Group-IB, UAE Cybersecurity Council reveal scam operation

Group-IB, a global cybersecurity leader headquartered in Singapore, can reveal in coordination with the UAE Cybersecurity Council that the scam-as-a-service operation Classiscam is continuing its worldwide campaign well into 2023. In a new blog, Group-IB analysts detail how the automated scheme uses Telegram bots to assist with the creation of ready-to-use phishing pages impersonating companies in a range of industries, including online marketplaces, classified sites, and logistics operators. These phishing pages are designed to steal money, payment data, and recently in some cases, bank login credentials from unsuspecting internet users.

According to Group-IB’s findings, 251 unique brands in a total of 79 countries were featured on Classiscam phishing pages from H1 2021 to H1 2023. In addition, the phishing templates created for each brand can be localized to different countries by editing the language and currency featured on the scam pages. As a result, one particular logistics brand was impersonated by “Classiscammers” targeting users in as many as 31 countries.

Since the second half of 2019, when the Group-IB Computer Emergency Response Team (CERT-GIB) in cooperation with the company’s Digital Risk Protection unit first identified Classiscam’s operations, 1,366 separate groups leveraging this scheme have been discovered on Telegram. Group-IB experts examined Telegram channels containing information pertaining to 393 Classiscam groups with more than 38,000 members that operated between H1 2020 and H1 2023. During this period, these groups made combined estimated earnings of USD $64.5 million. Group-IB has noted how the threat actors behind Classiscam have worked, since inception, to formalize and expand the scam model’s operations. From 2022 onwards, Classiscammers have introduced new innovations, such as phishing schemes designed to harvest the credentials of victim’s online bank accounts, and some groups have begun to use information stealers.

In line with its mission of combating global cybercrime, Group-IB will continue to share its findings about Classiscam, drawn from the company’s proprietary Digital Risk Protection solution, with law enforcement authorities. The primary aim of this research is to raise public awareness about the latest scamming methods and reduce the number of victims of this scam operation.

Gone global

Classiscam originally appeared in Russia, where the scheme was tried and tested before being launched across the globe. The scam-as-a-service affiliate program surged in popularity in spring 2020 with the emergence of COVID-19 and the subsequent uptick in remote working and online shopping.

Group-IB experts noticed how the scam scheme was exported first to Europe, before entering other global regions, such as the United States, the Asia-Pacific (APAC) region, and the Middle East and Africa (MEA). As of H1 2021, Classiscammers had targeted internet users in 30 countries. Group-IB experts can reveal that, as of H1 2023, this figure has risen to 79. In the same time period, the number of targeted brands on the global market has increased from 38 to 251.

More than 61% of the Classiscam resources analyzed by Group-IB experts that were created between H1 2021 and H1 2023 targeted users in Europe. Other heavily targeted regions were the Middle East and Africa (18.7% of resources) and the Asia-Pacific region (12.2%). A full breakdown of the share of targeted brands by region can be found in Figure 2 (below).

With the MEA region being the second most targeted by Classiscam, countries in the region encountered challenges with targeted brand activities. The UAE was no exception to this, with its emphasis on technological innovation and many large and prominent brands operating in the country.

“In response to the rising amount of cyberattacks in recent years, the UAE has introduced a multifaceted approach to cybersecurity erected by five pillars. By fortifying global collaboration, encouraging Public Private Partnerships (PPPs), reinforcing cybersecurity measures, nurturing innovation, and promoting a cyber-literate society, the UAE is actively remediating the impact of cyber incidents. As the nation propels forward with digital transformation, the emphasis on responsible digitization remains paramount, ensuring a secure and thriving digital landscape” said H.E. Dr. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government.

The average amount lost by Classiscam victims worldwide was $353, users in APAC and MEA were less likely to fall victim to Classiscam schemes, but when they did, they saw greater losses on average.

What’s new?

Classiscam was initially launched as a relatively straightforward scam operation. Cybercriminals created fake ads on classified sites, and leveraged social engineering techniques to trick users into “buying” the falsely-advertised goods or services, whether by transferring money directly to the scammers or by debiting money from the victim’s bank card.

Classiscam operations have become increasingly automated over the past two years. The scheme now utilizes Telegram bots and chats to coordinate operations and create phishing and scam pages in a handful of seconds, and many of the groups offer easy-to-follow instructions, and experts are on hand to help with other users’ questions. A full rundown of how the Classiscam scheme works in practice is provided in the below Figure 6.

Over the past year, Group-IB researchers have seen roles within scam groups become more specialized within an expanded hierarchy. Classiscam phishing pages can now include a balance check, which the scammers use to assess how much they can charge to a victim’s card, and fake bank login pages that they use to harvest users’ credentials. At the time of writing, Group-IB experts found 35 such scam groups that distributed links to phishing pages that include fake login forms for banking services. In total, Classiscam scammers created resources emulating the login pages of 63 banks in 14 countries. Among the targeted banks were those based in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.

“Classiscam shows no sign of slowing down and the ranks of the Classiscammers are continuing to swell. Over the past year, we have seen scam groups adopt a new, expanded hierarchy, and roles within organizations are becoming increasingly specialized. Classiscam will likely remain one of the major global scam operations throughout 2023 due to the scheme’s full automation and low technical barrier of entry,” Sharef Hlal, Head of Group-IB’s Digital Risk Protection Analytics Team (MEA), at Group-IB, said.

Group-IB will continue to monitor global Classiscam campaigns, engaging with both law enforcement and affected brands to assist in efforts to take down these scams. Companies whose brand and likeness are impersonated by scammers are recommended to leverage Digital Risk Protection solutions that can actively monitor, identify, and take down phishing domains.

Read more exclusives and news in our latest issue here.

Never miss a story… Follow us on:
LinkedIn: Security Buyer
Twitter: @SecurityBuyer
Facebook: @Secbuyer

Media Contact
Rebecca Morpeth Spayne,
Managing Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Gallagher

Gallagher Security cultivates key partnerships in Riyadh

Organised in partnership with the New Zealand Embassy, Gallagher Security hosted an event in Riyadh to explore business…
Tecnosicurezza

Tecnosicurezza Launches AmpliSec

Tecnosicurezza has launched AmpliSec – its first connected high-security electronic locking system designed specifically for safes…
EcoOnline

EcoOnline appoints Regional Director

EcoOnline has announced its expansion into the Middle East, reinforcing its commitment to support the region’s industrial…
DuoKey at GISEC

A Breakthrough in Fraud Detection at GISEC

DuoKey will unveil its groundbreaking use case for encrypted financial intelligence at GISEC Global in Dubai next week.
Image provided by SentinelOne

SentinelOne to Spotlight AI-Power at GISEC 2025

SentinelOne announces its participation at GISEC Global 2025 (6-8 May) at the Dubai World Trade Centre. The company will highlight..
Image provided by Intersec

Messe Frankfurt Middle East appoint new Director

Messe Frankfurt Middle East, organisers of Intersec, the event for safety, security and fire protection, and Light + Intelligent Building…
Copyright: Security Buyer

ASIS UK Launches “Security is You(th)” Hackathon

ASIS International UK has launched Security is You(th), an initiative designed to engage students and early-career professionals…
Image provided by Veeam

AI and Ransomware: Cutting Through the Hype

Rick Vanover, Vice President Product Strategy, Veeam discusses how It might be the great paradox: Artificial Intelligence (AI)….
Rasheed Alzahrani

Big Interview – Rasheed Alzahrani

Rasheed Alzahrani, Director of Safety and Security at King Salman Park Foundation, shares insights into innovative safety and security… 
Copyright: Security Buyer

AmiViz Partners with Titania

AmiViz announced a strategic distribution agreement with Titania. This collaboration underscores a shared commitment to enhancing…
Scroll to Top