TL;DR
In a joint community investigation led by us, we located a phishing network out of North Africa (mostly Morocco, Tunisia, and Algeria) that uses a hacking program to create fake websites which look like social media sites and take control of people's Instagram accounts. During the investigation, we found a Facebook page that promotes the hacking program and hosts open discussions among hackers and scammers.
Lately, many Israelis, mostly influencers, have fallen victim to various scams. The hackers take control of the victims' Instagram accounts by creating websites that look like Facebook and ask the victims to log in with their username and password. The hackers immediately log into the victim's Instagram account using the login details the victim provided and change the password to lock the owner out. They get people onto the fake Facebook site by sending text messages claiming that 'someone is posting your photos here' and attaching a link to the site.
After taking control of the account, they demand a ransom (usually in cryptocurrency) in exchange for its return, or use it as a platform to spread further phishing links.
The WebintMaster community set out to investigate these scams. The community members who assisted were Ilya Ginzburg, Ron Boldor, and Amitay Dan.
The link used to lure in victims is:
https://zeroquiz[.]com/?url=Ly8vbW9iaWxlL2xvZ2luLz9pPSZhbXA7aT1ZR000SA==&Qsoqn
It takes you to a page similar to the Facebook login page.
The domain's main site zeroquiz[.]com is inactive, but it presents an 'unavailable' page similar to Facebook's. This strengthens the belief that the entire site is part of the scam and is not merely being abused by hackers without the owner's knowledge. It also makes the hackers look more credible in the eyes of their victims.
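The `url` parameter of the lure link is base64-encoded, and decoding it is the first thing an analyst does when triaging such a message. The helper below is an added example (not code from the investigation or the write-up); it refangs the defanged URL, decodes the parameter, and flags whether it resolves to a login-look-alike path. The `LOGIN_HINTS` keyword list is an assumption of this example.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Path fragments that a credential-phishing redirect typically decodes to (assumed list).
LOGIN_HINTS = ("login", "signin", "checkpoint", "recover")

def refang(url: str) -> str:
    """Turn a defanged URL (zeroquiz[.]com, hxxp://) back into a parsable one."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def decode_b64_param(value: str) -> Optional[str]:
    """Decode a base64 query value, tolerating stripped padding and the URL-safe alphabet.
    parse_qs turns '+' into a space, so restore it before decoding. Returns None on failure."""
    raw = value.strip().replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(raw).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return None

def analyze_lure(url: str, param: str = "url") -> dict:
    """Report what the encoded redirect parameter of a lure URL actually points at."""
    parsed = urlparse(refang(url))
    values = parse_qs(parsed.query, keep_blank_values=True).get(param)
    result = {"host": parsed.hostname, "encoded": None, "decoded": None, "login_like": False}
    if not values:
        return result
    result["encoded"] = values[0]
    decoded = decode_b64_param(values[0])
    result["decoded"] = decoded
    if decoded is not None:
        result["login_like"] = any(hint in decoded.lower() for hint in LOGIN_HINTS)
    return result

# The lure link quoted in the investigation, defanged as in the write-up.
LURE = "https://zeroquiz[.]com/?url=Ly8vbW9iaWxlL2xvZ2luLz9pPSZhbXA7aT1ZR000SA==&Qsoqn"

if __name__ == "__main__":
    print(analyze_lure(LURE))
```

The decoded parameter is a mobile Facebook-style login path, which is why the landing page mimics the Facebook login form.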
Visible Layer Research – Social Media
We searched for the domain and found a Facebook page called Zero Quiz, which was last active in November 2020. The page promotes a website by the same name (offering Facebook surveys).
Using the Wayback Machine, we saw that the website has not been active since 2018, and even then displayed an 'error page'. In September 2017 the site displayed some sort of unclear search engine, and only in June 2017 was there actual content. So the Facebook post from 2020 was promoting an inactive website.
Additionally, on the 'about' page they state that the page is a news source for technology, games, apps, and electronics, and they link to a different website, https://tiqnianews.blogspot.com, which looks like a tech news site but hasn't been active since 2016.
Checking the page's history, we found that the page was created in 2015 under the name مدونة هتلر للمعلوميات (Hitler's Informatics Blog, according to Google Translate). A few months later the name changed to Telescope Informatics Blogs (translated from Arabic), and in 2016 the name changed to Technology News (translated from Arabic; it matches the technology news site mentioned above, which was also active in 2016). Finally, in November 2020 the name changed to Zero Quiz (and the page posted matching content).
In addition to linking to a news site, they also posted an email address, tiqnianews@gmail.com. We searched for the email in Google databases and found that it is active and belongs to one Anas Ba***ki. We also found that the only review on the Facebook page, from 2017, is by Anas Ba***ki, and Anas's Facebook profile recommends the page. From his profile we can see that he is a young pro-Palestinian man from Morocco. We checked the technology news site again and found, at the bottom of the page, an app that helps Moroccan students study for tests (which strengthens the Moroccan connection).
What Happens Behind The Scenes
When registering a new domain you need to submit some identifying information. That said, in recent years, with the rise of GDPR and attention to privacy, many registrars and services offer a way to hide that information so that outsiders cannot identify the domain's owner. Luckily, it is sometimes possible to access historical records of the domain and identify its past owners. In our case, we found that zeroquiz[.]com is currently registered in Iceland with hidden owner information. However, we were able to find that historically the domain was registered in Panama and the United States, and was originally registered in Algeria by a man named Farraj Hadad, using the email qui***x@gmail.com (which appears to be inactive).
Now that we had leads pointing to Morocco and Algeria, and could see that this case goes deeper, we decided to widen the investigation to find more related sites and people.
Many website owners use services like Google Analytics to measure user activity and collect statistics about their site. Usually a website owner has a single Google Analytics account even if they own multiple websites, so the same tracking ID appears on all of them. By checking the Google Analytics ID used on zeroquiz[.]com, we were able to track down more websites that are most likely owned by the same person as zeroquiz[.]com. None of these sites are currently active, but in the past they offered tools that allegedly let you find out who visited your profile (a popular trend from the past that was not based on any actual technology and was used for phishing).
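The pivot described above works because the tracker ID is embedded in each page's HTML. The code below is an added example (not the investigation's own tooling) that pulls common tracker identifiers out of saved page sources and groups domains sharing one. The regex formats are the publicly documented ID shapes; the domain names and IDs in `SAMPLE_PAGES` are constructed placeholders, not values from the investigation.

```python
import re
from collections import defaultdict

# Shapes of the most common embedded tracker identifiers.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "tag_manager": re.compile(r"\bGTM-[A-Z0-9]{4,8}\b"),
    "adsense": re.compile(r"\bpub-\d{16}\b"),
}

def extract_tracker_ids(html: str) -> dict:
    """Return {kind: sorted ids} for every tracker identifier found in a page's HTML."""
    found = {}
    for kind, pattern in TRACKER_PATTERNS.items():
        ids = sorted(set(pattern.findall(html)))
        if ids:
            found[kind] = ids
    return found

def pivot_by_tracker(pages: dict) -> dict:
    """Group domains that embed the same tracker ID: {tracker_id: [domains]}.
    Only IDs shared by at least two domains are returned, since those are the pivots."""
    groups = defaultdict(set)
    for domain, html in pages.items():
        for ids in extract_tracker_ids(html).values():
            for tracker_id in ids:
                groups[tracker_id].add(domain)
    return {tid: sorted(domains) for tid, domains in groups.items() if len(domains) > 1}

# Constructed sample snapshots (placeholder domains and IDs, not from the investigation).
SAMPLE_PAGES = {
    "quiz-a.example": "<script>ga('create','UA-00000001-1','auto');</script>",
    "quiz-b.example": "<script>ga('create', 'UA-00000001-1', 'auto');</script>",
    "quiz-c.example": "<script src='https://www.googletagmanager.com/gtag/js?id=G-AAAAAAAAAA'></script>",
    "unrelated.example": "<script>ga('create','UA-99999999-2','auto');</script>",
}

if __name__ == "__main__":
    print(pivot_by_tracker(SAMPLE_PAGES))
```

Feed it HTML fetched from archive snapshots when the live sites are down, as they were here.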
We checked the historical registration data of the new domains we found and arrived at more possible leads (all from Tunisia or Algeria):
- Bornquiz.com – registered in Algeria in 2016 under the name App M***s and the email address appm***s.com@gmail.com (8 more sites are registered under that name and email, all quiz related).
- Profilos.com – registered in Tunisia in 2014 using the email ia***e@live.com.
- Buzzbip.com – registered in Tunisia in 2016 under the name Ameen Ha***ia and the email address ameen.ha***ia@gmail.com (one more site is registered under the same name and email, likely quiz related).
- Buizzo.com – registered in Algeria in 2017 under the name Tih***ti Mohamed La**ne and the email address gii***e@gmail.com (9 more sites are registered under that name and email, all related to social media).
The last website we found, myprofilevisitors.com, has no visible historical registration data, but Facebook does not allow it to be posted because it has been used for phishing.
Looking back at what we found, this scam appears to have a wide infrastructure, most likely based in North Africa (Morocco, Algeria, and Tunisia). The operators own dozens of quiz and social media websites, and it is possible they were all used for phishing.
The Technological Aspect
Finally, we tried to understand the technological infrastructure on which the fake Facebook login page is built (in our previous investigation into the criminals behind the Israeli post scam, we found many clues left behind in the technical infrastructure). We looked at the page's source code and found that after the victim enters their details (username and password), they are sent to https://myshraidar[.]net/new_login.php. This site cannot be accessed because it is blocked by the internet service provider as a suspected phishing or other cyber threat.
Searching for the URL on Google led us to a Facebook page with a similar name, ShraiDar, which has an Algerian address (although its 'Page Transparency' section states that the owners are from Morocco) and promotes a program called MyShraidar that creates fake pages resembling popular websites, to be used for phishing. The discussions and promotions on the page are open for all to see, and commenters share the difficulties they run into when phishing and hacking with the program. The page's owner posts updates about new download links for the program (which often get blocked) and other news.
The page has over 10,000 followers, and the conversation is more like that of darknet forums and cybercrime communities than that of a Facebook page. The number of followers and commenters, and the easy-to-use program for phishing and hacking, indicate the large scale of such scams.
Additionally, they have a Telegram group where people sell or share 'victims' with one another in exchange for various things. Tutorial videos for this program, as well as for other phishing and hacking programs, are available on Vimeo and YouTube.
In one of the explanatory videos, it can be seen that the ZeroQuiz domain is actually one of the two sites under which the fake sites can be built directly from within the system.
From another screenshot, we learn that the fake sites are usually offered in four languages: English, Arabic, French, and Hebrew, which reinforces the concern that the crooks are, among other things, deliberately targeting Israelis.
Monitoring the page and researching the commenters can help solve other scams and locate suspects for law enforcement.
If you’ve encountered a suspicious message and are not sure if it’s legitimate or not, send us a message at master@webintmaster.com and we will do our best to help.