Threat hunting company Group-IB published a report on a new scam scheme that they named “Classiscam.” The report reveals 40 or more groups currently running this scheme across Russia and Europe. The scheme involves a hierarchy of administrators, workers, and callers, who organize their activities through a Telegram bot. The scam itself targets customers of online marketplaces with a combination of baits, messages, and fraudulent sites to steal a victim’s money.

While there seem to be a couple of variations, here is the core of how the scam works: The malicious actors will create a bait ad on a legitimate marketplace, usually offering a high-value technology item with a significant discount. The actor will then send a request to the Telegram bot, which will provide the actor with scam materials for the ad (including a fraudulent payment page). When a potential victim contacts the actor through the marketplace, the actor will attempt to move the conversation to a messaging application like WhatsApp. There, the actor will provide the victim with a link to the fraudulent payment page.

By directing victims to WhatsApp, the actors can bypass any communication protection that the marketplace might otherwise be able to provide (such as flagging or blocking suspicious links). If they get the victim to pay through the fraudulent site, they avoid any payment protection the marketplace may have offered (such as refund on items not delivered).

Commenting on this issue, Otavio Freire, CTO & Co-Founder of SafeGuard Cyber, says: Classiscam highlights the new nature of today’s cyberattacks — social engineering across multiple vectors, in this case mobile apps like WhatsApp and Telegram. We’ve seen similar hacks from North Korean actors across LinkedIn to WhatsApp. It’s clear that security teams need to have controls at the messaging level to detect social engineering language and take quick defensive action.”