Short Summary
The Recorded Future Payment Fraud Intelligence team has uncovered the ERIAKOS campaign, a sophisticated scam e-commerce network targeting Facebook users. Detected on April 17, 2024, this campaign involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data, primarily from mobile users. The report emphasizes the need for financial institutions to block suspicious merchant accounts and monitor transactions closely to mitigate risks.
Key Points
- Campaign Name: ERIAKOS campaign
- Detection Date: April 17, 2024
- Number of Fraudulent Websites: 608
- Target Audience: Facebook users
- Tactics Used: Brand impersonation and malvertising
- Access Method: Mobile devices via ad lures
- Risks for Financial Institutions: Chargeback disputes and irrecoverable losses
- Recommended Mitigation Strategies:
  - Blacklist suspicious merchant accounts
  - Monitor customer transactions
  - Encourage customers to report suspicious activities
- Indicators of the Scam:
  - Content Delivery Network: oss[.]eriakos[.]com
  - Domain Registrar: Alibaba Cloud Computing Ltd
  - Consistent IP Addresses: 47[.]251[.]129[.]84 and 47[.]251[.]50[.]19
  - Domain Misconfiguration Issues
- Outlook: Advanced screening techniques may challenge current detection technologies.
MITRE ATT&CK TTPs – created by AI
- T1071.001 – Application Layer Protocol: Web Protocols
  - Procedure: The ERIAKOS scam campaign utilized web protocols to host and distribute fraudulent e-commerce websites. The campaign exploited legitimate content delivery networks (CDNs) like oss[.]eriakos[.]com to deliver scam content to victims via mobile browsers when accessed through ad lures on social media platforms like Facebook.
- T1078 – Valid Accounts
  - Procedure: The scam campaign likely created numerous fraudulent merchant accounts to process transactions. These accounts were established through major card networks and Chinese payment service providers (PSPs), such as AQAPAY and Hui, to steal payment card data and personal information from victims.
- T1190 – Exploit Public-Facing Application
  - Procedure: Threat actors exploited public-facing applications by creating fake e-commerce websites that impersonated popular brands. These websites included limited-time offers and other tactics to create a sense of urgency among potential victims.
- T1566.002 – Phishing: Spearphishing via Service
  - Procedure: The campaign disseminated scam websites via Facebook Ads, leveraging malvertising tactics to reach a broad audience. The ads featured user testimonials and other social proof elements to lure victims into interacting with the fraudulent sites.
- T1102.001 – Web Service: Domain Fronting
  - Procedure: The scam websites used domain fronting techniques to evade detection. They targeted mobile users who accessed the sites via specific ad lures, blocking access from desktop browsers or direct URL inputs unless the request imitated a mobile device’s user-agent and referrer headers from Facebook.
- T1484.001 – Domain Policy Modification: Domain Trust Modification
  - Procedure: The domains linked to the scam campaign were registered through Alibaba Cloud Computing Ltd. d/b/a HiChina, and the scam websites were often misconfigured with their www subdomains under Cloudflare, further complicating detection and attribution efforts.
Recorded Future's Payment Fraud Intelligence team has identified a scam e-commerce network, named the ERIAKOS campaign, targeting Facebook users. This campaign, detected on April 17, 2024, involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data. Notably, the scam websites were accessible only via mobile devices and ad lures, likely to evade automated scanners. Recorded Future recommends blocklisting suspicious merchant accounts and closely monitoring customer transactions. The use of advanced screening techniques in this campaign suggests a growing trend that might challenge current detection technologies.
ERIAKOS Scam Campaign: Unveiling a Complex Web of Fraud
On April 17, 2024, Recorded Future's Payment Fraud Intelligence team uncovered a network of 608 scam e-commerce websites, orchestrated by a single threat actor or group, targeting Facebook users. Named the ERIAKOS campaign after the CDN used (oss[.]eriakos[.]com), these scam sites employed brand impersonation and malvertising tactics to steal victims’ financial and personal data. These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems and our first direct observation of such a TTP.

This sophisticated campaign exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook. This strategic move significantly reduced the likelihood of detection by automated scanners. Merchant accounts linked to these scam websites processed payments through major card networks and Chinese PSPs, adding another layer of complexity to the fraud.
Financial institutions are at risk of financial fraud, including chargeback disputes and irrecoverable losses. Impersonated businesses face reputational damage, particularly among defrauded victims. To mitigate these risks, Recorded Future advises blacklisting the suspicious merchant accounts identified in the report and monitoring transactions for potential fraud indicators.
Mitigation Strategies
To combat this threat, financial institutions should:
- Identify and blacklist merchant accounts associated with the scam domains.
- Block customer transactions with these merchants.
- Monitor historical transaction data to detect potential exposure to these scams.
- Encourage customers to report suspicious websites and transactions.
- Share scam website leads with Recorded Future for broader threat identification.
- Leverage Recorded Future Payment Fraud intelligence (PFI) to detect and mitigate possible scam websites using the PFI common-point-of-purchase (CPP) dataset.
- Leverage Recorded Future Brand Intelligence to detect and mitigate brand impersonation threats.
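The first three recommendations above (blacklist the merchant accounts, block live transactions with them, and look back through historical transactions for exposure) can be operationalized as a small screening step on the issuer side. The following Python is an added example, not code from the Recorded Future report. The report lists the actual merchant accounts; this page does not, so the merchant IDs below are labelled placeholders, the `Transaction` record layout is an assumption, and the sample transactions are constructed.

```python
"""Screen card transactions against merchant accounts tied to scam storefronts.

Added example, not from the Recorded Future report. Merchant identifiers are
PLACEHOLDERS (the real ones are in the report, not on this page); the record
layout and the sample transactions are assumptions/constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    card_token: str        # tokenised PAN, never the raw card number
    merchant_id: str       # acquirer merchant ID (MID) seen in authorisation
    descriptor: str        # free-text merchant descriptor shown on the statement
    amount: float
    posted: date


def normalize_descriptor(desc: str) -> str:
    """Fold case, whitespace and trailing store/terminal numbers so that
    'BRAND OUTLET SALE  #0042' and 'brand outlet sale' compare equal.
    Scam merchants often resurface under a new MID with the same descriptor."""
    desc = re.sub(r"[#*]\s*\d+\s*$", "", desc)      # strip trailing '#0042' / '*12'
    return re.sub(r"\s+", " ", desc).strip().lower()


@dataclass(frozen=True)
class MerchantBlocklist:
    mids: frozenset[str]
    descriptors: frozenset[str]   # stored already normalised

    @classmethod
    def build(cls, mids, descriptors) -> "MerchantBlocklist":
        return cls(frozenset(mids), frozenset(normalize_descriptor(d) for d in descriptors))

    def reason(self, txn: Transaction) -> str | None:
        """Why a transaction matches: exact MID first, then descriptor match."""
        if txn.merchant_id in self.mids:
            return "mid"
        if normalize_descriptor(txn.descriptor) in self.descriptors:
            return "descriptor"
        return None


def screen(txns: list[Transaction], blocklist: MerchantBlocklist) -> list[tuple[str, str]]:
    """Real-time decision per transaction: ('block', reason) or ('allow', '')."""
    decisions: list[tuple[str, str]] = []
    for t in txns:
        reason = blocklist.reason(t)
        decisions.append(("block", reason) if reason else ("allow", ""))
    return decisions


def historical_exposure(txns: list[Transaction], blocklist: MerchantBlocklist) -> dict[str, dict]:
    """Look back over posted transactions: per matched merchant, which cards
    were exposed, the total charged, and the first/last posting date."""
    exposure: dict[str, dict] = {}
    for t in txns:
        if blocklist.reason(t) is None:
            continue
        entry = exposure.setdefault(
            t.merchant_id, {"cards": set(), "total": 0.0, "first": t.posted, "last": t.posted}
        )
        entry["cards"].add(t.card_token)
        entry["total"] = round(entry["total"] + t.amount, 2)
        entry["first"] = min(entry["first"], t.posted)
        entry["last"] = max(entry["last"], t.posted)
    return exposure


# PLACEHOLDER identifiers: substitute the merchant accounts from the report.
BLOCKLIST = MerchantBlocklist.build(
    mids={"MID-PLACEHOLDER-001", "MID-PLACEHOLDER-002"},
    descriptors={"BRAND OUTLET SALE"},
)

# Constructed sample transactions.
SAMPLE_TXNS = [
    Transaction("t1", "tok_a1", "MID-PLACEHOLDER-001", "BRAND OUTLET SALE #0042", 39.99, date(2024, 4, 2)),
    Transaction("t2", "tok_b2", "MID-PLACEHOLDER-001", "brand outlet sale", 59.50, date(2024, 4, 9)),
    Transaction("t3", "tok_a1", "MID-OTHER-777", "Brand  Outlet Sale *12", 24.00, date(2024, 4, 15)),
    Transaction("t4", "tok_c3", "MID-LEGIT-100", "LEGIT STORE", 12.00, date(2024, 4, 16)),
]

if __name__ == "__main__":
    for t, (decision, why) in zip(SAMPLE_TXNS, screen(SAMPLE_TXNS, BLOCKLIST)):
        print(f"{t.txn_id} {t.merchant_id:<20} {decision} {why}")
    for mid, e in historical_exposure(SAMPLE_TXNS, BLOCKLIST).items():
        print(f"{mid}: {len(e['cards'])} card(s), {e['total']:.2f} total, {e['first']}..{e['last']}")
```

The descriptor fallback is what catches transaction `t3`: a new MID that the blocklist has never seen, but the same storefront descriptor. The exposure view is the input for the customer-outreach step the list recommends (contact the exposed cardholders and encourage them to report).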
For consumers, the following precautions are recommended:
- Only provide personal and payment information on secure, trusted websites.
- Research companies thoroughly before making purchases.
- Verify the legitimacy of e-commerce websites and their payment subdomains.
- Be cautious of unsolicited communications or advertisements.
- Report any scams to your card issuer and the Better Business Bureau (BBB).
Technical Analysis
Recorded Future identified four key indicators linking the 608 domains to the ERIAKOS campaign:
- Content Delivery Network: All scam sites used oss[.]eriakos[.]com.
- Domain Registrar: Domains were registered with Alibaba Cloud Computing Ltd.
- IP Addresses: Two specific IP addresses (47[.]251[.]129[.]84 and 47[.]251[.]50[.]19) were consistently used.
- Domain Misconfiguration: The scam domains exhibited specific misconfigurations between their main domains and www subdomains.
These indicators, combined with merchant account data, enabled Recorded Future to map the full extent of the scam network. The use of Chinese PSPs to process payments further complicated the detection and takedown efforts.
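The four indicators above are pivots that a threat-intel or fraud team can apply to its own candidate domains. The following Python is an added example and not Recorded Future's tooling: it takes the indicator values published on this page, refangs them, and scores enrichment records for candidate domains, keeping only those that hit more than one indicator (a registrar alone is far too common to be attributive). The `DomainRecord` field layout, the sample records, and the way "misconfiguration between main domain and www subdomain" is operationalized (apex on a campaign IP while www resolves elsewhere, reflecting the page's note that the www hosts often sat under Cloudflare) are assumptions.

```python
"""Correlate candidate domains against the four ERIAKOS linking indicators.

Added example (not from the Recorded Future report). The indicator values are
the ones published on the page; the DomainRecord fields, the sample records
and the operationalisation of "www misconfiguration" are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator (47[.]251[.]129[.]84) back into a usable value."""
    return ioc.replace("[.]", ".")


# Indicators exactly as published on the page, kept defanged in source.
ERIAKOS_CDN = refang("oss[.]eriakos[.]com")
ERIAKOS_IPS = frozenset({refang("47[.]251[.]129[.]84"), refang("47[.]251[.]50[.]19")})
# Registrar is named as "Alibaba Cloud Computing Ltd." d/b/a HiChina; accept either form.
ERIAKOS_REGISTRAR_KEYWORDS = ("alibaba cloud computing", "hichina")


@dataclass(frozen=True)
class DomainRecord:
    """Enrichment for one candidate domain (field layout is an assumption)."""
    domain: str
    apex_a: frozenset[str]        # A records of the bare domain
    www_a: frozenset[str]         # A records of the www subdomain
    registrar: str                # WHOIS/RDAP registrar string
    asset_hosts: frozenset[str]   # hosts the storefront's page assets load from


def match_indicators(rec: DomainRecord) -> list[str]:
    """Return the names of the four ERIAKOS indicators this domain hits."""
    hits: list[str] = []
    # 1. Content delivery network: page assets served from oss.eriakos.com.
    if ERIAKOS_CDN in {h.lower() for h in rec.asset_hosts}:
        hits.append("cdn")
    # 2. Registrar: Alibaba Cloud Computing Ltd (HiChina).
    reg = rec.registrar.lower()
    if any(k in reg for k in ERIAKOS_REGISTRAR_KEYWORDS):
        hits.append("registrar")
    # 3. Hosting: the apex resolves to one of the two campaign IPs.
    on_campaign_ip = bool(rec.apex_a & ERIAKOS_IPS)
    if on_campaign_ip:
        hits.append("ip")
    # 4. Apex/www misconfiguration. Approximated (assumption) as: apex on a
    #    campaign IP while www resolves to different infrastructure.
    if on_campaign_ip and rec.www_a and not (rec.www_a & ERIAKOS_IPS):
        hits.append("www_misconfig")
    return hits


def cluster(records: list[DomainRecord], min_hits: int = 2) -> dict[str, list[str]]:
    """Keep domains hitting at least min_hits indicators; a single shared
    indicator (e.g. a popular registrar) is too weak to attribute."""
    out: dict[str, list[str]] = {}
    for rec in records:
        hits = match_indicators(rec)
        if len(hits) >= min_hits:
            out[rec.domain] = hits
    return out


# Constructed sample enrichment. 198.51.100.x / 203.0.113.x are documentation
# ranges standing in for third-party hosting; the domain names are placeholders.
SAMPLE_RECORDS = [
    DomainRecord(
        domain="brand-outlet-sale.example",
        apex_a=frozenset({"47.251.129.84"}),
        www_a=frozenset({"198.51.100.7"}),       # stand-in for a proxied www host
        registrar="Alibaba Cloud Computing Ltd. d/b/a HiChina",
        asset_hosts=frozenset({"oss.eriakos.com", "brand-outlet-sale.example"}),
    ),
    DomainRecord(
        domain="partial-overlap.example",
        apex_a=frozenset({"47.251.50.19"}),
        www_a=frozenset({"47.251.50.19"}),
        registrar="Alibaba Cloud Computing Ltd.",
        asset_hosts=frozenset({"partial-overlap.example"}),
    ),
    DomainRecord(
        domain="legit-store.example",
        apex_a=frozenset({"203.0.113.10"}),
        www_a=frozenset({"203.0.113.10"}),
        registrar="Example Registrar LLC",
        asset_hosts=frozenset({"cdn.legit-store.example"}),
    ),
]

if __name__ == "__main__":
    for domain, hits in cluster(SAMPLE_RECORDS).items():
        print(f"{domain}: {', '.join(hits)}")
```

Raising `min_hits` to 3 drops `partial-overlap.example`, which shares only hosting and registrar with the campaign; in practice the threshold is tuned against known-good domains on the same cloud provider, since the two IP addresses and the registrar are shared infrastructure rather than something unique to the actor.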
Outlook
The ERIAKOS campaign's use of advanced screening techniques to evade detection signals a potential trend in scam tactics. If these methods become more widespread, current detection technologies may struggle to identify and mitigate similar threats, leading to prolonged scam lifespans and increased victim exposure.
To read the entire analysis, click here to download the report as a PDF.
Source: Original Post