Who are we dealing with?
The scammers who named their scheme “Mammoth” were most likely guided not by an interest in paleontology but by the popular saying “a sucker is not a mammoth, a sucker will not die out.” The phrase is common among thieves who want to defraud as many people as possible: there always have been and always will be suckers, so fraud will always remain profitable.
The scheme is quite old. It was discovered in 2019, and in 2020 experts from Group-IB (now called FACCT) explained that at the time the scheme was usually called “Courier”.
Scammers (from the English word “fraud” – socialbites.ca) created listings for popular products at low prices on classified-ad sites, moved the victim into a WhatsApp, Telegram or Viber conversation and sent him a link for payment.
The link opened a fake website of some well-known courier service containing a form for entering bank card details; the victim entered them to confirm the purchase and lost the money. Behind the interface of the supposed courier-service website was hidden a Card2Card banking service for transferring money from card to card.
So the victim did not buy anything; he simply transferred the money to the fraudster. Because the scheme abused well-known courier-service brands, it was initially called “Courier”.
In 2020 the COVID-19 pandemic made home delivery of everything more important than ever, and the “Courier” scheme spread across Russia with dangerous viral speed. Fortunately, the classified-ad platforms themselves began to fight the scammers actively. At that point “Courier” finally gave way to “Mammoth”: the attackers moved beyond classified-ad sites to sites for selling cars, renting apartments, finding travel companions and more.
The essence of the scheme did not change: scammers found a victim selling or renting something on a legitimate service, redirected him to a messenger and sent him a fake payment page.
By 2021 the scheme had spread almost worldwide and was being used against residents of Romania, Bulgaria, France, Poland, the Czech Republic, the USA, Ukraine, Uzbekistan, Kyrgyzstan and Kazakhstan. Its rapid spread was helped by the low barrier to entry into the ecosystem and the high income.
At the beginning of 2021 several dozen groups were operating on the dark web, each led by an administrator. He wrote the conversation scripts (the script the fraudster followed when working the victim – socialbites.ca) and also built and maintained the fake sites and payment pages used to accept the money. The administrator then recruited “workers” on the darknet or Telegram: the actual scammers who created fake ads on the sites, found victims and manipulated them.
According to FACCT, more than 5 thousand workers were active in 40 closed Telegram chats at that time. A single group earned up to 200 thousand rubles per day and millions of rubles per month. Workers took most of the profit, up to 80%.
Over time the business matured to the point that a worker, on joining (for a fee or for free), received accounts on classified-ad sites, fake phone numbers and even access to a lawyer ready to represent the fraudster in court.
New “Mammoth”
The scheme was so effective that the attackers not only did not abandon it but improved on Mammoth and scaled up their operations. According to a second FACCT study, as of November 1, 2024 there were 16 groups using the “Mammoth” scheme against Russia and the CIS alone, involving more than 20 thousand cybercriminals. Last year they stole more than a billion rubles from Russians.
According to data from the Russian Ministry of Internal Affairs, 2024 saw a “rebirth” of the “Mammoth” scheme among cybercriminals, and law enforcement named “Mammoth” one of the year’s major cybercrime trends. The problem became especially evident at the start of the pre-holiday shopping season. One key piece of the attackers’ technical know-how in this scheme is the use of malware which, once executed on the victim’s device, does the fraudster’s dirty work for him. The malware is delivered to the victim’s smartphone via an app whose download link is provided by the attackers.
“Spyware hidden in the application can steal money from the accounts of Russian bank customers by capturing entered bank card data and incoming SMS codes,” the Russian Ministry of Internal Affairs said in a statement.
The applications in which the malware is hidden vary. The Ministry of Internal Affairs cites fake “secret client” apps as one example: scammers persuade Russians to download an .apk (installation file for an Android application – socialbites.ca) under the pretext of a safe transaction.
FACCT, for its part, knows of cases where the victim was offered a fake app from a logistics company, supposedly to track a package.
“If a year ago the user was first asked to follow a fake Google Play link to download a malicious .apk file, now he is offered to download this file immediately on the payment page for a fake order. The result is deplorable: the practice gives attackers the opportunity not only to withdraw all available funds from the victim’s accounts, but also to take out credit for subsequent thefts,” he said.
Anti-scam techniques
The main defense against fraud attacks is good digital hygiene. It is equally important to keep a sober mind: always remember that very profitable offers require verification. Fraudsters find their victims at the buying and selling stage.
Therefore, when dealing with a seller on any platform, whether a marketplace, a classified-ad site, a home-rental site or anything else, you should never move the correspondence out of the service’s website or app into instant messengers or social networks. The websites and apps of these services have protective algorithms that block dangerous links and files.
If an offer to buy something at a bargain price arrives as a message on a social network, in a messenger or by email, ignore it, even if the sender invokes the brand of a well-known company or introduces himself as its employee.
If you do look into it, compare the link you were sent with the address of the company’s official resource: most likely the received link contains a typo. It is also worth searching the Internet for information about the promotion or discount; with high probability you will find a review from a “buyer” who fell for the scammers’ game and lost money.
Sometimes links to lucrative offers come from people you know on social networks or in messengers. Before opening them, call the person back and make sure that his social-network or messenger profile has not been hacked.
Ordinary citizens are not the only ones fighting the attackers behind the Mammoth scheme. The brands in whose name the fraudsters operate are also harmed and fight back, often using proactive systems for detecting the domains of fake sites. Recently even neural networks have joined in: they detect new domains almost instantly and notify brand owners, allowing malicious resources to be blocked before they can be used.
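The two defensive checks described above, comparing a received link against a company’s official address and spotting lookalike domains before they are used, as an added Python example that is not from the article, FACCT or any brand’s detection system. The official domains and sample links are constructed placeholders, and the registrable-domain helper is a simplification that assumes a two-label suffix.

```python
from urllib.parse import urlsplit

# Constructed list of "official" brand domains (placeholders, not real brand data)
OFFICIAL_DOMAINS = {"example-courier.ru", "example-market.ru"}

# Cyrillic letters that look identical to Latin ones, a common lookalike-domain trick
HOMOGLYPHS = str.maketrans("аеорсухі", "aeopcyxi")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character 'typos' in a domain name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host; a crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.split(".")[-2:])


def mixed_script(host: str) -> bool:
    """True when Latin and Cyrillic letters are mixed in one hostname."""
    has_latin = any("a" <= c <= "z" for c in host)
    has_cyrillic = any("\u0400" <= c <= "\u04ff" for c in host)
    return has_latin and has_cyrillic


def check_link(url: str, official=OFFICIAL_DOMAINS):
    """Classify a link as 'ok', 'lookalike' or 'unknown' relative to the official domains."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no hostname in link"
    if mixed_script(host):
        return "lookalike", f"mixed Latin/Cyrillic letters imitate {host.translate(HOMOGLYPHS)}"
    if host in official or any(host.endswith("." + d) for d in official):
        return "ok", "official domain"
    reg = registrable(host)
    for d in official:
        brand = d.split(".")[0]
        if brand in host:  # brand name used inside an unrelated registrable domain
            return "lookalike", f"brand name {brand!r} inside unofficial domain {reg}"
        dist = levenshtein(reg, d)
        if dist <= 2:  # a typo away from the real domain
            return "lookalike", f"{reg} is {dist} edit(s) from {d}"
    return "unknown", f"{reg} is not an official domain"
```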
Another positive development for Russians was that Telegram began disclosing to law enforcement the IP addresses and phone numbers of users who violate the messenger’s rules.
These include scammers who use Telegram to communicate, to distribute “job” advertisements and to share tools for committing crimes. This decision by the messenger’s administration frightened the operators of the “Mammoth” scheme: according to FACCT data, four weeks after the new policy was announced, 70% of fraud groups saw their revenue fall by an average of 22%.
But information security experts warn that Telegram’s latest measure will only slow the attackers down temporarily: they are already actively setting up forums on the darknet and advertising sites for referral programs on the clearnet. All this means that “Mammoth” will certainly not “disappear” in the near future.
“The fact that fraudsters and other cybercriminals are now leaving Telegram does not in any way guarantee a reduction in the number of crimes. The attackers have moved their communication to other platforms, including the darknet, where they communicated before Telegram,” Igor Bederov, head of the investigation department at T.Hunter, told socialbites.ca.
Source: Gazeta
Jackson Ruhl is a tech and sci-fi expert, who writes for “Social Bites”. He brings his readers the latest news and developments from the world of technology and science fiction.