
Active Subscription Scam Campaigns Flooding the Internet


Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites.

What sets this campaign apart is the significant investment cybercriminals have undertaken to make these fake sites look convincingly legitimate.  

Gone are the days when a suspicious email, SMS, or basic phishing link could easily fool users. As people grow more cautious and cyber-aware, scammers are stepping up their game. They have already begun crafting more complex and convincing schemes to bypass skepticism and lure victims into handing over sensitive information, especially credit card data. 

Key Findings 

  • Incredibly convincing websites, selling everything from shoes and clothes to diverse electronics, are tricking people into paying monthly subscriptions and willingly giving away credit card data. 
  • Many of the websites are linked to a single address in Cyprus, likely home to an offshore company. 
  • The scam encompassed more than 200 different websites, including many that are still up and running. 
  • Criminals create Facebook pages and take out full ads to promote the already classic "mystery box" scam and other variants. 
  • The "mystery box" scam has evolved and now includes almost hidden recurring payments, alongside links to the websites of various shops.  
  • Facebook is used as the main platform for these new and enhanced mystery box scams. 

Content creators are being impersonated to promote mystery boxes, or fraudsters create new pages that look a lot like the originals. 

 Scammers try to take advantage of people's lack of attention 

Scammers know that if a victim has reached the payment step, they're already convinced the scam is real. At that point, hesitation is low, and critical thinking is off.

That’s when scammers strike again, slipping in a second scam right before the victim hands over the money. At that point, it’s not just about closing the deal, but about stacking the fraud. 

What is a mystery box scam? 

In real life, the allure of a mysterious box of items on a shelf just waiting for someone to pick it up for a few bucks seems like a scam that would never work. But on the Internet, it really does work - otherwise scammers wouldn't put so much effort into promoting them. 

There are quite a few variations of these scams, from boxes left at the post office to bags left at the airport and even to clearance sales from large shopping centers. They all share the same tell-tale sign: all the victim has to do is to pay a minimal sum of money. 

The goal, of course, is to collect personal and financial information. Victims willingly provide all that precious information, believing they've made a fantastic purchase. Here's an example from one such scam campaign targeting Facebook users in Romania:  

The Mystery Box Scam is evolving 

Like most scams, these fraudulent schemes lose their allure as people get used to them, and fewer people fall victim. This drives criminals to devise new ways to obtain money or financial information. 

The first step in this evolutionary ladder was the moment scammers added surveys "to ensure" you're a real person and not a bot. When users see a company taking such steps, it makes the enterprise look more legitimate.  

Now, the mystery box scam has evolved in a new way. Right before you agree to give them money and financial information, you also agree to a subscription model (written in a tiny font) that turns your current mystery shopping adventure into recurring payments. 

 


 Of course, other countries are targeted as well. Here's one for Canada or the United States:  


As our past research shows, these scams have flooded social media, and it's all made possible by sponsored ads. 

You will notice that the payment page also references a website called naillr[.]com, where you get a loyalty membership card that gives you discounts and perks. However, this is where the research pointed us in another direction. 

The mystery box scam is expanding into new territories 

Some of these ads with mystery boxes point to various online shops for a variety of products, like clothes, electronic equipment, beauty products, and many others. At one point, we identified around 140 websites that shared the same business model. This is just one example: 


"Buy at member price and get FREE access to the best prices in Europe with an account top-up of 44.00 EUR/every 14 days. Skip or shop the top-up" read the fine print.  

The online shop appears to offer many tiers with all kinds of perks. By following the URLs related by tracker ID, Bitdefender researchers found more than 200 websites in this campaign, many of which are currently still online. 
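Pivoting on a shared tracker ID, as described above, can be sketched as follows. This is an added example, not Bitdefender's tooling: the article does not say which tracker was used, so the Google Analytics and Meta Pixel patterns, the function names and the sample hostnames are assumptions.

```python
import re
from collections import defaultdict

# Assumed tracker formats (the article does not name the tracker it pivoted on).
TRACKER_PATTERNS = {
    "ga": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b"),
    "fbpixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]"),
}

def extract_trackers(html):
    """Return the set of (kind, id) tracker identifiers found in a page."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.finditer(html):
            found.add((kind, match.group(1)))
    return found

def cluster_by_tracker(pages):
    """Group hosts linked, directly or transitively, by a shared tracker ID."""
    parent = {host: host for host in pages}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for host, html in pages.items():
        for tracker in extract_trackers(html):
            if tracker in first_seen:
                parent[find(host)] = find(first_seen[tracker])
            else:
                first_seen[tracker] = host
    clusters = defaultdict(set)
    for host in pages:
        clusters[find(host)].add(host)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))

# Constructed sample input: hostnames and HTML are invented for illustration.
SAMPLE_PAGES = {
    "shop-a.example": "<script>gtag('config', 'G-ABCD123456');</script>",
    "shop-b.example": "<script>gtag('config','G-ABCD123456');"
                      "fbq('init', '123456789012345');</script>",
    "shop-c.example": "<script>fbq('init', '123456789012345');</script>",
    "unrelated.example": "<script>gtag('config', 'G-ZZZZ999999');</script>",
}

if __name__ == "__main__":
    for cluster in cluster_by_tracker(SAMPLE_PAGES):
        print(cluster)
```

Note that shop-a and shop-c share no tracker directly; they land in one cluster only because shop-b carries both IDs, which is why the grouping has to be transitive.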

Basically, people might be tempted to pay one of these subscriptions, believing that it will provide them with discounts across the entire website. The shop owners even offer various subscription tiers, but the sums vary from one website to another.  

This is what the VIP tier looks like on one of these websites:  


 

The discounts offered are based on store credits, which are converted at a 1:1 ratio. So if you invest €68, you get 68 credits. If you want to buy something like a piece of furniture, for example, this is what it would look like. 


 

It's all very complicated to follow, with store credits, discounts, credits that you can top up every 14 days, and so on. The basic idea is to have a process as convoluted as possible and make it sound like a good idea at the same time. By the time the victim actually pays for a subscription, it already seems like an investment. 
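Recurring-charge wording like the "44.00 EUR/every 14 days" fine print quoted earlier can be pulled out of checkout text and compared with the advertised one-off price. The following is an added example, not code from the article; the function names, the list of currencies and interval phrasings, and the sample checkout text and price are assumptions.

```python
import re

UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}
ADVERB_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
NUM = r"\d+(?:[.,]\d{2})?"
# Amount with a currency symbol before it or a code/symbol after it.
AMOUNT = (rf"(?:(?P<sym>[€$£])\s?(?P<a1>{NUM})"
          rf"|(?P<a2>{NUM})\s?(?P<cur>EUR|USD|GBP|CAD|RON|[€$£]))")
# Billing interval: "every 14 days", "per month", "monthly", ...
INTERVAL = (r"(?:every\s+(?P<n>\d+)?\s*(?P<unit>day|week|month|year)s?"
            r"|per\s+(?P<unit2>day|week|month|year)"
            r"|(?P<adv>daily|weekly|monthly|yearly))")
RECURRING = re.compile(AMOUNT + r"\s*/?\s*" + INTERVAL, re.IGNORECASE)

def find_recurring_charges(text):
    """Extract amount, currency and billing interval from fine-print text."""
    charges = []
    for m in RECURRING.finditer(text):
        amount = float((m.group("a1") or m.group("a2")).replace(",", "."))
        currency = m.group("sym") or m.group("cur").upper()
        if m.group("adv"):
            days = ADVERB_DAYS[m.group("adv").lower()]
        else:
            unit = (m.group("unit") or m.group("unit2")).lower()
            days = int(m.group("n") or 1) * UNIT_DAYS[unit]
        charges.append({
            "amount": amount,
            "currency": currency,
            "interval_days": days,
            # Normalised cost so different intervals can be compared.
            "per_30_days": round(amount * 30 / days, 2),
        })
    return charges

def review_checkout(one_off_price, page_text):
    """Return recurring charges whose 30-day cost exceeds the one-off price."""
    return [c for c in find_recurring_charges(page_text)
            if c["per_30_days"] > one_off_price]

# Constructed checkout text wrapped around the fine print quoted in the article.
CHECKOUT_TEXT = ("Your mystery box: 1.95 EUR today. Buy at member price and get "
                 "FREE access to the best prices in Europe with an account "
                 "top-up of 44.00 EUR/every 14 days. Skip or shop the top-up")

if __name__ == "__main__":
    print(review_checkout(1.95, CHECKOUT_TEXT))
```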

They often promise all the best products money can buy, but their offers are ridiculous. This one electronic store sold old cables, obsolete technologies, and other devices that could be bought for a fraction of the price from Chinese stores. 

It's also important to mention that the contact address mentioned in most of these hundreds of websites (Andrea Kalvou 13, 3085 Limassol) that are still up and running also appears in conjunction with a Cypryorecord in the International Consortium of Investigative Journalists (ICIJ) Offshore Leaks Database that is associated with the Paradise Papers leak. 

The subscription allure is too strong 

Criminals have been pumping funds into ads promoting impersonated content creators, using the same subscription model that now seems to be the driving revenue stream of these scams.  

Scammers often change the impersonated brands, and they've begun expanding past the existing mystery boxes. They are now trying to sell low-quality products or imitation articles, fake investments, supplements, and much more.  

We have observed several techniques used to evade automatic detection: 

  • Multiple versions of the ad, with only one being malicious, while the others display random product images. 
  • Uploading images directly from Google Drive (so they can be replaced later). 
  • Using cropped images to alter visual patterns. 
  • Relying exclusively on images in ads, with no text in the description (text appears only in the image itself). 
  • Classic homoglyph techniques. 

Some of these account pages are created from scratch with names generated by algorithms, while others are existing pages that have been hacked, taken over and renamed.    


 

These stores might not seem to have anything in common, but for the most part, they use the same design, the same themes, the same AI agents, and similar registration information, pointing to Cyprus.  

While it's difficult to make a direct connection between Mystery Box Scams and this swarm of websites, the fact that the payment screens for some Mystery Boxes have links to Cyprus-registered subscription-based shops is suspicious, to say the least, especially when these scams share the same subscription idea. 

 Conclusion 

While many of these frauds are seemingly linked to the same operators, a lot of other scammers have also figured out that subscription is the new normal.

With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we're bound to see these kinds of fraud inundate the online world. 

IOC:


Author


Răzvan GOSA

As part of Bitdefender’s Android team, Razvan’s focus is malware threat research, but he also likes to mingle with statistics and machine learning. In his free time he's either hiking or gaming.

Silviu STAHIE

Silviu is a seasoned writer who's been following the technology world for more than two decades, covering topics ranging from software to hardware and everything in between.
