Category | Industry | Motivation | Region
---|---|---|---
Adversary Intelligence | Multiple | Financial | Global
Executive Summary
THREAT | IMPACT | MITIGATION |
---|---|---|
Analysis and Attribution
- CloudSEK’s contextual AI digital risk monitoring platform XVigil identified a financial scam marketed as "Color Prediction" gaming, which operates under the pretext of a game.
- Color Prediction platforms promise quick money: users place bets on a color and are told they will earn good returns for predicting the right one.
- The scam resembles a Ponzi or pyramid scheme: money collected from new players/investors is used to pay "profits" to earlier players/investors.
- Around 60 websites and hundreds of social media handles have been identified propagating this scam.
- These scams have been prevalent for a long time, and several actors have been arrested for such activities in the past three years.
Modus Operandi
- Threat actors start by registering multiple domains containing keywords related to color prediction games, so that the operation continues even if one domain is taken down.
- Color prediction games are also distributed as mobile apps, but these are usually not available on official stores such as Google Play or the Apple App Store; victims download APKs from the scam websites instead.
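The registration pattern above (many domains built from the same vocabulary, re-registered with small variations after a takedown) is something a hunting team can score for. The following is an added example, not CloudSEK's code or XVigil's logic: it normalizes a domain or URL to its leftmost label, scores it against the campaign vocabulary (the "color prediction" terms plus the "mall", "game" and "club" labels named later in this report) and groups hits into families. The suffix terms "win" and "lottery", the weights, the threshold and the sample domains (reserved `.example` TLD) are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Terms the report says the actors reuse across their domains: generic "color
# prediction" wording plus the campaign labels "mall", "game" and "club". The extra
# suffix terms and the weights below are this example's own choices, not the report's.
CORE_TERMS = ("colour", "color", "prediction", "predict")
SUFFIX_TERMS = ("mall", "game", "club", "win", "lottery")
CORE_WEIGHT = 3
THRESHOLD = 4  # one core term plus at least one suffix term

# Constructed sample input (reserved .example TLD); not domains from the report.
SAMPLE_DOMAINS = [
    "colorpredictionmall.example",
    "color-prediction-mall2.example",                 # same family, re-registered with a digit
    "https://www.colour-predict-club.example/login",  # a URL rather than a bare domain
    "color-prediction-game.example",
    "colorwinmall.example",
    "bestjewellerymall.example",                      # "mall" alone: a retailer, not flagged
    "predictweather.example",                         # "predict" alone: not flagged
]

def normalize_label(domain: str) -> str:
    """Reduce a domain or URL to its leftmost registrable label, lower-cased, with the
    scheme, 'www.', digits and hyphens removed, so that re-registered variants such as
    color-prediction-mall2.example collapse onto colorpredictionmall."""
    d = re.sub(r"^https?://", "", domain.strip().lower())
    d = re.sub(r"^www\.", "", d)
    label = d.split("/")[0].split(".")[0]
    return re.sub(r"[^a-z]", "", label)

def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Score a domain by the campaign vocabulary it contains and list the matched terms."""
    label = normalize_label(domain)
    core = [t for t in CORE_TERMS if t in label]
    suffix = [t for t in SUFFIX_TERMS if t in label]
    score = (CORE_WEIGHT if core else 0) + len(suffix)
    return score, core + suffix

def hunt(domains: List[str]) -> Dict[str, List[str]]:
    """Return domains scoring at or above THRESHOLD, grouped into families by normalized
    label. A family with several members is the takedown-resilient registration pattern
    the report describes."""
    families: Dict[str, List[str]] = {}
    for d in domains:
        score, _ = score_domain(d)
        if score >= THRESHOLD:
            families.setdefault(normalize_label(d), []).append(d)
    return families

if __name__ == "__main__":
    for label, members in hunt(SAMPLE_DOMAINS).items():
        print(f"{label}: {members}")
```

Run against a feed of newly registered domains or certificate-transparency logs, the family grouping is what matters: a single hit is a lead, a family that keeps growing after a takedown is the operator maintaining continuity.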
Retail Brand Impersonation
- Several well-known retail brand names are abused in order to gain credibility.
- The sites use reputable payment gateways and financial services to appear legitimate.
- India-based payment service providers are also used to route payments.
- Below is a sample of a malicious website whose jewelry listings are visually identical to those of a legitimate jewelry retailer.
[Figure: fake domain (left) vs. legitimate website (right): the malicious website used in the scam carries the same jewelry listings as the actual website]
Spreading the Scam
- Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
- CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media network disseminating these games.
- The attackers operating these games also run dedicated Telegram groups and channels to communicate with their followers. (For more information, refer to the Appendix.)
Different Labels, Same Scam
- CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.
- CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
- Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information refer to the Appendix)
- Further research on the domains revealed the identities of some of the registered users.
The Game
- Once a player registers on a color prediction website, they are told they can earn money by:
  - Predicting the correct color.
  - Enrolling additional players for a referral bonus.
- Victims begin with a small bet on a specific color. When they win, their stake is doubled, which encourages them to increase the value of their bets.
- However, once the wallet has been topped up with the player’s money, withdrawals are blocked.
- Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.
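The mechanics above (wins credited as doubled balances, referral bonuses, then blocked withdrawals) are the Ponzi dynamic the report names: the operator's cash is only ever the deposits, while the balances shown in wallets grow faster than that. The simulation below is an added example, not code from the report or from any of the game platforms; its ledger model, round structure and parameter values are assumptions chosen to make the arithmetic visible.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Ledger:
    cash: float = 0.0                  # money the operator actually holds
    owed: float = 0.0                  # balances displayed in players' wallets
    withdrawn: float = 0.0             # money actually paid out
    blocked_round: Optional[int] = None
    rounds: List[Tuple[int, float, float]] = field(default_factory=list)

def simulate(new_players: List[int], deposit: float, win_fraction: float,
             referral_bonus: float, withdraw_fraction: float) -> Ledger:
    """One round per entry of new_players (hypothetical model). Each round:
    1. newcomers deposit (cash in, wallet credit) and referrers get a bonus (credit only);
    2. every wallet is bet in full; a win_fraction share of the stake is doubled and the
       rest is lost to the house, so wallets grow without any cash entering;
    3. players ask to withdraw withdraw_fraction of their wallets. The operator pays
       while cash lasts and blocks withdrawals the first time it cannot.
    A fair game (win_fraction 0.5, no referral bonus) keeps cash == owed forever; the
    advertised doubling (win_fraction > 0.5) plus referral credits does not.
    """
    led = Ledger()
    for r, joiners in enumerate(new_players):
        led.cash += joiners * deposit
        led.owed += joiners * (deposit + referral_bonus)
        led.owed = 2 * win_fraction * led.owed       # winners doubled, losers zeroed
        requested = withdraw_fraction * led.owed
        if led.blocked_round is None and requested <= led.cash:
            led.cash -= requested
            led.owed -= requested
            led.withdrawn += requested
        elif led.blocked_round is None:
            led.blocked_round = r                   # wallets show money the operator lacks
        led.rounds.append((r, round(led.cash, 2), round(led.owed, 2)))
    return led

# Constructed scenario: inflow of new players tails off after a few rounds.
SCAM_INFLOW = [100, 100, 50, 20, 0, 0]

def run_scam() -> Ledger:
    return simulate(SCAM_INFLOW, deposit=100.0, win_fraction=0.6,
                    referral_bonus=20.0, withdraw_fraction=0.3)

def run_fair() -> Ledger:
    return simulate([100] * 6, deposit=100.0, win_fraction=0.5,
                    referral_bonus=0.0, withdraw_fraction=0.3)

if __name__ == "__main__":
    for name, led in (("scam", run_scam()), ("fair", run_fair())):
        print(name, "blocked at round:", led.blocked_round)
        for r, cash, owed in led.rounds:
            print(f"  round {r}: cash={cash:>10.2f}  wallets={owed:>10.2f}")
```

With these numbers the operator pays the first three rounds of withdrawals out of other players' deposits and blocks withdrawals in round 3, when requested payouts first exceed cash; the fair run never blocks because displayed balances never exceed what was deposited. Early adopters who cash out quickly are exactly the "winners" whose testimonials recruit the next cohort.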
Attribution
- APKs downloaded from these websites contact domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
- The app code includes XUpdate, a Chinese open source Android update framework.
- An article in Telangana Today reported the suspicion that the scammers operate from China, since a majority of the calls received by victims were traced to Hong Kong-based numbers.
- Similarly, an Indian Express article from August 2020 described a Rs. 1,600 crore scam uncovered by Hyderabad police, in which a Chinese national was arrested. The entire technical operation was purportedly run by directors and partners of the Beijing T Power company.
- However, in the present case there is no direct link between the campaign and Chinese entities.
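The two APK observations above (embedded hosting domains, and the XUpdate framework in the app code) both come from looking at the strings inside the package. The script below is an added example, not CloudSEK's tooling: it treats the APK as the zip it is, pulls hostnames out of `classes.dex` and `assets/` with a byte regex (DEX strings are MUTF-8, so ASCII hostnames are directly visible), checks for XUpdate class descriptors, and collapses the hosts to the registrable names you would pass to whois or passive DNS for the hosting pivot. The XUpdate package name `com.xuexiang.xupdate`, the `.example` hostnames and the in-memory sample APK are assumptions constructed for the example; it does no network lookups.

```python
import io
import re
import zipfile
from typing import Dict, List, Set

# Assumption: XUpdate's Java package is com.xuexiang.xupdate, so its classes appear
# in a DEX string table as descriptors such as "Lcom/xuexiang/xupdate/XUpdate;".
XUPDATE_MARKERS = (b"Lcom/xuexiang/xupdate/", b"com.xuexiang.xupdate")

# Only the host is captured; a NUL, ':' or '/' ends the match, so adjacent
# string-table entries are never merged into one hostname.
HOST_RE = re.compile(rb"https?://([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.IGNORECASE)

def scannable(name: str) -> bool:
    """classes*.dex and assets/ hold plain strings; AndroidManifest.xml and compiled
    resources are binary AXML with UTF-16 strings and are skipped by this example."""
    return name.endswith(".dex") or name.startswith("assets/")

def triage_apk(apk_bytes: bytes) -> Dict[str, object]:
    """Return the hostnames the APK embeds and whether XUpdate is packaged."""
    hosts: Set[str] = set()
    xupdate = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not scannable(name):
                continue
            data = z.read(name)
            hosts.update(h.decode("ascii").lower() for h in HOST_RE.findall(data))
            xupdate = xupdate or any(m in data for m in XUPDATE_MARKERS)
    return {"hosts": sorted(hosts), "xupdate": xupdate}

def pivot_domains(hosts: List[str]) -> Set[str]:
    """Collapse hosts to their last two labels: the names to feed to whois or passive
    DNS for the hosting-provider pivot. Two-label heuristic only; real work needs a
    public-suffix list (co.in and similar)."""
    return {".".join(h.split(".")[-2:]) for h in hosts}

def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip with a fake classes.dex holding the
    kind of strings a DEX string table contains. Hosts use the reserved .example TLD."""
    dex = b"dex\n035\x00" + b"\x00" * 16
    dex += b"\x1fhttps://api.colorwin.example/v1/\x00"           # length byte + MUTF-8 + NUL
    dex += b"\x1eLcom/xuexiang/xupdate/XUpdate;\x00"             # XUpdate class descriptor
    dex += b"http://cdn.colorwin.example:8080/update.json\x00"
    dex += b"Landroid/app/Activity;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary AXML stub, skipped
        z.writestr("classes.dex", dex)
        z.writestr("assets/config.json", b'{"gateway": "https://pay.colorwin.example/checkout"}')
    return buf.getvalue()

if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print(report)
    print("pivot on:", pivot_domains(report["hosts"]))
```

On a real sample, feed `pivot_domains()` output to your whois and passive-DNS tooling; the report's Alibaba Cloud attribution is exactly that step, and the XUpdate flag is a weak signal (it is a public open source library), which is why the report stops short of attributing the campaign to Chinese entities.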
Impact and Mitigation
Impact | Mitigation |
---|---|
Appendix
- Images of platforms where users could download the source code and create their own color prediction games
- Images of Telegram channels
- Images of Facebook being used to promote the campaigns