My Close Call with a Carousell Smishing Scam This Christmas
8 min read

My Close Call with a Carousell Smishing Scam This Christmas

My Close Call with a Carousell Smishing Scam This Christmas
Cybercriminals on a carousel

Not even your friendly neighborhood cybersecurity analyst is immune to phishing and e-commerce scams. This Christmas season while using popular e-commerce and P2P selling platform Carousell I encountered a malicious fraud campaign targeting Hong Kong and Asia shoppers.

The Encounter

Christmas is the time of year people all around the world engage in e-commerce activity. We buy gifts for friends and loved ones or sell whatever we feel we might have outgrown. It all started when I listed an item for sale on Carousell. A potential buyer quickly showed interest, claiming they were disabled and wanted to purchase the item as a gift for their daughter. They seemed genuine and even offered their WhatsApp number, asking me to send pictures of the product.

Initial contact with fraudster on Carousell

At first, everything seemed normal. I sent the requested images, thinking it was just another routine transaction...

The Red Flags

However, things took a suspicious turn when the buyer sent me a link via a URL shortener. The link redirected to a domain with an irregular top-level domain: carousell-fps.easyfps.run. This was my first red flag.

Initial contact with fraudster on WhatsApp
Threat actor sending link over WhatsApp
Threat actor Smishing link masquerading as Carousell
Observe URLScan capture showing the Smishing link is the same as the fraudster provided link.

Upon clicking the link, I was taken to a page that displayed my product and the price the buyer claimed they would pay. The page even included a screenshot of my product as well as its listed price along with prefilled name and order number making it seem like a legitimate service.

Screenshot of the fraudulent site masquerading as Carousell

The Scam Unveiled

The final step was to confirm the transaction, which redirected me to a page listing multiple Hong Kong and Mainland China banking providers.

List of banking phishing forms

 Here, I was asked to provide my e-banking information. This was the moment I realized something was seriously wrong.

Citi phishing portal
CITI masquerading phishing portal
SC masquerading phishing portal
ICBC phishing portal
ICBC masquerading phishing portal
DBS masquerading phishing portal

Interacting with these domains showed that none of the buttons were interactive and more importantly they were not redirecting to their respective banking sites. All of the pages were hosted on the malicious domain (carousell-fps.easyfps.run).

To understand the scam better, I entered some dummy information to see where it would lead. 

Entered dummy credentials to test the phishing form
Analyzing the network traffic and observing credentials sent in plain text
Observe the site sending the credentials to VPS web server with default proxy port

The webpage made a request to:

  • Request URL: https://carousell-fps.easyfps[dot]run/api/submitLk
  • Request Method: POST
  • Status Code: 200 OK
  • Remote Address: 172.188.9.125:3128

What Happened

  • Request URL: This is the web address where your information was sent. In this case, it’s a part of a phishing scam pretending to be a legitimate service.
  • Request Method: POST: This means that data (in this case, the information you entered) was sent to the server. POST requests are commonly used when submitting forms on websites or interacting with Application Programming Interfaces (APIs).
  • Status Code: 200 OK: This indicates that the server successfully received and processed the request. In other words, the server got the information you entered without any issues.
  • Remote Address: This is the IP address of the server that received your data. It’s like the server’s “home address” on the internet with the specific port 3128 (default port for many proxy applications).

Implications

  • Data Capture: The fact that the server responded with “200 OK” means that it successfully captured the information entered. Even though I used dummy data, if it had been real, the scammers would now have access to it.
  • Phishing Success: This is a clear indication of how phishing scams work. They create fake websites that look real to trick people into entering sensitive information, like credit card details or e-banking credentials.

The Investigation

Curious about the extent of this scam, I tracked the campaign and discovered it had been active from June 3, 2024, to December 20, 2024. During this period, at least 85 submissions of these fraudulent websites were posted to URL scan alone. 

Mapping the Threat Actor’s Reach

As I delved deeper into the data, I noticed an interesting pattern. The geographical distribution of these phishing attempts reveals telling insights into our threat actor’s scope of operation.

Table showing count of URL submissions of fraudulent pages to URLScan

The data paints a clear picture of where this threat actor is most active:

  1. Hong Kong and Singapore: These two territories stand out as the primary targets, accounting for the majority of submissions.
  2. Mainland China: Following closely behind, indicating a significant presence in the region.
  3. Other Countries: Smaller but still notable submissions from various other nations.

This regional footprint likely arises from the threat actor’s strategy of targeting individuals on Carousell, reflecting the platform’s popularity in these areas. This is particularly concerning during the holiday season, a time when online scams are known to surge.

IOC’s, Key Patterns and Tactics

# | Malicious domain
1 | carosell[dot]bankfps[dot]shop
2 | carousel[dot]transwallet[dot]shop
3 | carousell[dot]asiafps[dot]shop
4 | carousell[dot]asia-fps[dot]shop
5 | carousell[dot]asiawallet[dot]shop
6 | carousell[dot]asia-wallet[dot]shop
7 | carousell[dot]bankfps[dot]shop
8 | carousell[dot]bank-hk[dot]shop
9 | carousell[dot]bank-verify[dot]shop
10 | carousell[dot]bank-wallet[dot]shop
11 | carousell[dot]byfps[dot]shop
12 | carousell[dot]choose-fps[dot]shop
13 | carousell[dot]fastfps[dot]world
14 | carousell[dot]fps-asia[dot]shop
15 | carousell[dot]fps-from[dot]shop
16 | carousell[dot]fpsget[dot]shop
17 | carousell[dot]fps-get[dot]shop
18 | carousell[dot]fpsprocessing[dot]shop
19 | carousell[dot]fpsquick[dot]shop
20 | carousell[dot]fps-recieve[dot]shop
21 | carousell[dot]fpssecure[dot]shop
22 | carousell[dot]fpstrade[dot]shop
23 | carousell[dot]fps-wallet[dot]club
24 | carousell[dot]get-fps[dot]shop
25 | carousell[dot]getfps[dot]world
26 | carousell[dot]moment-fps[dot]shop
27 | carousell[dot]payprocessign[dot]shop
28 | carousell[dot]paywithbank[dot]shop
29 | carousell[dot]recievefps[dot]shop
30 | carousell[dot]s-walet[dot]pro
31 | carousell[dot]s-walet[dot]shop
32 | carousell[dot]tradefps[dot]shop
33 | carousell[dot]trade-fps[dot]shop
34 | carousell[dot]trafferwallet[dot]shop
35 | carousell[dot]transfer-verify[dot]shop
36 | carousell[dot]transferwallet[dot]shop
37 | carousell[dot]transfer-wallet[dot]shop
38 | carousell[dot]trans-wallet[dot]shop
39 | carousell-fps[dot]easy-fps[dot]shop
40 | carousellorder[dot]easy-fps[dot]digital
41 | carousellorder[dot]fps-wallet[dot]com
42 | carousellorder[dot]fps-wallet[dot]life
43 | carousellorder[dot]fps-wallet[dot]live
44 | carousellorder[dot]momentfps[dot]digital
45 | carousellorder[dot]momentfps[dot]world
46 | carousellorder[dot]moment-fps[dot]world
47 | carousels[dot]fps-trade[dot]shop

As I delved deeper in my investigation of these scams, the naming conventions of the malicious domains stood out as a critical component of this and other previously encountered campaign strategies. These domains are crafted to mimic legitimate services, thereby luring unsuspecting victims into a false sense of security.

  1. Use of Target Brand Name(s): The domains predominantly incorporate “carousell,” a well-known e-commerce platform and likely victim platform of choice. This tactic is designed to deceive users into believing they are interacting with Carousell’s site, which is consistent throughout the fraudulent user experience where we see Carousell's brand and logos being used in the initial fraudulent order forms.
  2. Financial and Transactional Keywords: Words like “bank,” “wallet,” “transfer,” and “pay” are prevalent across these domains. 
  3. Technical Jargon and Abbreviations: The repeated use of “fps” (known to locals and residents of Hong Kong; the popular payment system “Faster Payment System” (FPS)). This is intended to mislead users into thinking they are interacting with a known and familiar service.
  4. Regional Indicators: Some domains include regional identifiers such as “asia” and “hk,” which may be intended to target users in specific geographic locations, aligning with the observed regional focus of the threat actor.

Lessons Learned

This experience served as a reminder to always remain vigilant when conducting online transactions. Here are a few tips to help others avoid falling victim to similar scams:

Think Before You Click: Never click or tap on links from unknown/ unverified sources. This simple yet powerful practice can be your first line of defense against cyber threats.

Verify URLs: Always check the URL for irregularities or unfamiliar domains.

Protect Personal Information: Never provide sensitive information unless you’re certain of the recipient’s legitimacy.

Always Use 2FA: By requiring a second form of verification, 2FA makes it significantly harder for unauthorized users to access your accounts, even if they have your password.

Be Skeptical: If something feels off, trust your instincts and investigate further.

Conclusion

As we dive into the holiday season, let’s stay informed and cautious. Scammers are becoming increasingly sophisticated, and it’s up to us to protect ourselves and others. Share this post to raise awareness and help prevent others from falling victim to these scams.

I have been tracking this and similar campaigns targeting Hong Kong, Dubai and Malaysia. The increased sophistication of these operations is a continuing trend. Seeing an operation involving pictures of my own advertised items hosted on malicious infrastructure to be used in phishing was truly surprising. Individuals and organisations must practice continued vigilance especially around seasonal holidays.

I was very pleasantly surprised to find that Carousell identified and removed the malicious actor from their platform on the same day I encountered and researched this campaign.

Cybercriminal’s account is suspended on Carousell

Stay safe and happy holidays!
Medium Post: https://medium.com/@binhashm/my-close-call-with-a-carousell-smishing-scam-this-christmas-39639b4988da

P.S:
If you are in HK and interested in a well used JUTHOLMEN IKEA sofa please get in touch!!