Group-IB uncovers wide-scale phishing campaign

Group-IB has published its research into a wide-scale phishing scheme that sees scammers impersonate one of the manpower agencies in the Kingdom of Saudi Arabia (KSA). In total, analysts from the Group-IB Computer Emergency Response Team (CERT-GIB) and Digital Risk Protection Team based at the company’s Threat Intelligence and Research Center in Dubai, UAE analyzed more than 1,000 rogue domains created to impersonate the manpower provider in question as part of a long-term scam campaign.

Group-IB analysts uncovered how one individual claimed to be offering more than 100 domain names that contained a logical connection to, or a variation of, the brand name in question. In line with Group-IB’s zero-tolerance policy towards cybercrime, Group-IB analysts notified the Saudi Computer Emergency Response Team (CERT-SA), a fellow OIC-CERT member, of their findings to assist their regional partners in taking any relevant action to combat this scheme.

Scam in action

In 2021, more than $55 billion was stolen from victims as a result of scams, according to a Global State of Scam Report that Group-IB contributed to. The need to combat scammers is all the more pertinent given that recent Group-IB research found that scams accounted for 57% of all financially motivated cybercrime, and, according to the Global Anti Scam Alliance, the number of scams is growing more than 10% year on year. The same report also revealed that users in Saudi Arabia are targeted by the most phishing scams in the Middle East.

Domain spoofing, known as the faking of a website or email domain to make malicious sites or emails look credible, has long been a tactic of cybercriminals across the globe, and we are seeing new schemes appearing with alarming regularity. This past July, Group-IB uncovered more than 270 domain names that mimicked over a dozen postal and logistics brands across the Middle East in a separate scam campaign.

However, the postage scam scheme identified by Group-IB has been dwarfed in size by a new wide-scale domain and website spoofing campaign targeting users in Saudi Arabia. Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.

The campaign, which was launched in April 2021, appeared to peak in March 2022, when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme. As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money.

A full breakdown of the scheme’s timeline can be found below:

In April 2022, when the phishing campaign surged, financial bodies in Saudi Arabia warned of a sharp increase in financial fraud in the country in the preceding year. Group-IB analysts assume that the subsequent reduction in the number of new domains registered per month imitating the manpower provider has followed in the wake of warnings to users by financial authorities in Saudi Arabia, government institutions, and the brand itself. However, the creation of 32 new spoof domains in September 2022 alone shows that scammers are still attempting to impersonate the company.

According to Group-IB’s findings, the driving factor for this scam scheme is an unholy alliance between scammers and spoof domain brokers. This alliance sees the brokers purchase the rights to dozens of domain names containing a typographical or phonetic variation of the attacked brand, and offer them for sale at a low price to scammers.

Imitation – the sincerest form of flattery

The URLs and the design of the scam pages created as part of this campaign are intended to convincingly imitate the manpower provider in question and trick users into entering their credentials for banking services and online government portals. The scammers can harvest both login information and two-factor authentication (2FA) codes to gain access and complete fraudulent transactions.

The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone.

To read more news and exclusive features see our latest issue here.

Never miss a story… Follow us on:
LinkedIn Security Buyer
Twitter logo @SecurityBuyer
Facebook @SecbuyerME

Media Contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Tecnosicurezza

Tecnosicurezza Launches AmpliSec

Tecnosicurezza has launched AmpliSec – its first connected high-security electronic locking system designed specifically for safes…
DuoKey at GISEC

A Breakthrough in Fraud Detection at GISEC

DuoKey will unveil its groundbreaking use case for encrypted financial intelligence at GISEC Global in Dubai next week.
Image provided by Veeam

AI and Ransomware: Cutting Through the Hype

Rick Vanover, Vice President Product Strategy, Veeam discusses how It might be the great paradox: Artificial Intelligence (AI)….
Copyright: Security Buyer

AmiViz Partners with Titania

AmiViz announced a strategic distribution agreement with Titania. This collaboration underscores a shared commitment to enhancing…
Copyright: Security Buyer

Facial Recognition: Innovation vs. Accountability

Facial recognition technology is advancing with AI, IoT, and privacy-first security, but regulatory compliance, ethical AI, accountability…
Copyright - Security Buyer

What Is an Access Control Entry? The Security Must-Know for 2025

Discover how access control entry secures businesses with mechanical, digital, biometric, and AI-driven solutions, preventing unauthorised…
Chubbsafes

Chubbsafes Celebrates 190 Years of Heritage, Trust, and Innovation

Chubbsafes proudly marks its 190th anniversary in 2025. Since its first safe patented in 1835, Chubbsafes has become synonymous…
Oil and Gas

Navigating Africa’s Oil & Gas Industry

A comprehensive analysis of security strategies in Africa’s oil and gas industry, covering physical, cyber, and remote surveillance measures.
blackhat

Black Hat Europe Starts Soon

Black Hat Europe starts Monday and now is the perfect time to start planning your experience. With a full lineup of Keynotes…
Scroll to Top