Group-IB, in coordination with the United Nations International Computing Centre (UNICC), has taken down a massive fake-website campaign in which 134 fraudulent websites impersonated the World Health Organization (WHO) to dupe people. The multistage scam campaign was run on and around April 7, 2021, to take advantage of World Health Day.
The Modus Operandi
The scammers had created a distributed network of 134 fraudulent websites impersonating the World Health Organization (WHO) on its health awareness day. The campaign asked users to take a fake survey, promising a 200-euro prize for completing it. Once users answered the questions, they were prompted to share the link with their WhatsApp contacts. In this way, the scammers orchestrated a multistage scheme that could spread virally. To make it look more authentic, the scammers also added fake Facebook comments about receiving the prize.
To make the scam more convincing, victims were also shown content customized according to their geolocation, user agent, and language settings. One example that Group-IB’s researchers found was a currency changer: the currency of the reward money shown would change depending on the user’s location.
Upon detection, Group-IB’s Digital Risk Protection team reached out to UNICC’s Common Secure team as a trusted contact for cyberthreat intelligence matters within the UN ecosystem. Group-IB and UNICC then jointly took down all the recorded scam domains.
The Scam Syndicate
The researchers checked the connections discovered between the 134 blocked websites involved in the WHO scam against their other data sources and, to their surprise, established that a single scammer collective, codenamed DarkPath Scammers, is likely to be behind the campaign.
This group is known to have at least 500 other scam and phishing resources impersonating more than 50 well-known international brands. However, it is worth noting that after the takedown efforts by UNICC and Group-IB, the scammers were forced to stop using the WHO branding across their entire network.
To avoid falling prey to such schemes, Group-IB’s experts advised online users to “carefully examine the website they visit.” The company said, “It is never a waste of time to check whether the link you will click on is identical to the domain of the organization’s official website — fraudsters often register domain names mimicking official ones. Anyone who wants to keep their personal data and money safe should foster a habit of always being suspicious of any website on which they plan to enter their data.”