether that matches the documents,” the company advises.

Database

In the summer of 2022, Group-IB Threat Intelligence analysts recorded a twofold increase in the number of databases of Russian companies that ended up in open access, compared with the spring of this year. 140 databases appeared online, with a total of 304 million rows.

According to Moshelovka platform coordinator Evgenia Lazareva, fraudsters often offer current employees of banks, medical organizations, hotels, online stores, delivery services, mobile operators, and even law enforcement agencies the chance to “earn extra money” by leaking databases to which they have access. Sometimes they ask them to quickly “look up” information about a person: to check the status of that person’s accounts, recent transactions or the dates on which contracts were concluded.

“The cost of a database is quite high and varies with the number of rows, the level of detail and the reliability of the data. ‘Looking up’ a client costs on average from 300 to 500 rubles per person,” says Lazareva. “Disciplinary sanctions are unable to stop this practice: the income from a ‘leak’ directly depends on the risk taken by the person who leaks the information. Therefore, the amount of possible profit will always compensate for the threat of any disciplinary and administrative measures.”

However, Semyon Botalov, a junior analyst at the Public Leak Research Group and the IM Department of Threat Intelligence Group-IB, notes that leaks do not always reach scammers from insiders: the most popular method is to use special programs to scan servers and search for vulnerabilities, and then extract the data.

Where are the databases used?

According to Botalov, fraudsters try to use all of the leaked data (email addresses and their passwords, phone numbers) for further schemes and cyberattacks.

For example, a malicious link can be sent to the email address of an ordinary user or a company employee. The password can be used to try to access other accounts, as most users prefer to use the same password for all sites. Phone numbers are usually used for calls in which the attackers pose as bank employees and try to steal money from cards.

“If your data has ended up in such a database, it is better to change all the passwords on your accounts that could be compromised and to be more vigilant,” the Izvestia interlocutor advises.

Evgenia Lazareva urges people not to take on trust any messages from unfamiliar contacts, or calls even from known numbers: scammers easily spoof them through special services. Any information that the consumer did not request should always be verified.

“If you get a call from a bank, it is almost 100% certain to be a fraudulent attack. It is worth ending such a conversation and calling your bank back yourself at the phone number indicated on the card or in the contract,” says the Moshelovka coordinator.

It is also better to block all suspicious messages in instant messengers or social networks immediately: these communication channels are used for fake fundraisers, phishing mailings and additional collection of information about a potential victim.

Courier fraud

As for fraud methods associated specifically with the delivery of goods, the most common ones usually take place without the participation of couriers, says Evgeny Egorov, leading analyst at the Digital Risk Protection Group-IB Department. Attackers look for buyers through popular sites (social networks, instant messengers, free ad sites), offer them some popular product, and then send a link to a phishing resource to pay for delivery. A person enters the card details there, and money is debited from the card. This is how the popular “Mammoth” scam works.

Fraud scenarios where couriers are actually involved occur much less frequently, as this carries great risks for the “executor”. This usually happens when the organization itself, from which the goods were ordered, carries out dubious activities.

“The peak of fraudulent schemes with ‘deliveries’ came in 2020, when people were in self-isolation and ordered goods and groceries at home,” says Egorov. “Now more and more new attackers are involved in such schemes, so it cannot be said that fraud is losing its relevance. In addition, the schemes have already gone beyond Russia, and the tools for carrying them out have been automated using Telegram bots.”

To protect yourself from such criminals, the expert advises always checking the domain name of the site where you are asked to pay for delivery: it must match the legitimate one. You also need to check the domain registration date through Whois services: if the domain was created quite recently, the site may be fake.

“If you are going to order a product in an unknown online store, it is better to first read reviews about this organization on other resources,” the expert concludes.
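
The two checks the expert describes (does the payment link's domain match the legitimate one, and how recently was the domain registered according to Whois) can be automated. The Python below is an added example, not part of the original article; the domains, the WHOIS text and the 180-day threshold are constructed assumptions.

```python
import re
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed WHOIS response for a made-up domain (not real registry output).
SAMPLE_WHOIS = """\
Domain Name: SHOP-EXAMPLE-DELIVERY.TEST
Registrar: Example Registrar (constructed)
Creation Date: 2022-11-20T09:14:02Z
Registry Expiry Date: 2023-11-20T09:14:02Z
"""

# Field names differ between registries; "Creation Date" and "created" are two common ones.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|created):\s*(\d{4}-\d{2}-\d{2})", re.I | re.M)

def host_matches(url, legit_domain):
    """True only if the link's host is the legitimate domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    legit = legit_domain.lower()
    return host == legit or host.endswith("." + legit)

def domain_age_days(whois_text, today):
    """Days since registration, or None when no creation date is present."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return (today - created).days

def assess_payment_link(url, legit_domain, whois_text, today, min_age_days=180):
    """Return warning strings; min_age_days is an assumed cut-off for 'quite recently'."""
    warnings = []
    if not host_matches(url, legit_domain):
        warnings.append("host is not the legitimate domain")
    age = domain_age_days(whois_text, today)
    if age is None:
        warnings.append("no registration date found")
    elif age < min_age_days:
        warnings.append(f"domain registered only {age} days ago")
    return warnings

if __name__ == "__main__":
    # The legitimate name appears only as a prefix of a different, newly registered domain.
    link = "https://shop.example.shop-example-delivery.test/pay?order=1"
    print(assess_payment_link(link, "shop.example", SAMPLE_WHOIS, date(2022, 12, 4)))
```

The host comparison is done on the parsed hostname rather than on the raw link text, so a legitimate name placed at the start of a longer domain or before an `@` sign does not pass.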