hendryadrian.com
The Recorded Future Payment Fraud Intelligence team uncovered the ERIAKOS campaign, a sophisticated scam e-commerce network targeting Facebook users. Detected on April 17, 2024, this campaign involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data.
#ERIAKOS #AlibabaCloudComputingLtdhendryadrian.com
Keypoints
- Campaign Name: ERIAKOS campaign
- Detection Date: April 17, 2024
- Number of Fraudulent Websites: 608
- Target Audience: Facebook users
- Tactics Used: Brand impersonation and malvertising
- Access Method: Mobile devices via ad lures
- Mitigation Recommendations: Blacklist suspicious merchant accounts, monitor customer transactions, and encourage customers to report suspicious activities
MITRE Techniques
[T1071.001] Application Layer Protocol โ The ERIAKOS scam campaign utilized web protocols to host and distribute fraudulent e-commerce websites. The campaign exploited legitimate content delivery networks (CDNs) like oss[.]eriakos[.]com to deliver scam content to victims via mobile browsers when accessed through ad lures on social media platforms like Facebookโ.
[T1078] Valid Accounts โ The scam campaign likely created numerous fraudulent merchant accounts to process transactions. These accounts were established through major card networks and Chinese payment service providers (PSPs), such as AQAPAY and Hui, to steal payment card data and personal information from victims.
[T1190] Exploit Public-Facing Application โ Threat actors exploited public-facing applications by creating fake e-commerce websites that impersonated popular brands. These websites included limited-time offers and other tactics to create a sense of urgency among potential victims.
[T1566.002] Phishing: Spearphishing via Service โ The campaign disseminated scam websites via Facebook Ads, leveraging malvertising tactics to reach a broad audience. The ads featured user testimonials and other social proof elements to lure victims into interacting with the fraudulent sites.
[T1102.001] Web Service: Domain Fronting โ The scam websites used domain fronting techniques to evade detection. They targeted mobile users who accessed the sites via specific ad lures, blocking access from desktop browsers or direct URL inputs unless the request imitated a mobile deviceโs user-agent and referrer headers from Facebook.
[T1484.001] Domain Policy Modification: Domain Trust Modification โ The domains linked to the scam campaign were registered through Alibaba Cloud Computing Ltd. d/b/a HiChina, and the scam websites were often misconfigured with their www subdomains under Cloudflare, further complicating detection and attribution efforts.
Indicators of Compromise
- [Domain] oss[.]eriakos[.]com โ used as Content Delivery Network to host scam content
- [IP Address] 47[.]251[.]129[.]84, 47[.]251[.]50[.]19 โ consistently used by scam sites
- [Domain Registrar/Org] Alibaba Cloud Computing Ltd (d/b/a HiChina) โ registrar for scam domains
Read more: https://www.recordedfuture.com/research/eriakos-scam-campaign-detected