Recorded Future's Payment Fraud Intelligence team has identified a scam e-commerce network, named the ERIAKOS campaign, targeting Facebook users. This campaign, detected on April 17, 2024, involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data. Notably, the scam websites were accessible only via mobile devices and ad lures, likely to evade automated scanners. Recorded Future recommends blocklisting suspicious merchant accounts and closely monitoring customer transactions. The use of advanced screening techniques in this campaign suggests a growing trend that might challenge current detection technologies.
ERIAKOS Scam Campaign: Unveiling a Complex Web of Fraud
On April 17, 2024, Recorded Future's Payment Fraud Intelligence team uncovered a network of 608 scam e-commerce websites, orchestrated by a single threat actor or group, targeting Facebook users. Named the ERIAKOS campaign after the CDN used (oss[.]eriakos[.]com), these scam sites employed brand impersonation and malvertising tactics to steal victims' financial and personal data. These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems and our first direct observation of such a TTP.
This sophisticated campaign exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook. This strategic move significantly reduced the likelihood of detection by automated scanners. Merchant accounts linked to these scam websites processed payments through major card networks and Chinese PSPs, adding another layer of complexity to the fraud.
Financial institutions are at risk of financial fraud, including chargeback disputes and irrecoverable losses. Impersonated businesses face reputational damage, particularly among defrauded victims. To mitigate these risks, Recorded Future advises blacklisting the suspicious merchant accounts identified in the report and monitoring transactions for potential fraud indicators.
Mitigation Strategies
To combat this threat, financial institutions should:
- Identify and blacklist merchant accounts associated with the scam domains.
- Block customer transactions with these merchants.
- Monitor historical transaction data to detect potential exposure to these scams.
- Encourage customers to report suspicious websites and transactions.
- Share scam website leads with Recorded Future for broader threat identification.
- Leverage Recorded Future Payment Fraud Intelligence (PFI) to detect and mitigate possible scam websites using the PFI common-point-of-purchase (CPP) dataset.
- Leverage Recorded Future Brand Intelligence to detect and mitigate brand impersonation threats.
For consumers, the following precautions are recommended:
- Only provide personal and payment information on secure, trusted websites.
- Research companies thoroughly before making purchases.
- Verify the legitimacy of e-commerce websites and their payment subdomains.
- Be cautious of unsolicited communications or advertisements.
- Report any scams to your card issuer and the Better Business Bureau (BBB).
Technical Analysis
Recorded Future identified four key indicators linking the 608 domains to the ERIAKOS campaign:
- Content Delivery Network: All scam sites used oss[.]eriakos[.]com.
- Domain Registrar: Domains were registered with Alibaba Cloud Computing Ltd.
- IP Addresses: Two specific IP addresses (47[.]251[.]129[.]84 and 47[.]251[.]50[.]19) were consistently used.
- Domain Misconfiguration: The scam domains exhibited specific misconfigurations between their main domains and www subdomains.
These indicators, combined with merchant account data, enabled Recorded Future to map the full extent of the scam network. The use of Chinese PSPs to process payments further complicated the detection and takedown efforts.
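As an added illustration (not Recorded Future's tooling), the sketch below scores candidate domains against the first three indicators listed above. The record fields, sample domains and the two-indicator threshold are assumptions; the misconfiguration indicator is left out because its details are not given here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators exactly as published on this page (defanged); refanged in memory only.
CDN_HOST = "oss[.]eriakos[.]com"
REGISTRAR = "Alibaba Cloud Computing Ltd."
HOSTING_IPS = ["47[.]251[.]129[.]84", "47[.]251[.]50[.]19"]

def refang(value):
    return value.replace("[.]", ".").lower()

class ResourceHosts(HTMLParser):
    """Collect hostnames referenced by src/href attributes in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname  # also handles //host/path
                if host:
                    self.hosts.add(host.lower())

def score(record):
    """Return which of the three indicators a domain record matches."""
    parser = ResourceHosts()
    parser.feed(record.get("html", ""))
    hits = []
    if refang(CDN_HOST) in parser.hosts:
        hits.append("cdn")
    # Substring match: WHOIS registrar strings often carry extra suffixes.
    if REGISTRAR.lower() in record.get("registrar", "").lower():
        hits.append("registrar")
    if {refang(ip) for ip in HOSTING_IPS} & set(record.get("a_records", [])):
        hits.append("ip")
    return hits

def triage(records, threshold=2):
    """Flag a domain at >= threshold hits (assumed cut-off; registrar alone is weak)."""
    return {r["domain"]: (score(r), len(score(r)) >= threshold) for r in records}

# Constructed sample records; domains and field names are hypothetical.
SAMPLES = [
    {"domain": "shop-example.test", "registrar": REGISTRAR,
     "a_records": [refang(HOSTING_IPS[0])],
     "html": f'<img src="https://{refang(CDN_HOST)}/img/a.png">'},
    {"domain": "benign-example.test", "registrar": REGISTRAR,
     "a_records": ["192.0.2.10"],
     "html": '<script src="https://cdn.example.test/app.js"></script>'},
]
```

Calling `triage(SAMPLES)` flags the first record on all three indicators and leaves the second unflagged, since a shared registrar on its own matches many unrelated domains.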
Outlook
The ERIAKOS campaign's use of advanced screening techniques to evade detection signals a potential trend in scam tactics. If these methods become more widespread, current detection technologies may struggle to identify and mitigate similar threats, leading to prolonged scam lifespans and increased victim exposure.