Malware Intelligence
mins read

Social Media Nexus Spreads Color Prediction Games that Defraud Users

Social Media Nexus Spreads Color Prediction Games that Defraud Users

July 28, 2022
Green Alert
Last Update posted on
February 3, 2024
Don't let your brand be used to trap users through fake URLs and phishing pages

Identify and counter malicious links and phishing attempts effectively with CloudSEK XVigil Fake URLs and Phishing module, bolstering your defense against cyber threats

Schedule a Demo
Table of Contents
Author(s)
No items found.

 

Category:

Adversary Intelligence

 Industry:

Multiple

 Motivation:

Financial

 Region:

Global

Executive Summary

THREAT IMPACT MITIGATION
  • The proliferation of games that promise money for correctly predicting colors.
  • Banking credentials and PII are collected from players.
  • Monetary loss.
  • Increases risk of social engineering attacks, identity theft, etc.
  • Report the gaming apps and sites to Cyber Crime Cells.
  • Awareness campaigns to educate users.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil came across an engagement loop called Color Prediction gaming, a financial scam functioning under the pretext of gaming.
  • Color Prediction based platforms promise quick money by allowing users to place bets and win good returns for predicting the right color.
  • The scam is similar to Ponzi/ pyramid scheme, where the money collected from new players/ investors is used to pay profits to early adopters/investors.
  • 60 websites and several social media handles have been identified propagating this scam.
  • These scams have been prevalent for a long time and several actors have been arrested for such activities in the past 3 years.

Modus Operandi

  • Threat actors start by registering multiple domains, which contain keywords related to color prediction games. This allows them to maintain continuity even if a domain is taken down.
  • Color prediction games are also available as mobile apps. However, they are usually not available on verified stores like Google Play or Apple iOS App store.

Retail Brand Impersonation

  • Several well-known retail brand names are abused in order to gain credibility.
  • The sites use reputable payment gateways and financial services, to appear legitimate.
  • India-based payments service providers are also used to route payments.
  • Below is the sample of a malicious website having visually identical jewelry listings as that of a legitimate website selling jewelry.

Fake Domain

Legitimate website
An example of a malicious website that was utilized in the scam and had the same jewelry listings as the actual website

Spreading the Scam

  • Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
  • CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
  • Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information refer to the Appendix)
Screenshot of the communication with an influencer
Screenshot of the communication with an influencer

 

Different Labels, Same Scam

  • CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
List of keywords used to promote the scam
List of keywords used to promote the scam

 

  • CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
  • Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information refer to the Appendix)
  • Further research on the domains revealed the identities of some of the registered users.
Scam domain displaying the user information
Scam domain displaying the user information

 

The Game

  • Once a player registers on a color prediction website or domain, they can earn money by:
    • Predicting the correct color.
    • Enrolling additional players for the referral bonus.
  • Victims begin with a small bet placed on a specific color. If they win the bet, their money is doubled.
  • This encourages players to increase the value of their bets.
  • However, the wallet, once topped up with the player’s money, is blocked from additional withdrawals.
  • Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.

Attribution

  • APKs downloaded from these websites reveal domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
  • The app code includes a Chinese open source Android framework named XUpdate.
  • An article by Telangana Today revealed a suspicion of the scammers operating from China, considering a majority of the victims’ calls were traced from Hong Kong-based numbers.
  • On similar lines, an article in Indian Express, in August 2020 unveiled a scam of Rs. 1600 crore unearthed by Hyderabad police, where a Chinese national was arrested. The entire technical operation was purportedly run by Beijing T Power company directors and partners.
  • However, in this case, there is no direct link between the campaign and Chinese entities.

Impact and Mitigation

Impact Mitigation
  • Such fake applications could be leveraged to deploy malware and spyware.
  • Users’ PII, such as bank details, could be leveraged for social engineering attacks and identity theft.
  • Significant monetary loss.
  • Report the phishing sites to Cyber Crime Cells.
  • Run aggressive awareness campaigns to educate users/ customers about ongoing scams.

References

Appendix

The scam website with 560 users
The scam website with 560 users

 

Static code analysis revealing ‘Xupdate’ used for developing APK
Static code analysis revealing ‘Xupdate’ used for developing APK

 

Association with Alibaba Cloud Computing(Beijing) Co. Ltd
Association with Alibaba Cloud Computing(Beijing) Co. Ltd

 

Returns on later investments being denied
Returns on later investments being denied

 

Youtube tutorials for developing platforms
Youtube tutorials for developing platforms

 

 

Images of platforms where users could download the source code and create their own color prediction games

Images of telegram channels

Screenshot of Telegram channels
Screenshot of Telegram channels

 

Facebook being used to promote the campaigns
Facebook being used to promote the campaigns

 

Facebook being used to promote the campaigns

Youtube being used to promote the campaigns
Youtube being used to promote the campaigns

 

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
Malware
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

min read

Social Media Nexus Spreads Color Prediction Games that Defraud Users

Social Media Nexus Spreads Color Prediction Games that Defraud Users

Authors
Co-Authors
No items found.

 

Category:

Adversary Intelligence

 Industry:

Multiple

 Motivation:

Financial

 Region:

Global

Executive Summary

THREAT IMPACT MITIGATION
  • The proliferation of games that promise money for correctly predicting colors.
  • Banking credentials and PII are collected from players.
  • Monetary loss.
  • Increases risk of social engineering attacks, identity theft, etc.
  • Report the gaming apps and sites to Cyber Crime Cells.
  • Awareness campaigns to educate users.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil came across an engagement loop called Color Prediction gaming, a financial scam functioning under the pretext of gaming.
  • Color Prediction based platforms promise quick money by allowing users to place bets and win good returns for predicting the right color.
  • The scam is similar to Ponzi/ pyramid scheme, where the money collected from new players/ investors is used to pay profits to early adopters/investors.
  • 60 websites and several social media handles have been identified propagating this scam.
  • These scams have been prevalent for a long time and several actors have been arrested for such activities in the past 3 years.

Modus Operandi

  • Threat actors start by registering multiple domains, which contain keywords related to color prediction games. This allows them to maintain continuity even if a domain is taken down.
  • Color prediction games are also available as mobile apps. However, they are usually not available on verified stores like Google Play or Apple iOS App store.

Retail Brand Impersonation

  • Several well-known retail brand names are abused in order to gain credibility.
  • The sites use reputable payment gateways and financial services, to appear legitimate.
  • India-based payments service providers are also used to route payments.
  • Below is the sample of a malicious website having visually identical jewelry listings as that of a legitimate website selling jewelry.

Fake Domain

Legitimate website
An example of a malicious website that was utilized in the scam and had the same jewelry listings as the actual website

Spreading the Scam

  • Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
  • CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
  • Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information refer to the Appendix)
Screenshot of the communication with an influencer
Screenshot of the communication with an influencer

 

Different Labels, Same Scam

  • CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
List of keywords used to promote the scam
List of keywords used to promote the scam

 

  • CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
  • Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information refer to the Appendix)
  • Further research on the domains revealed the identities of some of the registered users.
Scam domain displaying the user information
Scam domain displaying the user information

 

The Game

  • Once a player registers on a color prediction website or domain, they can earn money by:
    • Predicting the correct color.
    • Enrolling additional players for the referral bonus.
  • Victims begin with a small bet placed on a specific color. If they win the bet, their money is doubled.
  • This encourages players to increase the value of their bets.
  • However, the wallet, once topped up with the player’s money, is blocked from additional withdrawals.
  • Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.

Attribution

  • APKs downloaded from these websites reveal domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
  • The app code includes a Chinese open source Android framework named XUpdate.
  • An article by Telangana Today revealed a suspicion of the scammers operating from China, considering a majority of the victims’ calls were traced from Hong Kong-based numbers.
  • On similar lines, an article in Indian Express, in August 2020 unveiled a scam of Rs. 1600 crore unearthed by Hyderabad police, where a Chinese national was arrested. The entire technical operation was purportedly run by Beijing T Power company directors and partners.
  • However, in this case, there is no direct link between the campaign and Chinese entities.

Impact and Mitigation

Impact Mitigation
  • Such fake applications could be leveraged to deploy malware and spyware.
  • Users’ PII, such as bank details, could be leveraged for social engineering attacks and identity theft.
  • Significant monetary loss.
  • Report the phishing sites to Cyber Crime Cells.
  • Run aggressive awareness campaigns to educate users/ customers about ongoing scams.

References

Appendix

The scam website with 560 users
The scam website with 560 users

 

Static code analysis revealing ‘Xupdate’ used for developing APK
Static code analysis revealing ‘Xupdate’ used for developing APK

 

Association with Alibaba Cloud Computing(Beijing) Co. Ltd
Association with Alibaba Cloud Computing(Beijing) Co. Ltd

 

Returns on later investments being denied
Returns on later investments being denied

 

Youtube tutorials for developing platforms
Youtube tutorials for developing platforms

 

 

Images of platforms where users could download the source code and create their own color prediction games

Images of telegram channels

Screenshot of Telegram channels
Screenshot of Telegram channels

 

Facebook being used to promote the campaigns
Facebook being used to promote the campaigns

 

Facebook being used to promote the campaigns

Youtube being used to promote the campaigns
Youtube being used to promote the campaigns