OP 03 November, 2024 - 12:44 AM
From Armenia to Kazakhstan, fake websites are growing every month.
![[Image: 8hpri1h3hgj6plmsemyr8d2sn0bcoj67.jpg]](https://i.ibb.co/bgz5MRD/8hpri1h3hgj6plmsemyr8d2sn0bcoj67.jpg)
Over the past three years, cybercriminals have significantly improved the Mammoth scam, which originally appeared in 2019. According to cybersecurity experts, attackers are actively expanding the geography of attacks and mastering new methods of stealing funds.
https://www.facct.ru/blog/mammoth-attacks-banks/
![[Image: 8slglzzh8og7krqpkrtmneil8uenagll.png]](https://i.ibb.co/n3KQmBJ/8slglzzh8og7krqpkrtmneil8uenagll.png)
Number of groups operating under the Mammoth scheme
To date, experts have identified 16 large criminal groups employing over 20,000 fraudsters. From July 2023 to June 2024 alone, criminals stole over 1.2 billion rubles from residents of Russia and the CIS countries. The total damage from criminals' actions in all countries since the beginning of 2021 has exceeded 8.6 billion rubles.
![[Image: acq6as2ksg8i810rhzfjrdf998zsi9mt.png]](https://i.ibb.co/QfWyby1/acq6as2ksg8i810rhzfjrdf998zsi9mt.png)
Choosing a bank on a phishing site
Analysts have noted three main trends in the development of the scheme over the past year. First, fraudsters have begun to use a new method of delivering malicious software to users' devices. After paying on a phishing site, the victim is offered to download an application supposedly to track the delivery of an order. The installed program allows the attackers to gain full control over the device, issue loans in the victim's name and withdraw funds from all bank accounts.
The second trend is associated with the expansion of the list of banks in the CIS countries, whose brands are used to create fake pages. Fraudsters actively use phishing sites with imitation personal accounts of banks in Armenia, Kyrgyzstan, Uzbekistan, Azerbaijan and Kazakhstan.
![[Image: 327yrdtmdjo414vm1are10e2ob9y43vg.png]](https://i.ibb.co/zR15ySX/327yrdtmdjo414vm1are10e2ob9y43vg.png)
Page with entering bank data
The third significant change was the inclusion of the "Antikino" scheme in the arsenal of some large groups. The attackers register on dating sites under the guise of girls and after a short conversation offer the victim to buy tickets to the cinema or theater, directing them to a phishing site.
![[Image: oka9jeln39xhcbbm8libp4d7bbg5qrr0.png]](https://i.ibb.co/31mYVPF/oka9jeln39xhcbbm8libp4d7bbg5qrr0.png)
Areas of activity, brands of which scammers use to create phishing pages in the "Mammoth" scheme
At the end of September 2024, an important event occurred that affected the activity of scammers. After the statement of the founder of Telegram Pavel Durov about the possibility of disclosing the data of violators to law enforcement agencies, many groups began to leave the platform. One of the largest groups with an audience of more than 10,000 participants announced the transition to its own web platform and the launch of an anonymous site on the darknet.
![[Image: k363820gnaqi861tj3erm4yrn9r7dvp7.png]](https://i.ibb.co/YZZBhhh/k363820gnaqi861tj3erm4yrn9r7dvp7.png)
A message in one of the fraudulent groups about leaving Telegram
As a result, the income of 70% of fraudulent groups decreased by an average of 22% in four weeks - from 58 to 45 million rubles. The situation was aggravated by the blocking of accounts by the CryptoBot platform, which the attackers used to withdraw funds.
Experts calculated that from the beginning of 2020 to the first half of 2024, 1,566 different groups operating under the Mammoth scheme were created. Although most groups do not exist for long, new ones constantly replace those that ceased operations. The average amount stolen in Russia was 9,008 rubles.
To create phishing pages, criminals use 97 unique brands in the CIS countries. Russia was the leader in the number of bait brands (42), followed by Armenia (30), Azerbaijan (18), Kazakhstan (16), Uzbekistan (11), Kyrgyzstan (6) and Tajikistan (5).
Analysts note that the development of fraudulent services simplifies the entry of new participants into the criminal business, as it does not require technical knowledge. To protect against fraudsters, experts recommend that users check the date of creation of sites through whois services, be wary of large discounts, correspond only through official channels of trading platforms and do not transfer communication to instant messengers.
source : https://www.facct.ru/blog/mammoth-attacks-banks/
Over the past three years, cybercriminals have significantly improved the Mammoth scam, which originally appeared in 2019. According to cybersecurity experts, attackers are actively expanding the geography of attacks and mastering new methods of stealing funds.
https://www.facct.ru/blog/mammoth-attacks-banks/
Number of groups operating under the Mammoth scheme
To date, experts have identified 16 large criminal groups employing over 20,000 fraudsters. From July 2023 to June 2024 alone, criminals stole over 1.2 billion rubles from residents of Russia and the CIS countries. The total damage from criminals' actions in all countries since the beginning of 2021 has exceeded 8.6 billion rubles.
Choosing a bank on a phishing site
Analysts have noted three main trends in the development of the scheme over the past year. First, fraudsters have begun to use a new method of delivering malicious software to users' devices. After paying on a phishing site, the victim is offered to download an application supposedly to track the delivery of an order. The installed program allows the attackers to gain full control over the device, issue loans in the victim's name and withdraw funds from all bank accounts.
The second trend is associated with the expansion of the list of banks in the CIS countries, whose brands are used to create fake pages. Fraudsters actively use phishing sites with imitation personal accounts of banks in Armenia, Kyrgyzstan, Uzbekistan, Azerbaijan and Kazakhstan.
Page with entering bank data
The third significant change was the inclusion of the "Antikino" scheme in the arsenal of some large groups. The attackers register on dating sites under the guise of girls and after a short conversation offer the victim to buy tickets to the cinema or theater, directing them to a phishing site.
Areas of activity, brands of which scammers use to create phishing pages in the "Mammoth" scheme
At the end of September 2024, an important event occurred that affected the activity of scammers. After the statement of the founder of Telegram Pavel Durov about the possibility of disclosing the data of violators to law enforcement agencies, many groups began to leave the platform. One of the largest groups with an audience of more than 10,000 participants announced the transition to its own web platform and the launch of an anonymous site on the darknet.
A message in one of the fraudulent groups about leaving Telegram
As a result, the income of 70% of fraudulent groups decreased by an average of 22% in four weeks - from 58 to 45 million rubles. The situation was aggravated by the blocking of accounts by the CryptoBot platform, which the attackers used to withdraw funds.
Experts calculated that from the beginning of 2020 to the first half of 2024, 1,566 different groups operating under the Mammoth scheme were created. Although most groups do not exist for long, new ones constantly replace those that ceased operations. The average amount stolen in Russia was 9,008 rubles.
To create phishing pages, criminals use 97 unique brands in the CIS countries. Russia was the leader in the number of bait brands (42), followed by Armenia (30), Azerbaijan (18), Kazakhstan (16), Uzbekistan (11), Kyrgyzstan (6) and Tajikistan (5).
Analysts note that the development of fraudulent services simplifies the entry of new participants into the criminal business, as it does not require technical knowledge. To protect against fraudsters, experts recommend that users check the date of creation of sites through whois services, be wary of large discounts, correspond only through official channels of trading platforms and do not transfer communication to instant messengers.
source : https://www.facct.ru/blog/mammoth-attacks-banks/