Sophisticated Multi-Stage Wildberries Phishing Campaign: Advance-Fee Fraud and Payment Card Theft #774

Merged: 6 commits into Phishing-Database:master from patch-2, Mar 6, 2025


@DavidOsipov DavidOsipov commented Mar 6, 2025

Description:

This PR addresses a highly sophisticated, multi-stage phishing campaign impersonating the Russian e-commerce company Wildberries (wildberries.ru). The attack employs a complex chain of redirects, fake interfaces, social engineering, and ultimately, an advance-fee fraud scheme combined with potential payment card data theft. The campaign leverages the telegra.ph platform for initial link obfuscation and a series of professionally designed fake websites to deceive victims. Crucially, the initial redirect in the chain exhibits anti-detection behavior, serving different content based on the presence of standard browser User-Agent and Referer headers.

Attack Flow:

  1. Initial Contact (Email): The attack begins with a phishing email from <[email protected]>, promising a Wildberries prize (118,950 rubles). Subject: "(ИЗВЕЩЕНИЕ: #98_1060) ..." ("NOTIFICATION: #98_1060").

  2. Telegram Lure (telegra.ph): The email link leads to a telegra.ph page:

    • https://telegra.ph/ZHmi-na-ssylku-i-zabiraj-svoj-priz3-02-20?1187077dvuJm3PLiVbn10004279qeisdJpatTy9P1026801FoEhaeYgK3Cri26317J7L43HTCokwEd10006810
    • This bypasses email security and presents a simple call to action.
  3. Initial Redirection Chain: Clicking the link on the telegra.ph page initiates a series of redirects to evade detection:

    • 302 Redirect: http://o90456b1.beget.tech/rdk/go.php?sid=3
    • 301 Redirect: http://s925077a.bget.ru/wilber
    • 200 Response (JS Redirect): http://s925077a.bget.ru/wilber/
    • 307 Redirect: https://gdpnbloj.top/public/3669103524425720
    • 200 Response: https://cfekohm.k6q6ng67in0z.click/?partner_id=103524 (First Phishing Page)
    • Without Standard Browser Headers: The initial request to http://o90456b1.beget.tech/rdk/go.php?sid=3 redirects to a legitimate Google search results page, or is Forbidden (403). This is an anti-detection/evasion technique.
  4. Fake Wildberries Prize Page (Name Input): The victim lands on a fake Wildberries page (cfekohm.k6q6ng67in0z.click) and is asked to enter their name.

  5. Rigged Prize Selection: The user is presented with a "choose a gift box" game, which is always successful, leading to a "win" of a significant sum (e.g., 250,540 rubles).

  6. Fake Operator Chat (Social Engineering): A fake chat interface appears, featuring a supposed "operator" named Elena Semenova. This chat is pre-scripted and designed to build trust and guide the victim. It includes fake messages from other "winners" to enhance believability.

  7. Fake Consent and Further Redirection: The victim is prompted to "consent" to receive the prize, leading to another redirect (likely within the cfekohm.k6q6ng67in0z.click domain).

  8. Payment Card Data Theft Attempt: The next page requests the victim's full card number, disguised as a necessary step to receive the winnings. This page includes deceptive reassurances about security.

  9. Advance-Fee Fraud (Mandatory Fee): After entering a card number (or if a valid test card number is rejected), the victim is informed of a "mandatory fee" (пошлина, "duty") required by Russian law (falsely citing article 217 of the Tax Code). This is the core of the scam.

  10. Fake Payment Gateway (gdpnbloj.top): The victim is redirected to gdpnbloj.top, which impersonates a legitimate "СБП" (System for Fast Payments) gateway. It offers options to pay via card or SBP.

  11. Fake SBP Interface: The SBP option leads to a fake bank transfer page, providing a specific account number and the fee amount (including a commission). This is where the money is stolen.

Phishing Domains/URLs/IPs to Block:

  • 0k-prizes.icepalace-smolensk.ru (Email sender)
  • https://telegra.ph/ZHmi-na-ssylku-i-zabiraj-svoj-priz3-02-20?1187077dvuJm3PLiVbn10004279qeisdJpatTy9P1026801FoEhaeYgK3Cri26317J7L43HTCokwEd10006810 (Telegram lure)
  • o90456b1.beget.tech
  • s925077a.bget.ru
  • gdpnbloj.top (Fake payment gateway and other stages)
  • cfekohm.k6q6ng67in0z.click (Initial phishing page and intermediary steps)

Impersonated Domain:

  • https://www.wildberries.ru/
  • СБП (System for Fast Payments) - This is a real Russian payment system, and the attackers are impersonating its interface.

Key Characteristics:

  • Advance-Fee Fraud: The primary goal is to trick victims into paying a fake "fee."
  • Payment Card Data Theft: The campaign attempts to steal full card numbers.
  • Multi-Stage Deception: The attack uses numerous stages, fake interfaces, and social engineering to build trust and lower the victim's defenses.
  • Sophisticated Redirects: Uses multiple redirect types, domains, and conditional redirection based on User-Agent and Referer headers to evade detection.
  • telegra.ph Abuse: Used for initial link obfuscation.
  • Fake Chat/Social Proof: The pre-scripted chat with a fake operator and messages from other "winners" is a key element of the social engineering.
  • Impersonation of Legitimate Brands: Wildberries and the Russian SBP payment system are impersonated.
  • Exploitation of Trust and Greed: The lure of a large prize and the seemingly official "mandatory fee" exploit common psychological vulnerabilities.

Added domains and URLs to the blocklist:

*   icepalace-smolensk.ru
*   https://telegra.ph/ZHmi-na-ssylku-i-zabiraj-svoj-priz3-02-20?1187077dvuJm3PLiVbn10004279qeisdJpatTy9P1026801FoEhaeYgK3Cri26317J7L43HTCokwEd10006810 (Initial Telegram link)
*   o90456b1.beget.tech
*   s925077a.bget.ru
*   gdpnbloj.top
*   k6q6ng67in0z.click

Screenshots and videos

  1-4. Screenshots of the phishing flow (images not reproduced here)
  5. Bandicam 2025-03-06 14-35-15-4222.webm (screen recording)
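Added here as a worked example (not code from the PR or from the Phishing-Database project): a hop-by-hop redirect tracer that records each status code, extracts the client-side redirects (JavaScript location assignment and meta refresh) that automatic HTTP followers miss, fetches the chain twice, once with browser User-Agent/Referer headers and once without, and flags the divergence the PR describes at the first hop. It also matches every hop against the PR's blocklist by domain suffix, which is why listing k6q6ng67in0z.click covers cfekohm.k6q6ng67in0z.click. The fetcher is a constructed in-memory replay of the hops listed above; the Google search URL, the page bodies and the User-Agent string are stand-ins, and nothing is fetched from the network.

```python
"""Trace a redirect chain hop by hop, compare the path seen with and without
browser headers (cloaking check), and match each hop against a blocklist.

Added example for this PR, not Phishing-Database code. `replay_server` is a
constructed in-memory stand-in for the hops listed in the PR; no network
requests are made.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Headers a real browser sends; the PR reports the first hop keys on their presence.
# The User-Agent string is a stand-in, not one observed in the campaign.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/135.0",
    "Referer": "https://telegra.ph/",
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


Fetcher = Callable[[str, Dict[str, str]], Response]

# Client-side redirects an HTTP-only follower would miss: location assignment,
# location.replace(...) and <meta http-equiv="refresh" content="N; url=...">.
JS_REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.replace\(\s*['"]([^'"]+)['"]"""
    r"""|content\s*=\s*['"]\d+\s*;\s*url=([^'"]+)['"]""",
    re.IGNORECASE,
)


def next_hop(url: str, resp: Response) -> Optional[str]:
    """Return the URL the response sends the client to, or None if it is final."""
    if resp.status in (301, 302, 303, 307, 308) and "Location" in resp.headers:
        return urljoin(url, resp.headers["Location"])  # relative Location is legal
    if resp.status == 200:
        m = JS_REDIRECT_RE.search(resp.body)
        if m:
            return urljoin(url, next(g for g in m.groups() if g))
    return None


def trace(url: str, fetch: Fetcher, headers: Dict[str, str],
          max_hops: int = 10) -> List[Tuple[str, int]]:
    """Follow one hop at a time so every intermediate URL and status is recorded."""
    chain: List[Tuple[str, int]] = []
    seen = set()
    current: Optional[str] = url
    while current and current not in seen and len(chain) < max_hops:
        seen.add(current)  # loop guard: redirect cycles terminate
        resp = fetch(current, headers)
        chain.append((current, resp.status))
        current = next_hop(current, resp)
    return chain


def is_blocked(url: str, blocklist: List[str]) -> bool:
    """Match the listed domain itself or any subdomain of it (the PR lists
    k6q6ng67in0z.click so that cfekohm.k6q6ng67in0z.click is covered)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


def analyse(url: str, fetch: Fetcher, blocklist: List[str]) -> dict:
    """Trace with and without browser headers; a differing path means cloaking."""
    browser = trace(url, fetch, BROWSER_HEADERS)
    bare = trace(url, fetch, {})
    return {
        "browser": browser,
        "bare": bare,
        "cloaked": browser != bare,
        "blocked_hops": [u for u, _ in browser if is_blocked(u, blocklist)],
    }


def replay_server(url: str, headers: Dict[str, str]) -> Response:
    """Constructed replay of the hops the PR observed; bodies and the Google URL are stand-ins."""
    if url == "http://o90456b1.beget.tech/rdk/go.php?sid=3":
        if "User-Agent" not in headers or "Referer" not in headers:
            # PR: requests without browser headers are sent to Google (or get a 403).
            return Response(302, {"Location": "https://www.google.com/search?q=wildberries"})
        return Response(302, {"Location": "http://s925077a.bget.ru/wilber"})
    if url == "http://s925077a.bget.ru/wilber":
        return Response(301, {"Location": "/wilber/"})
    if url == "http://s925077a.bget.ru/wilber/":
        return Response(200, body='<script>window.location.href='
                                  '"https://gdpnbloj.top/public/3669103524425720";</script>')
    if url == "https://gdpnbloj.top/public/3669103524425720":
        return Response(307, {"Location": "https://cfekohm.k6q6ng67in0z.click/?partner_id=103524"})
    return Response(200, body="<html>stand-in final page</html>")


BLOCKLIST = ["icepalace-smolensk.ru", "o90456b1.beget.tech", "s925077a.bget.ru",
             "gdpnbloj.top", "k6q6ng67in0z.click"]
ENTRY_URL = "http://o90456b1.beget.tech/rdk/go.php?sid=3"

if __name__ == "__main__":
    result = analyse(ENTRY_URL, replay_server, BLOCKLIST)
    for label in ("browser", "bare"):
        print(f"--- with {label} headers ---")
        for hop_url, status in result[label]:
            flag = "  [blocked]" if is_blocked(hop_url, BLOCKLIST) else ""
            print(f"{status} {hop_url}{flag}")
    print("cloaking detected:", result["cloaked"])
```

To run this against a live chain, replace `replay_server` with a fetcher that performs one request and does not follow redirects itself (otherwise the intermediate hops and the header-dependent first hop are lost), and do so only from a disposable VM or sandbox, as the PR author did. The suffix match in `is_blocked` is deliberately plain: it does not consult the public suffix list, so a list entry like `click` would block an entire TLD.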

Added a phishing domain: "o90456b1.beget.tech". Telegram hijack

Signed-off-by: David Osipov <[email protected]>
Signed-off-by: David Osipov <[email protected]>
Signed-off-by: David Osipov <[email protected]>
@DavidOsipov DavidOsipov requested a review from spirillen March 6, 2025 09:32
@DavidOsipov DavidOsipov marked this pull request as ready for review March 6, 2025 09:32
@DavidOsipov DavidOsipov self-assigned this Mar 6, 2025
it's better to block the domains themselves, not their subdomains

Signed-off-by: David Osipov <[email protected]>
@DavidOsipov (Member Author)

I've refined my PR to block not just the subdomains, but the domains themselves.

@DavidOsipov DavidOsipov changed the title Update add-domain and add-link Update add-domain and add-link to reflect sophisticated redirect scheme Mar 6, 2025
@DavidOsipov DavidOsipov changed the title Update add-domain and add-link to reflect sophisticated redirect scheme Multi-Stage Wildberries Phishing Campaign using Telegram and Complex Redirects Mar 6, 2025
@DavidOsipov (Member Author) commented Mar 6, 2025

Upd. Improved my text with AI to make it much clearer than my gibberish text.

@DavidOsipov DavidOsipov changed the title Multi-Stage Wildberries Phishing Campaign using Telegram and Complex Redirects Sophisticated Multi-Stage Wildberries Phishing Campaign: Advance-Fee Fraud and Payment Card Theft Mar 6, 2025
@spirillen (Contributor)

> Upd. Improved my text with AI to make it much clearer than my gibberish text.

And here I was to give you A++++++ for that report... Now you only get A+

Fine piece of work @DavidOsipov, and very detailed about the flow; screenshots and the video = 100 points, hoping it is a virtual machine you used. Keep up this good style.

Merging.

@spirillen spirillen merged commit 6ba548d into Phishing-Database:master Mar 6, 2025
1 check failed
@DavidOsipov DavidOsipov deleted the patch-2 branch March 7, 2025 04:38
@DavidOsipov (Member Author)

@spirillen thank you for the kind words! Yep, I used Sandboxie, because all the automated tools were useless :)

@spirillen (Contributor)

You're welcome, you've earned it
