Category: Adversary Intelligence | Industry: Multiple | Motivation: Financial | Region: Global
Analysis and Attribution
- CloudSEK’s contextual AI digital risk monitoring platform XVigil came across Color Prediction gaming, a financial scam run under the pretext of an online game.
- Color Prediction platforms promise quick money: users place bets on a color and are promised high returns for predicting the right one.
- The scam works like a Ponzi or pyramid scheme: money collected from new players is used to pay “winnings” to early adopters, which keeps the recruitment going.
- About 60 websites and hundreds of social media handles have been identified propagating this scam.
- These scams have been prevalent for a long time, and several actors have been arrested for running them in the past three years.
Modus Operandi
- Threat actors start by registering multiple domains containing keywords related to color prediction games. This lets them keep the operation running even if one domain is taken down: players are simply redirected to the next one.
- Color prediction games are also distributed as mobile apps. However, these are usually sideloaded APKs served from the scam websites, not apps listed on official stores such as Google Play or the Apple App Store.
Retail Brand Impersonation
- Several well-known retail brand names are abused to lend the sites credibility.
- The sites integrate reputable payment gateways and financial services so that the deposit flow looks legitimate.
- India-based payment service providers are also used to route the funds.
- Below is a sample of a malicious website whose jewelry listings are visually identical to those of a legitimate jewelry retailer.
Fake domain vs. legitimate website: an example of a malicious site used in the scam, displaying the same jewelry listings as the real retailer.
Spreading the Scam
- Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
- CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
- Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information refer to the Appendix)
![Screenshot of the communication with an influencer](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d48236634fd331318_word-image-20091-3-1.png)
Different Labels, Same Scam
- CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
![List of keywords used to promote the scam](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d4823660729331315_word-image-20091-4-1.png)
- CloudSEK researchers identified about 60 such websites and hundreds of social media handles.
- Information from a sensitive source indicated that one such website had around 560 registered users. (For more information refer to the Appendix)
- Further research on the domains exposed the identities of some of the registered users, since the sites leaked user information.
![Scam domain displaying the user information](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d482366624c331316_word-image-20091-5-1.png)
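The keyword-driven domain registration described under Modus Operandi and the “mall”, “game” and “club” labels above lend themselves to a simple hunting rule: score every newly observed domain by the scam vocabulary it contains and cluster the hits by keyword fingerprint, which surfaces the “different labels, same scam” pattern. The script below is an added example, not CloudSEK’s tooling; the keyword weights, the threshold and the `.example` feed are constructed for illustration and are not real indicators.

```python
"""Keyword-based hunt for colour-prediction scam domains.

Added example, not CloudSEK's tooling. SAMPLE_FEED stands in for a feed of newly
observed domains (e.g. certificate-transparency or passive-DNS output).
"""
from collections import defaultdict

# Vocabulary seen on the scam sites; the weights are an assumption for illustration.
KEYWORDS = {
    "color": 2, "colour": 2, "prediction": 2, "predict": 1,
    "mall": 1, "game": 1, "club": 1, "win": 1, "lucky": 1, "earn": 1,
}
THRESHOLD = 3  # assumption: tune against your own feed

# Constructed sample feed (not real indicators).
SAMPLE_FEED = [
    "colorpredictionmall.example",
    "luckywinclub.example",
    "mall-game-color.example",
    "shop.example",
    "winmall.example",
    "colourgame.example",
]


def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (score, matched keywords) for one domain, ignoring the TLD."""
    name = ".".join(domain.lower().split(".")[:-1])  # drop the TLD label
    # Substring match: scam names concatenate words without separators.
    hits = [kw for kw in KEYWORDS if kw in name]
    # "predict" is a substring of "prediction"; count only the longer match.
    if "prediction" in hits and "predict" in hits:
        hits.remove("predict")
    return sum(KEYWORDS[k] for k in hits), sorted(hits)


def hunt(feed, threshold: int = THRESHOLD):
    """Flag domains whose keyword score reaches the threshold, highest first."""
    flagged = []
    for domain in feed:
        score, hits = score_domain(domain)
        if score >= threshold:
            flagged.append((domain, score, hits))
    return sorted(flagged, key=lambda t: -t[1])


def cluster_by_keywords(flagged):
    """Group flagged domains that share the same keyword fingerprint."""
    groups = defaultdict(list)
    for domain, _, hits in flagged:
        groups[tuple(hits)].append(domain)
    return dict(groups)


if __name__ == "__main__":
    flagged = hunt(SAMPLE_FEED)
    for domain, score, hits in flagged:
        print(f"{score:2d}  {domain:32s}  {','.join(hits)}")
    for fingerprint, domains in cluster_by_keywords(flagged).items():
        print(fingerprint, "->", domains)
```

Plain substring matching is deliberately crude: it is fast enough to run over a full CT-log stream, and false positives (a real shopping mall) are cheap to discard by hand, whereas a missed registration costs a takedown cycle. The clusters are the useful output; a run of domains sharing one fingerprint registered within days of each other is the continuity trick described above.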
The Game
- Once a player registers on a color prediction website, they are told they can earn money in two ways:
- Predicting the correct color.
- Enrolling additional players for a referral bonus.
- Victims begin with a small bet on a specific color. If they win, their stake is doubled and the winnings can be withdrawn.
- Early, small payouts encourage players to raise the value of their bets and top up their wallets.
- However, once the wallet has been topped up with a larger sum, further withdrawals are blocked and the balance is never returned (see the Appendix for a case where returns on later deposits were denied).
- Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.
Attribution
- APKs downloaded from these websites contain domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some of the IP addresses can also be mapped to China.
- The app code includes XUpdate, a Chinese open-source Android app-update framework.
- An article by Telangana Today reported a suspicion that the scammers operate from China, since the majority of calls made to victims were traced to Hong Kong-based numbers.
- Along similar lines, an Indian Express article from August 2020 described a Rs. 1,600 crore scam unearthed by Hyderabad police in which a Chinese national was arrested. The entire technical operation was purportedly run by the directors and partners of a Beijing T Power company.
- However, in the present campaign no direct link to Chinese entities has been established; the hosting, library and press reports are circumstantial.
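The two attribution signals above, host names embedded in the APK and the XUpdate package marker, both fall out of a first-pass static triage that needs nothing more than unzipping the APK and scanning its contents. The script below is an added example, not CloudSEK’s analysis tooling. It builds a stand-in APK in memory from constructed bytes so that it runs offline; the XUpdate package path `com/xuexiang/xupdate` is the library’s real package, but the assumption that the string survives in `classes.dex` only holds when the app has not been obfuscated.

```python
"""Offline first-pass triage of a colour-prediction APK.

Added example, not CloudSEK's tooling. Extracts host names from every file in
the archive and checks classes.dex for the XUpdate package marker. The sample
APK is constructed in memory; real triage would open the file downloaded from
the scam site.
"""
import io
import re
import zipfile

# Package path of XUpdate (github.com/xuexiangjys/XUpdate) as it appears in DEX
# class descriptors, e.g. "Lcom/xuexiang/xupdate/XUpdate;". Assumption: the app
# is not obfuscated, otherwise this string may be absent.
XUPDATE_MARKER = b"com/xuexiang/xupdate"

# Host part of any http(s) URL found in raw bytes.
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def build_sample_apk() -> bytes:
    """Constructed stand-in for a downloaded APK: a zip with a fake classes.dex."""
    dex = (b"dex\n035\0"
           b"Lcom/xuexiang/xupdate/XUpdate;"
           b"https://api.colorgame.example/v1/update"
           b"https://cdn.colorgame.example/app.apk"
           b"http://pay.example/gateway")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest stub>")
        z.writestr("classes.dex", dex)
        z.writestr("res/raw/config.json", b'{"base":"https://api.colorgame.example"}')
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the unique hosts referenced by the APK and whether XUpdate is present."""
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        raise ValueError("not a zip/APK archive")
    hosts = set()
    uses_xupdate = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            hosts.update(h.decode("ascii") for h in HOST_RE.findall(data))
            # Library markers live in the DEX class tables, so only look there.
            if name.endswith(".dex") and XUPDATE_MARKER in data:
                uses_xupdate = True
    return {"hosts": sorted(hosts), "uses_xupdate": uses_xupdate}


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print("XUpdate present:", report["uses_xupdate"])
    for host in report["hosts"]:
        print("host:", host)
```

The host list is the hand-off to the next step: resolve each name and map the addresses to their ASN, which is how the Alibaba Cloud association in the Appendix is made. That lookup is deliberately not part of the offline example. If the marker is missing but the app still self-updates, assume string encryption or renaming and fall back to decompiling the DEX rather than concluding the library is absent.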
Appendix
![The scam website with 560 users](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d48236694e933131b_word-image-20091-6-1.png)
![Static code analysis revealing ‘Xupdate’ used for developing APK](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d482366858c33131d_word-image-20091-7-1.png)
![Association with Alibaba Cloud Computing(Beijing) Co. Ltd](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d482366a689331317_word-image-20091-8-1.png)
![Returns on later investments being denied](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d4823663841331319_word-image-20091-9-1.png)
![Youtube tutorials for developing platforms](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d482366d7e633131a_word-image-20091-10-1.png)
Platforms where users could download the source code and create their own color prediction games
Telegram channels
![Screenshot of Telegram channels](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d48236621da331327_word-image-20091-15-1.png)
![Facebook being used to promote the campaigns](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d482366105033131f_word-image-20091-16-1.png)
![Youtube being used to promote the campaigns](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63bead0d48236697ce331322_word-image-20091-21.png)