After the terrorist attack at Crocus City Hall, fraudulent mailings intensified

After the terrorist attack at Crocus City Hall on March 22, malicious activity on the Internet increased, both simply from scammers and from provocateurs. Cybersecurity specialists and Crocus representatives are talking about fake donations to help victims and restore the concert hall, including from fakes from legal charities and individuals. At the same time, criminals, on the contrary, send out fake offers of payments for illegal actions, even a terrorist attack, based on the amounts named by the accused. Experts consider these actions “attempts at informational and psychological manipulation of citizens.”

FACCT (formerly Group-IB in Russia) told Kommersant that they were observing “malicious activity” related to the terrorist attack on March 22 on the network (in particular, on Telegram and VKontakte). In particular, “fake groups and channels” created on March 23 dedicated to collecting funds to help victims were discovered (“Kommersant got acquainted with several groups”).

Organizers of the resources claim that they can support victims and their families by providing a card or bank account number for the transfer. In some cases, attackers write that the funds will be used to restore the concert hall.

Crocus City Hall itself addressed citizens with a warning about scammers. Representatives of the site reported on Telegram on March 24 that in case of calls or messages from supposedly employees of Crocus City Hall, there is no need to “perform any transactions, fill out documents, transfer money.”

“Fraudsters come up with convincing stories, and also impersonate a real person or organization, replacing details in a copy of an official message, for example, a charitable foundation,” says FACCT. “To avoid getting caught, it is at least important to check the details in communities with data from official sources.” VK assured that they block all communities “that conduct collections without confirmed financial reports.” Telegram did not respond to Kommersant.

By March 25, scammers using phishing had also spread to the English-language segment of the Internet: FACCT specialists discovered sites masquerading as the British edition of The Guardian, where users were invited to donate money to Russian citizens affected by the tragedy.

Crypto wallets are offered for transfers (WalletConnect, MetaMask, etc.). The sites are distributed on pages.dev, a technical domain owned by Cloudflare, experts say.

At the same time, MegaFon says that they have not noticed a sharp increase in telephone fraud. In general, according to the operator, on March 22, the surge in voice traffic in Moscow was 40% week on week; the company also observed a doubling of activity in Telegram. MTS confirms that in the Moscow region on March 22 from 20:00 to 00:00 compared to the same period on March 15, voice traffic increased by 40%, data transmission by 5%. Tele2 also talks about traffic growth. VimpelCom declined to comment. Roskomnadzor did not respond to Kommersant’s request.

OSINT (Open Source Intelligence) specialists are paying attention to another area of ​​fraud, aimed at an alternative audience.

“Unknown people write to users, offering to earn money by performing a number of actions, including assistance in organizing a terrorist attack for 500–700 thousand rubles. (according to the video published by the security forces, one of the terrorists said during the investigative actions that he was supposed to receive 500 thousand rubles),” says T.Hunter. Such messages are sent to Telegram, WhatsApp and Viber.

“To register the accounts that we studied, virtual telephony (automatic telephone exchanges) was used.— “Kommersant”),” says Igor Bederov, head of the investigation department at T.Hunter. Based on the widespread nature and uniformity of approaches, he suggests that these are “attempts at informational and psychological manipulation of citizens.”

“While we are seeing appeals to high school students and students, mailings have been geographically recorded in large cities: Moscow, Moscow Region, St. Petersburg, Kazan, as well as in the Tula and Smolensk regions,” clarifies Mr. Bederov. This is partly a provocation of panic, partly a diversion of the attention of security forces. At the same time, the expert warns that real recruitment events are now being observed on social networks and Telegram: “They are distinguished by the absence of direct appeal, messages are distributed in chats.”

“Socially significant reasons are usually dealt with by attackers instantly, and the duration of activity depends on a number of factors,” Informzashita clarifies. “Among them are the actions of law enforcement agencies, the awareness and vigilance of users.” The company warns that “corporate risks also arise” if misinformation is spread on behalf of companies or a real charitable foundation: “Deceived citizens can subsequently sue the company, accusing them of theft, because they will have no other “feedback” after the incident “

Tatiana Isakova