The service has become a new channel for promoting the "coronavirus" compensation scheme that drains the accounts of Russians
In early 2021, cybercriminals who steal funds from Russian accounts using the well-known compensation payment scheme began to use Google Photos albums instead of their usual channels (mail, instant messengers, SMS). Group-IB reported this to Izvestia. Experts believe that this distribution channel is dangerous because of the large reach of the popular service, whose user count passed a billion long ago. Smartphone owners who do not understand how the photo and video storage service works are at particular risk.
The “compensation” scheme itself is not new. It became popular in the spring and fall of last year amid news about the coronavirus, cuts and the financial crisis. As the head of CERT-GIB (part of Group-IB) Alexander Kalinin told Izvestia, its essence is that Russians are offered compensation for participating in popular fake polls or “unfair” lotteries, or VAT refunds. Instead, the scammers debit money from them and steal their bank card data.
Group-IB first detailed this scheme in April last year, calling it "double deception."
“The attackers acted under the guise of non-existent organizations: the International Service "Single Center of Returns", "National Lottery Community", the Center for Financial Protection and others. CERT-GIB discovered a network of related sites that included more than 170 domain names registered to the same person,” the cybersecurity expert explained.
A little later, another three dozen new domains appeared for the VAT compensation scheme. Moreover, in this case, a more sophisticated promotion model was chosen: scammers advertised in Yandex.Rion groups a fake interview from a specially created clone site of a popular publication: “A 76-year-old pensioner received 170,000 rubles of VAT compensation and spent all the money on a stripper.”
Last year, people received such messages in instant messengers, by mail or in social networks. In the same year, in addition to the usual promotion channels, scammers began using mailings with an album in Google Photos (a service for storing photos and videos). This scheme works not only against owners of Android phones, on which the service is installed automatically, but also against iPhone owners. The main condition, according to Alexander Kalinin, is the presence of a Google account. It is often set up when moving from one operating system to another, in order to have your collection of photos in the cloud at hand.
Technically, it works as follows: the service's standard functionality makes it possible to share a selected photo album with other users. When an invitation to view such an album arrives, in most cases it comes as a push notification on the phone, which is impossible not to notice (on both Android and iOS phones).
The new album will appear in the "General" section with only one photo, which states that a payment in the user's name has been approved on the "Gosuslugi" service, for example in the amount of 278,500 rubles. The amount of "support" can be higher or lower, but it is always a non-round amount, which inspires additional confidence in people. In addition, there is a comment on the photo, which contains instructions for receiving the payment. The full description, the "generous sponsors" promise, will be available via a link with many redirects from one site to another.
“This is done to increase the lifetime of fraudulent sites,” explained Alexander Kalinin. “Thus, when one site in the chain is blocked, it will be easily replaced by another, while the original link will remain unchanged, and all potential victims will be able to use it for a long time.”
The victim is asked to pay a transfer fee of 398 rubles through a fake payment service, and this must be done as quickly as possible, since after 48 hours the amount will allegedly be returned to the sender. Time frames are an additional tool for putting pressure on a person.
“Fraudsters expect that the victim, having received the message, will hurry to follow all the instructions. After all, he received a notification from Google, which is trusted, and there are no warning words in it that the account has been hacked,” said the head of CERT-GIB.
After that, the situation develops according to the classic scenario. If a person enters his data into the form to pay for the transfer, the fraudsters steal his card details, and then the funds from the account.
Capture through coverage
Experts interviewed by Izvestia believe that such a channel for distributing phishing links is more dangerous than the usual mail and SMS messages. First of all, because of its novelty, says Alexander Kalinin.
“Unlike the same letters to e-mail, this channel is not yet used by other cybercriminals. And it attracts attention with its uniqueness,” he clarified.
Ivan Denisov, Associate Professor of the Department of Civil Law Disciplines at the Plekhanov PRUE, also believes that citizens are already accustomed to similar messages in other messengers and are more critical of them.
“Many e-mail services successfully deal with spam by sending it to folders that clients hardly ever open. The client is also gradually getting used to strange SMS messages, and the cost of sending them and the associated risks of being tracked down make them less profitable. The greater the reach of the audience, the more chances that someone will fall for their tricks,” added Yegor Krivosheya, head of research at the Center for Financial Technologies and Digital Economy Research at Skolkovo-NES.
Indeed, the payment message is sent via Google Photos to 40 users simultaneously. And the number of people who use the popular service exceeded a billion a long time ago, which speaks of the huge potential audience available to the cybercriminals.
Konstantin Ordov, head of the department of corporate finance and corporate governance at the Financial University under the government of the Russian Federation, believes that fraud using pre-installed applications and services is especially dangerous, since it inspires trust on a subconscious level. He also believes that young people are the main target of the scammers.
“Moreover, attackers use vulnerabilities that even a trained user of gadgets is unlikely to recognize,” the expert emphasized.
According to Ivan Denisov, in most cases, the victims are people of the older age group, as well as adolescents and people with a low level of digital literacy.
Yegor Krivosheya agrees that the key audience in this case is non-advanced users of such services. They may know that there are photos on the phone, but they do not understand all the functionality.
The expert points out that information about official payments is not disseminated through Google Photos or similar services; it can be checked, for example, through the public services portal. It is important not to forget this because, as Konstantin Ordov emphasized, technological changes are constantly occurring and people simply do not have time to master them, so fraudsters always have room to maneuver and take advantage of insufficient digital literacy.
“Today you can protect yourself from the risks of such messages,” reminded Alexander Kalinin. “In order not to receive unwanted invitations, it is enough to disable the function of shared albums in the settings.”
You can also complain about such a user and block him, added the cyber security expert.
The Central Bank's press service did not respond to Izvestia's request about the new channel for promoting fraudulent links. Google also did not provide a comment on whether it knows about the use of the service to obtain the card data of Russians, and whether measures will be taken to protect users.