Executive Summary
Threat:
- The proliferation of games that promise money for correctly predicting colors.
Impact:
- Banking credentials and PII are collected from players.
- Monetary loss.
- Increased risk of social engineering attacks, identity theft, etc.
Mitigation:
- Report the gaming apps and sites to Cyber Crime Cells.
- Awareness campaigns to educate users.
Analysis and Attribution
CloudSEK’s contextual AI digital risk monitoring platform XVigil came across an engagement loop called Color Prediction gaming, a financial scam operating under the pretext of gaming.
Color Prediction platforms promise quick money by letting users place bets and win high returns for predicting the right color.
The scam resembles a Ponzi or pyramid scheme, where the money collected from new players/investors is used to pay profits to early adopters/investors.
60 websites and several social media handles have been identified propagating this scam.
These scams have been prevalent for a long time, and several actors have been arrested for such activities in the past 3 years.
Modus Operandi
Threat actors start by registering multiple domains containing keywords related to color prediction games. This lets them maintain continuity even if a domain is taken down.
Color prediction games are also distributed as mobile apps. However, these are usually not available on official stores such as Google Play or the Apple App Store.
Retail Brand Impersonation
Several well-known retail brand names are abused to gain credibility.
The sites use reputable payment gateways and financial services to appear legitimate.
India-based payment service providers are also used to route payments.
Below is a sample of a malicious website whose jewelry listings are visually identical to those of a legitimate website selling jewelry.
Figure: Fake domain vs. legitimate website. An example of a malicious website that was used in the scam and had the same jewelry listings as the actual website.
Spreading the Scam
Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information refer to the Appendix)
Screenshot of the communication with an influencer
Different Labels, Same Scam
CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
List of keywords used to promote the scam
CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information refer to the Appendix)
Further research on the domains revealed the identities of some of the registered users.
Scam domain displaying the user information
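Added example (not code from the CloudSEK report): a defender-side triage heuristic for newly observed domain names that combines the two patterns described above, the registration of many domains carrying color-prediction keywords such as "mall", "game" and "club", and the abuse of retail brand names. The brand names, TLD list and sample domains are constructed placeholders.

```python
import re
from collections import namedtuple

# Keywords the report says recur in campaign domain names, plus generic
# color-prediction terms. Ordered so that overlapping terms ("color"
# before "win" in "colorwin") are matched and consumed first.
SCAM_KEYWORDS = ("colour", "color", "predict", "mall", "game", "club", "bonus", "win")
WATCHED_BRANDS = ("examplejewels", "acmemart")          # constructed placeholders
CHEAP_TLDS = {"xyz", "top", "club", "vip", "site", "online", "cc", "buzz"}

Finding = namedtuple("Finding", "domain score reasons")

def split_domain(domain):
    """Return (registrable label, tld) for a hostname; crude, no public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def score_domain(domain):
    """Score one domain: +2 per scam keyword, +3 for a brand name embedded in a
    longer label (impersonation), +1 for a cheap TLD. Reasons explain the score."""
    label, tld = split_domain(domain)
    compact = re.sub(r"[^a-z0-9]", "", label)   # drop hyphens/digits separators
    score, reasons, remaining = 0, [], compact
    for kw in SCAM_KEYWORDS:
        if kw in remaining:
            score += 2
            reasons.append("keyword:" + kw)
            remaining = remaining.replace(kw, "#")  # avoid double counting overlaps
    for brand in WATCHED_BRANDS:
        if brand in compact and compact != brand:   # the brand's own domain is not a hit
            score += 3
            reasons.append("brand:" + brand)
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append("tld:" + tld)
    return Finding(domain, score, reasons)

def triage(domains, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    hits = [f for f in (score_domain(d) for d in domains) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)

SAMPLE_DOMAINS = [  # constructed feed of newly registered domains
    "colorwin-mall.xyz", "acmemart-club.top", "examplejewels.com",
    "weather-forecast.org", "predictiongame.vip",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DOMAINS):
        print(f.domain, f.score, ", ".join(f.reasons))
```

Flagged domains are candidates for analyst review and takedown requests, not verdicts: substring matching ("win" inside unrelated words) produces false positives, so the threshold should be tuned against a known-good feed.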
The Game
Once a player registers on a color prediction website or domain, they can earn money by:
Predicting the correct color.
Enrolling additional players for the referral bonus.
Victims begin with a small bet placed on a specific color. If they win, their money is doubled.
This encourages players to increase the value of their bets.
However, once the wallet has been topped up with the player’s money, further withdrawals are blocked.
Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.
Attribution
APKs downloaded from these websites reveal domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
The app code includes a Chinese open-source Android framework named XUpdate.
An article by Telangana Today reported suspicions that the scammers operate from China, since a majority of the victims’ calls were traced to Hong Kong-based numbers.
Similarly, an Indian Express article from August 2020 covered a Rs. 1600 crore scam unearthed by Hyderabad police, in which a Chinese national was arrested. The entire technical operation was purportedly run by directors and partners of the Beijing T Power company.
However, in this case, there is no direct link between the campaign and Chinese entities.
Impact and Mitigation
Impact:
- Such fake applications could be leveraged to deploy malware and spyware.
- Users’ PII, such as bank details, could be leveraged for social engineering attacks and identity theft.
- Significant monetary loss.
Mitigation:
- Report the phishing sites to Cyber Crime Cells.
- Run aggressive awareness campaigns to educate users/customers about ongoing scams.
Social Media Nexus Spreads Color Prediction Games that Defraud Users
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Global