Social Media Nexus Spreads Color Prediction Games that Defraud Users

Published on July 28, 2022

Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Global

Executive Summary

Threat
  • The proliferation of games that promise money for correctly predicting colors.

Impact
  • Banking credentials and PII are collected from players.
  • Monetary loss.
  • Increased risk of social engineering attacks, identity theft, etc.

Mitigation
  • Report the gaming apps and sites to Cyber Crime Cells.
  • Awareness campaigns to educate users.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil came across an engagement loop called Color Prediction gaming, a financial scam functioning under the pretext of gaming.
  • Color Prediction based platforms promise quick money by allowing users to place bets and win good returns for predicting the right color.
  • The scam works like a Ponzi/pyramid scheme: money collected from new players/investors is used to pay profits to early adopters/investors.
  • 60 websites and several social media handles have been identified propagating this scam.
  • These scams have been prevalent for a long time and several actors have been arrested for such activities in the past 3 years.

Modus Operandi

  • Threat actors start by registering multiple domains, which contain keywords related to color prediction games. This allows them to maintain continuity even if a domain is taken down.
  • Color prediction games are also distributed as mobile apps. However, they are usually not available on verified stores such as Google Play or the Apple App Store; they are downloaded directly from the scam websites.

Retail Brand Impersonation

  • Several well-known retail brand names are abused in order to gain credibility.
  • The sites use reputable payment gateways and financial services to appear legitimate.
  • India-based payment service providers are also used to route payments.
  • Below is a sample of a malicious website whose jewelry listings are visually identical to those of a legitimate website selling jewelry.

Figure (fake domain vs. legitimate website): An example of a malicious website that was utilized in the scam and had the same jewelry listings as the actual website.

Spreading the Scam

  • Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
  • CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
  • Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information refer to the Appendix)
Screenshot of the communication with an influencer

Different Labels, Same Scam

  • CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
List of keywords used to promote the scam

  • CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
  • Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information refer to the Appendix)
  • Further research on the domains revealed the identities of some of the registered users.
Scam domain displaying the user information
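The keyword-driven naming described under Modus Operandi and in the list above (many look-alike domains registered around the same terms, promoted under the "mall", "game" and "club" labels) can be turned into a simple triage heuristic for URLs harvested from social media. The following Python script is an added example and is not CloudSEK's code: the URLs it scans are constructed for illustration and are not the domains from this report, and the scoring weights are assumptions a defender would tune against their own data. It scores each host by which keyword families appear in its name and groups hosts that share the same keyword signature, which surfaces the register-many-domains-for-continuity pattern.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Keyword families taken from the report: the "color prediction" theme and the
# "mall" / "game" / "club" labels under which the same scam is promoted.
COLOR_TERMS = ("colour", "color")
PREDICTION_TERMS = ("prediction", "predict")
LABEL_TERMS = ("mall", "game", "club")

# Constructed sample of URLs as they might be harvested from social media posts.
# These are made up for the example and are not the domains from the report.
SAMPLE_URLS = [
    "https://www.colorpredictionmall.example/register?ref=123",
    "http://colourgame-club.example/",
    "https://colorpredictionmall2.example/login",
    "https://predictclub.example/",
    "https://shop.example-jewellery.example/earrings",
    "https://docs.python.org/3/library/urllib.html",
]


def normalized_host(url: str) -> str:
    """Lowercased host name with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def keyword_signature(host: str) -> tuple:
    """Which keyword families occur in the host name (TLD ignored).
    Plain substring matching, so 'small' would match 'mall'; a production
    version would tokenise on word boundaries and keep an allow-list."""
    name = host.rsplit(".", 1)[0].replace("-", "").replace(".", "")
    families = []
    for family, terms in (("color", COLOR_TERMS),
                          ("prediction", PREDICTION_TERMS),
                          ("label", LABEL_TERMS)):
        if any(term in name for term in terms):
            families.append(family)
    return tuple(families)


def score(host: str) -> int:
    """Assumed weights: color + prediction together is the strong signal (3);
    either alone is weak (1); a promo label only counts alongside one of them (+1),
    since plenty of legitimate sites contain 'game' or 'club'."""
    sig = keyword_signature(host)
    points = 0
    if "color" in sig and "prediction" in sig:
        points += 3
    elif "color" in sig or "prediction" in sig:
        points += 1
    if "label" in sig and ("color" in sig or "prediction" in sig):
        points += 1
    return points


def flag(urls, threshold: int = 2):
    """Hosts scoring at or above the threshold, highest score first."""
    scores = {}
    for url in urls:
        host = normalized_host(url)
        if host and host not in scores:
            scores[host] = score(host)
    hits = [(h, s) for h, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda hs: (-hs[1], hs[0]))


def clusters(urls):
    """Group hosts by keyword signature. Several hosts sharing one signature
    (name, name2, name-club, ...) is the register-many-domains-for-continuity
    pattern described in the report."""
    groups = defaultdict(set)
    for url in urls:
        host = normalized_host(url)
        sig = keyword_signature(host)
        if host and sig:
            groups[sig].add(host)
    return {sig: sorted(hosts) for sig, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, points in flag(SAMPLE_URLS):
        print(f"{points}  {host}")
    for sig, hosts in clusters(SAMPLE_URLS).items():
        print("cluster", "+".join(sig), hosts)
```

The threshold of 2 keeps hosts that pair the scam theme with a promo label while dropping anything that only contains "game" or "club"; the cluster view is the more useful output for takedown work, because one signature with several near-identical hosts is exactly the continuity tactic the report describes.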

The Game

  • Once a player registers on a color prediction website or domain, they can earn money by:
    • Predicting the correct color.
    • Enrolling additional players for the referral bonus.
  • Victims begin with a small bet placed on a specific color. If they win the bet, their money is doubled.
  • This encourages players to increase the value of their bets.
  • However, once the wallet has been topped up with the player’s money, further withdrawals are blocked.
  • Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.

Attribution

  • APKs downloaded from these websites reveal domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
  • The app code includes a Chinese open source Android framework named XUpdate.
  • An article by Telangana Today revealed a suspicion of the scammers operating from China, considering a majority of the victims’ calls were traced from Hong Kong-based numbers.
  • Similarly, an August 2020 article in the Indian Express reported a Rs. 1600 crore scam unearthed by Hyderabad police, in which a Chinese national was arrested. The entire technical operation was purportedly run by Beijing T Power company directors and partners.
  • However, in this case, there is no direct link between the campaign and Chinese entities.
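The attribution steps above (URL strings inside the downloaded APKs pointing at the hosting provider, and the XUpdate framework found by static analysis) can be reproduced with a small triage script. The Python below is an added example, not code from the report: it builds a constructed stand-in APK in memory so it runs offline, the hosts embedded in it are made up, and the XUpdate class-descriptor prefix it looks for (com/xuexiang/xupdate) is an assumption about that framework's package name that should be checked against the framework's source before being used as a signature. Real APKs keep their class names and string literals in the classes.dex (classes2.dex, ...) members of the zip, which is where the script looks; the hostnames it extracts are what an analyst would then resolve and map to a hosting provider.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Class-descriptor prefixes that identify bundled frameworks in classes.dex.
# The XUpdate prefix is an assumption about the project's package name (hypothetical
# signature for this example); verify it against the framework's source before relying on it.
FRAMEWORK_MARKERS = {
    "XUpdate": b"Lcom/xuexiang/xupdate/",
}

# http(s) URL literals; the path stops at whitespace, quotes or a NUL (dex strings are NUL-terminated).
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>\x00]*)?")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a classes.dex-like member.
    The class names and hosts inside are made up for this example."""
    dex = (b"dex\n035\x00" + bytes(range(256))
           + b"Lcom/xuexiang/xupdate/XUpdate;\x00"
           + b"https://update.colorpredictionmall.example/app/version.json\x00"
           + b"https://api.colorpredictionmall.example/v1/bet\x00"
           + b"Lcom/example/colorgame/MainActivity;\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        # Real manifests are binary XML; a plain stub is enough for this example.
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.colorgame'/>")
    return buf.getvalue()


def dex_members(apk_bytes: bytes):
    """Yield (name, data) for every classes*.dex member of the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                yield name, z.read(name)


def extract_hosts(apk_bytes: bytes) -> set:
    """Host names of every http(s) URL literal in the dex members."""
    hosts = set()
    for _, data in dex_members(apk_bytes):
        for match in URL_RE.finditer(data):
            host = urlparse(match.group(0).decode("ascii", "ignore")).hostname
            if host:
                hosts.add(host)
    return hosts


def detect_frameworks(apk_bytes: bytes) -> list:
    """Frameworks whose class-descriptor prefix appears in any dex member."""
    found = set()
    for _, data in dex_members(apk_bytes):
        for framework, marker in FRAMEWORK_MARKERS.items():
            if marker in data:
                found.add(framework)
    return sorted(found)


def triage(apk_bytes: bytes) -> dict:
    """Summary an analyst would feed into DNS/WHOIS and hosting-provider lookups."""
    return {
        "hosts": sorted(extract_hosts(apk_bytes)),
        "frameworks": detect_frameworks(apk_bytes),
    }


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

Scanning the raw dex bytes is deliberately crude: it needs no decompiler and works on obfuscated builds, since string literals and third-party package names usually survive obfuscation. For a full picture, the same marker check should be run over any `lib/` native libraries and the extracted hosts resolved and mapped to their ASN, which is the step that led the report to Alibaba Cloud.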

Impact and Mitigation

Impact
  • Such fake applications could be leveraged to deploy malware and spyware.
  • Users’ PII, such as bank details, could be leveraged for social engineering attacks and identity theft.
  • Significant monetary loss.

Mitigation
  • Report the phishing sites to Cyber Crime Cells.
  • Run aggressive awareness campaigns to educate users/customers about ongoing scams.

Appendix

The scam website with 560 users

Static code analysis revealing ‘XUpdate’ used for developing the APK

Association with Alibaba Cloud Computing (Beijing) Co. Ltd

Returns on later investments being denied

YouTube tutorials for developing platforms

Images of platforms where users could download the source code and create their own color prediction games

Screenshot of Telegram channels

Facebook being used to promote the campaigns

YouTube being used to promote the campaigns