Phishing and no chemistry

By virtue of my work, I often encounter various manifestations of online fraud and, of course, phishing resources.



When it comes to phishing sites, the first thing that comes to mind are various schemes designed to steal passwords and other information of interest to intruders. But the vectors of phishing resources are very diverse. Therefore, the definition of phishing, given, say, on Wikipedia, does not fully reveal its essence.

')

Here, for example, twin sites, created not to steal data, but to mislead counterparties. Why not phishing? The interest of fraudsters in the creation of such sites has not been falling for 10 years. It is necessary to make a reservation here that this is not about sites like “selling construction materials cheaply, money in advance,” but about sites that are duplicates of actual enterprises.



Here are these:











In the first picture, the original site of the chemical enterprise, in the second - its clone. This example is not chosen by chance. Firstly, this clone has already attracted the attention of various researchers, and secondly, it is surprisingly tenacious. The domain name TOAZ.PW was registered back in November last year.



Let's take a closer look at this site and see how this fraudulent scheme works. The first thing that catches your eye is fonts. Apparently, they were lost somewhere in the process of copying the site by the grabber. But otherwise, the resource looks quite authentic, except that the news on it has not been updated since October 2018.



The most interesting begins in the "Contacts" section. Phones listed on the page have no relation to this enterprise. But we will return to the phones. They will serve as the main clue.



We look further. Email addresses are also different from those listed on this resource. Especially touching in this light looks like a fraud warning copied from the company's website. The attackers carefully replaced the address of the “line of trust” with their own, leaving the text almost unchanged.







The next item is price lists. On the original site they are in PDF format. In the same format, they migrated to the fake site, while losing the real phone numbers and email addresses. It is striking that the fraudsters have not even taken care of the choice of fonts. And so it will come down ...







Taking into account the fact that only contact data has undergone changes, it can be assumed that the twin site was created to deceive potential counterparties of the enterprise.



In general terms, the scheme of deception looks like this:

1. We create a website counterpart of a respected company
2. We send letters on behalf of the company to potential customers
3. We attract even more potential customers
4. We receive an advance payment for the delivery of products
5. ???????
6. PROFIT

Money is usually transferred to the accounts of one-day firms, but this is a completely different story, which, however, can be covered in a separate article.

The fraud scheme itself is as old as the world, but it still remains quite effective. With only one reservation. One twin site is not enough. The lifetime of phishing resources is short-lived (TOAZ.PW has been on the network for half a year already - an exception to the rule), which means that scammers need to constantly create new sites.



And they are quickly located. Analysis of Whois data, e-mail addresses and telephones allows to get two more twins of the desired site: toaoz.ru and toaoz.com. One of them is already dead (but the web archive remembers everything), on the second it seems that CSS has fallen off.

Interestingly, despite the mailing addresses of the format ***@toaz.pw, the attackers actually use the mail servers Mail.Ru and Yandex. It is more comfortable.



We dig further. At the same IP with the site toaoz.com hang not less interesting resources:

• uralechem.com
• min-udo.org
• agrocenter-eurochem.info

The last two at the time of this writing are no longer available, but the first - a clone of the site of the company "Uralhim" is still alive.



Further search allows you to get a dozen more domain names used to create clone sites of the chemical industry.



It would take too long to paint the entire search process, so we’ll give a simplified diagram of the interrelationships of phishing resources.







Not all resources are indicated on the diagram, moreover, personal data are intentionally hidden in it, as well as phone numbers and names of some sites that are not directly related to the criminal scheme.



Some of the illuminated phones pop up in search engines in connection with various services for anonymously receiving SMS confirmations.



A cursory analysis of resources suggests that this scheme is rooted in fraudsters who created clone sites of the EuroChem concern several years ago.



Online you can find reviews of entrepreneurs who have been victims of such sites. Many of them are quite determined, intending to defend their truth and their money in court. But they hardly understand that they will have to sue not with an unscrupulous supplier, but with a one-day firm whose assets tend to zero. In the registers of legal entities you can find a lot of such "LLC", in respect of which the enforcement proceedings are open.

Only here to take with them absolutely nothing. Money has long moved to the pocket of the organizers of this business.



Fraudsters are not limited to Russia. Many phishing sites have English versions, and in foreign forums they are actively discussing “throwing from Russia”.



Some resources even make lists of organizations that are not worth dealing with. Among them there are especially many companies in the oil and gas industry, which is understandable - the direction is very monetary. In these lists you can find including the addresses of sites that have become heroes of our today's selection .



The reasons for the popularity of this scheme quite a lot. Unlike fraudsters who profit from individuals, deception jur. individuals bears much greater benefit, allowing attackers to receive millions of rubles for several transactions.



In addition, this deception is not revealed immediately. Disruption of supply is not such a rare occurrence in business, so fraudsters try to stretch their time as long as possible, coming up with various explanations for the delays. This time they use for marking traces and withdrawing funds. When the victim finally realizes that she has been deceived, the time to investigate the crime “without delay” turns out to be hopelessly missed.







There is another reason for the success of this criminal business. Creating clones of sites of large enterprises, fraudsters do not cause them direct damage. To a certain extent, only their reputation suffers, and even that is very indirect.



Therefore, industrial giants are extremely reluctant to deal with such phishing resources. The third party to deal with them is even more difficult. After all, if a company whose website was copied by cybercriminals can use various legal levers of influence, for example, demand to stop brand misuse, then phishing victims have no choice but to prove that the site is owned by fraudsters and used for illegal purposes. And here they are faced with a number of difficulties, because the fact of fraud, or rather intent, still needs to be proved. And any lawyer knows that frauds are among the most complex crimes in terms of collecting evidence, especially when it comes to the relationship of legal entities.



What is left to do? For customers, be more careful in checking counterparties and not transferring money to the account of another Vector LLC. And industrial companies do not disregard the problem, but track the appearance of clones of their resources and take the necessary measures in a timely manner. Moreover, all the necessary tools for this are available nowadays. The question is only in the desire of the organization to take care of the safety of its potential customers.