Cybersecurity researchers have uncovered two key service-provider categories that supply online criminal networks with the tools, infrastructure, and automation needed to power the rapidly growing pig butchering-as-a-service (PBaaS) economy.
In Southeast Asia, criminal organizations operating in Chinese have created large amounts of that type of operation there over the past ten years. They usually do their business out of special economic zones set up for the purpose of running fraudulent investment and impersonation scams. INTERPOL has identified this type of business as human trafficking-based human fraud at an industrial scale, for this type of business requires many third-party service providers to support it.
Typically, people are attracted to these businesses by the promise of a job that pays a large salary, but when they arrive in the country, they have their passports taken from them and are told that they will have to work for these businesses under the threat of violence.
PBaaS: Scams as an Off-the-Shelf Product
One of the main drivers behind pig butchering scams is the rise of PBaaS providers, who sell turnkey solutions that eliminate the need for technical expertise or physical infrastructure.
“Large scam compounds such as the Golden Triangle Economic Zone are now using ready-made applications and templates from PBaaS providers,” Infoblox said in a report published last week.
What once required skilled developers and costly infrastructure can now be purchased as a complete service package, including fake identities, front companies, mobile apps, payment processing, and victim management platforms.
Penguin Account Store: A Crimeware Marketplace
The Penguin Account Store is one of the major players in the Crimeware ecosystem. They have been identified as one of the main actors in the Crimeware ecosystem as well.
The Penguin Account Store operates as a Crimeware as a Service (CaaS) company and sell the following items:
1. Pre-registered Social Media Accounts
2. Scam Templates / Fraud Kits
3. Stolen Identity Datasets (‘shè gōng kù’)
4. Bulk purchased SIM Cards, 4G / 5G routers
5. IMSI Catchers and Stolen Photo Sets to impersonate
Accounts such as Twitter, Tinder, Facebook, Instagram, YouTube, Netflix, Apple Music, Spotify, and even ChatGPT can be purchased for as little as $0.10, depending on the age and authenticity of the account.
The credentials are likely sourced from information-stealer logs that are sold on Underground Markets. It is currently unknown if Penguin Account Store operates these stealer accounts directly or is acting only as a broker.
Automated Scams with AI and CRM Platforms
Penguin has developed an SCRM (Social CRM) for building a social media-centric CRM solution for scam companies. Scam companies can use this platform to connect with victims via the social media channels and to communicate with them at scale.
Additionally, Penguin promotes BCD Pay as an anonymous peer-to-peer payment service associated with Bochuang Guarantee that has historical ties to illegal online gambling and cryptocurrency laundering.
Another important support service for PBaaS is a CRM (customer relationship management) and agent management software solution. Several vendors, including UWORK, offer pre-built website templates for scam websites, agent dashboards, and content management tools specifically designed for use in investment fraud.
These platforms allow administrators to:
1. Centralized victim/agent management
2. Profitability tracking
3. Assigning specific victims to specific scammers
4. Reviewing chat/email records
Many scam websites are integrated into legitimate trading platforms like MetaTrader, showing current market pricing to create the appearance of legitimacy, while victims may have to provide identity documents using fake "KYC" panels to lend additional credibility.
Mobile Apps, Fake Regulators, and Low Costs
PBaaS suppliers also distribute malicious Android and iOS apps, often bypassing app store controls by using testing programs or disguising trading apps as harmless news applications. Some apps only reveal scam functionality after a secret password is entered.
The cost of entry is shockingly low:
1. Scam website templates with hosting: ~$50
2. Full scam packages (website, VPS, mobile app, fake trading platform, shell company, and fake regulatory registration): starting around $2,500
“PBaaS provides the mechanisms to scale an operation with relatively little effort and cost,” researchers noted.
Parked Domains and Traffic Laundering
There is little doubt that most park domain redirects to scam/malware websites. Infoblox discovered that 90% of parked domains are actually redirected users to scams. Typical parked domain traffic servers gather information on the user's and visitor's location with an IP geo-location lookup, device fingerprinting, browser cookies and so forth. The parked domain traffic servers will usually redirect the residential user to a malicious or otherwise harmful website while displaying a benign or innocent page to either academic/associate researchers, or VPN users trying to bypass corporate/network restrictions.
A Growing Criminal Shadow Economy
Combined with a far-reaching array of PBaaS platforms and the growing trend of criminal enterprises outsourcing their fraud-related activities through social networking, "AitM" phishing frameworks, like EvilGinx, and the dizzying proliferation of gambling/malware ecosystems, this trend illustrates the evolution of the cybercrime economy from a single-tiered monolithic structure to a multi-tiered globalized service-driven economy where "criminal syndicates" operate with the same level of agility and efficiency as Silicon Valley start-up companies, but operate in many cases as insulated from direct law enforcement intervention as those start-ups will become.
Source: The Hacker News