According to researchers at Group-IB, the multi-stage phishing attack exploited the credibility of Russian Internet portal Rambler to trick users into participating in a fictitious "Like of the Year 2020" contest.
The development is a reminder that rewards-based social engineering campaigns continue to be an effective means to scam users, and to turn the collected data to the scammers' financial advantage.
Under the "Like of the Year" scheme, users were invited to win a large cash prize and were told they had been randomly selected after liking a post on social media platforms such as VKontakte.
The invites were sent in an email blast from the hacked mail servers of a fiscal data operator, a legal entity created to aggregate, store and process fiscal data to serve the Federal Tax Service of Russia.
Apart from sending emails, the fraudsters also delivered the phishing messages by sending cash prize alerts as Google Calendar events, a new trend in social engineering.
"With the default calendar settings, invitation data is automatically added to it along with a reminder," Group-IB researchers highlighted. "That way, any Google Calendar user can send event invitations to other Gmail users, even if they're not in their address books. As a result, the victim will receive a notification of the creation of a new event by mail."
Whichever of the two ways was used to reach Runet users on behalf of the online portal, unsuspecting recipients who clicked the link were redirected to a bait website.
This website not only congratulates the victim on winning the fake contest and a cash prize ranging from $100 to $2,000 but also offers to let them redeem the money online.
However, when a user attempts to proceed, the site tells them that they can't receive money in U.S. dollars and offers to convert it into rubles through an online currency exchange service, for which they need to pay a small fee of approximately 270 rubles.
Once users agree to pay the commission and fall for the bait, the site redirects them to another attacker-controlled phishing site purporting to be a payment gateway, where they are asked to enter details such as card number, expiration date, and the CVV number, resulting in the theft of card data.
"The scammers really write off the 'commission,' but their main goal is card data," the researchers concluded.
Group-IB said "Like of the Year" is just one of six different fraud campaigns that operate under the same modus operandi, including payments from a non-existent "Video Blogging Fund" and financial protection centers.
Each of these schemes was found to operate 100 to 350 domains, with the Like campaign alone accounting for more than 1,000 domains, most of which have since been blocked.
Rambler, for its part, is said to have warned public email services in the country about the attack, proactively asking them to mark those fraudulent emails as spam.
It's a known fact that criminals are continually finding new ways to trick users into revealing their information. If anything, the attack stresses the need to be vigilant when it comes to opening emails and attachments from unknown senders.
Furthermore, turning on two-step authentication, disabling the option to automatically add events from Gmail to Google Calendar, and scrutinizing the addresses in links can go a long way towards improving cyber hygiene.
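For mail or calendar pipelines that see raw invites, the calendar vector described above can be triaged automatically. The following is an added example, not code from Group-IB or Rambler: it unfolds an iCalendar invite, extracts the organizer and any link hosts, and flags invites from organizers outside the recipient's address book that link to untrusted hosts. The sample invite, the addresses, and the names `triage_invite` and `trusted_hosts` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not campaign data); hosts use the reserved .example TLD.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Prize Desk:mailto:promo@contest-mail.example\r\n"
    "SUMMARY:You have won a cash prize\r\n"
    "DESCRIPTION:Claim your reward here: https://prize-claim.exam\r\n"
    " ple/win?id=1\\nOffer expires today.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s\\<>\"]+", re.IGNORECASE)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}


def unfold(ics):
    """Undo RFC 5545 folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def triage_invite(ics, address_book, trusted_hosts=frozenset()):
    """Flag an invite whose organizer is unknown and that links to untrusted hosts."""
    known = {a.lower() for a in address_book}
    organizer, hosts = None, set()
    for line in unfold(ics):
        # Simplification: assumes no ':' inside quoted parameter values.
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()
        if prop == "ORGANIZER":
            organizer = re.sub(r"^mailto:", "", value.strip(), flags=re.I).lower()
        elif prop in TEXT_PROPS:
            for url in URL_RE.findall(value):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host)
    untrusted = sorted(h for h in hosts if h not in trusted_hosts)
    organizer_known = organizer in known
    return {
        "organizer": organizer,
        "organizer_known": organizer_known,
        "link_hosts": sorted(hosts),
        "suspicious": bool(untrusted) and not organizer_known,
    }


if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, {"colleague@corp.example"}))
```

The link in the sample description is deliberately folded across two lines, so a scanner that skips the unfolding step would extract a truncated host.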