Scam websites impersonating WHO, taken down by UNICC and Group-IB.
Photo: WHO

Saving World Health Day: UNICC and Group-IB Take Down Scam Campaign Impersonating the World Health Organization

UNICC, together with Group-IB, a global threat hunting and adversary-centric cyber intelligence company that specialises in investigating high-tech cybercrimes, detected and took down a massive multistage scam campaign circulating online on April 7, World Health Day. Scammers created a distributed network of 134 rogue websites impersonating the World Health Organization (WHO) on its health awareness day, encouraging users to take a fake survey with a promise of funds in return. The scheme targeted millions of users around the world with the goal of tricking them into visiting fraudulent third-party websites.

Group-IB's Digital Risk Protection Team detected the campaign and reached out to UNICC's Common Secure team, its trusted contact for cyber threat intelligence matters within the UN, to ensure that the relevant contacts at WHO were aware of it.

Group-IB Digital Risk Protection Team performed the takedown of all the scam domains. Group-IB researchers established that one scammer collective, codenamed DarkPath Scammers, is likely to be behind the campaign. The investigation is underway.

Cyber-hygiene for the Sustainable Development Goals

UNICC works with the World Health Organization and many other UN Agencies to deliver on their mandates, represented by the Sustainable Development Goals, a collection of 17 interlinked global goals designed to be a blueprint to achieve a better and more sustainable future for all. Whether it’s health, eradication of poverty or hunger, rights for women and girls, actions to take on climate change, economic justice, sustainable cities and communities, or for peace and justice around the world, UNICC provides digital business solutions, including a threat intelligence network for over 30 UN Agencies and international organizations.

After they warned us, we knew Group-IB was the team to deal with this World Health Day scam. They have the expertise and tools to get the job of takedown done, in short order.

Bojan Simetic, Information Security Specialist, UNICC 

We are excited to cooperate with UNICC in the detection and elimination of scams deceiving people into thinking they are dealing with legitimate websites. 

Dmitry Tyunkin, Head of Group-IB Digital Risk Protection Team

Detecting the scam

On April 7, Group-IB alerted UNICC about a fake website impersonating WHO branding, where users were encouraged to answer a few simple questions to earn a 200 Euro reward on the occasion of World Health Day.

Once users had answered the questions, they were prompted to share a link with their WhatsApp contacts; this is how the scammers ensured the viral distribution of their multistage scheme. Group-IB researchers found that users were also shown several fake Facebook comments about gifts that commenters had supposedly received. When users hit the Share button, they unknowingly drew their friends into the scam by forwarding the link, and instead of the promised reward they were redirected to third-party fraudulent resources offering participation in another lucky draw.

By this stage of the scam, WHO is no longer mentioned: users would land on a hookup website, inadvertently install a browser extension, or subscribe to paid services. In the worst case, users would end up on a malicious or phishing website.

In addition to the multistage nature of the scam, which makes it harder to detect, victims saw customised content depending on their geolocation, user agent and language settings. For example, the currency of the reward changed with the user's location.

What the scam looked like

Group-IB's Digital Risk Protection team discovered that this was not a one-off, short-lived website impersonating the WHO brand but a distributed scam infrastructure: a network of 134 almost-identical, connected domains hosting web pages exploiting the World Health Day theme. Within 48 hours of discovery, Group-IB had blocked all the rogue domains.

Screenshot from the Group-IB Digital Risk Protection Platform showing the network of 134 rogue websites impersonating the World Health Organization, taken down with UNICC. Credit: Group-IB

Further investigation found that the 134 domains identified and blocked by Group-IB are part of a larger scam network attributed to a single scammer collective.

Group-IB researchers discovered connections between the 134 blocked websites involved in the WHO scam and at least 500 other scam and phishing resources impersonating more than 50 well-known international brands in the food, sportswear, e-commerce, software, automotive and energy industries. Analysis of the websites revealed that the cybercriminals used scam kits, the scam counterpart of phishing kits: sets of tools for creating and designing scam pages. One scam kit allows impersonating multiple brands at a time using the same template. Notably, after the takedown by UNICC and Group-IB, the scammers stopped using WHO branding across their whole network.

Brands impersonated by DarkPath Scammers, the collective involved in the WHO scam taken down by Group-IB and UNICC. Breakdown by industry. Credit: Group-IB

Scam syndicate 

During the infrastructure analysis, Group-IB researchers examined the domains and other digital indicators and concluded that the whole network is likely maintained and controlled by a scammer collective codenamed DarkPath Scammers. Most of the domains serving phishing and scam content sit behind CDNs (content delivery networks) to hide the IP addresses of the real servers. Using Group-IB's proprietary graph analysis system, researchers analysed dozens of SSL certificates, SSH keys and DNS records, tracked down the malicious infrastructure, unveiled the IP addresses of the real servers where the phishing content was stored, and connected the domains into one distributed scam network. The scammers use the same infrastructure configuration, with its own traits and misconfigurations, across all their servers. Group-IB continues to monitor the scammers' activity.
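The pivoting idea behind that graph analysis, as an added example (not Group-IB's platform or the DarkPath dataset): domains are linked whenever they share an infrastructure indicator, and transitive links form one cluster. All domain names and indicator values below are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample observations (placeholder values, not real indicators):
# domain -> indicators seen on it (TLS cert fingerprint, SSH host-key
# fingerprint, origin IP found behind the CDN).
OBSERVATIONS = {
    "who-healthday-prize.example": {"cert:aaa111", "ssh:k1", "ip:203.0.113.10"},
    "worldhealth-gift.example":    {"cert:aaa111", "ssh:k1", "ip:203.0.113.10"},
    "sportswear-survey.example":   {"cert:bbb222", "ssh:k1", "ip:203.0.113.11"},
    "grocery-lucky-draw.example":  {"cert:bbb222", "ssh:k2", "ip:203.0.113.12"},
    "unrelated-shop.example":      {"cert:ccc333", "ssh:k9", "ip:198.51.100.5"},
}


def cluster_by_shared_indicators(observations):
    """Group domains that are linked, directly or transitively, by any shared
    indicator. Returns clusters as sets, largest first."""
    parent = {d: d for d in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Invert the mapping so each indicator lists the domains exhibiting it.
    seen_on = defaultdict(list)
    for domain, indicators in observations.items():
        for indicator in indicators:
            seen_on[indicator].append(domain)

    # Every indicator shared by two or more domains becomes a graph edge.
    for domains in seen_on.values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(set)
    for domain in observations:
        clusters[find(domain)].add(domain)
    return sorted(clusters.values(), key=lambda s: (-len(s), min(s)))


def shared_indicators(observations, a, b):
    """Indicators present on both domains: the evidence behind a link."""
    return observations[a] & observations[b]
```

With the sample data, the four scam domains fall into one cluster even though no single indicator is common to all of them, while the unrelated shop stays alone.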

Most of the scam websites controlled by DarkPath Scammers remain active at the moment and keep targeting millions of users around the world. The scammers advertise their resources using email blasts, paid ads and social media. According to Group-IB estimates, the scammers' whole network attracts around 200,000 users daily from the US, India, Russia and other locations.

Dmitry Tyunkin, Head of Group-IB Digital Risk Protection team in Amsterdam, noted that “many brands, however, still underestimate the impact of such scams on their businesses and customers. Most organizational approaches to eliminating brand abuse online seem a lot like tilting at windmills. They miss this continuous trend toward the use of multistage scams and distributed infrastructure. Scammers use smart, advanced technologies. They are successful due to the lack of comprehensive digital asset monitoring by brand owners.”

Organizations should carry out continuous online monitoring to promptly detect any illicit use of their brands. Many institutions monitor only individual brand infringements, such as phishing pages and domains, but overlook other elements of the fraudulent infrastructure. To see the full picture of brand violations, companies should use Group-IB Digital Risk Protection solutions, which promptly eliminate brand infringements online on a pre-trial basis, without additional investment or lengthy litigation.

To avoid falling prey to this scheme, online users should carefully check the website they are interacting with. It is never redundant to check that the link you are about to click matches the domain of the organization's official website, since fraudsters often register domain names mimicking official ones. Staying suspicious of any website on which you plan to enter your data is a habit that everyone who wants to keep their money safe must develop.
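The domain check recommended above, written out as an added example (not UNICC's or Group-IB's code); the official domain is passed in as a parameter, and the URLs in the comments are constructed. It compares the host of the link against the official domain rather than looking for the brand name anywhere in the URL, which is exactly what lookalike domains exploit.

```python
from urllib.parse import urlsplit


def link_belongs_to(url, official_domain):
    """Return (ok, reason). ok is True only when the link's host is
    official_domain itself or a subdomain of it (assumes the organization
    controls its own subdomains)."""
    official = official_domain.lower().rstrip(".")
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    # .hostname is already lowercased; drop a trailing dot (FQDN form).
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # "https://who.int@evil.example/" displays the brand but connects
        # to evil.example: the part before '@' is userinfo, not the host.
        return False, f"credentials before host hide the real host {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can render as homoglyphs of the real brand name.
        return False, f"internationalized (punycode) label in {host!r}"
    if host == official or host.endswith("." + official):
        return True, f"host {host!r} is within {official!r}"
    # Covers lookalikes such as who-int.example or who.int.example.com:
    # the brand appears in the name, but the registrable domain differs.
    return False, f"host {host!r} is not {official!r}"


if __name__ == "__main__":
    for candidate in ("https://www.who.int/campaigns/world-health-day",
                      "https://who.int.example.com/survey",
                      "https://who-int.example/",
                      "https://who.int@evil.example/"):
        print(candidate, "->", link_belongs_to(candidate, "who.int"))
```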

Photo: UNICC/Thomsen

UNICC Presents Azure and M365 Services at Microsoft’s UN Tech Huddle in New York

UNICC attended and presented at the UN Tech Huddle event organized by Microsoft’s Tech for Social Impact (TSI) team at the Microsoft Technology Centre in New York on Wednesday 13 November. The goal of this day-long event was to bring together ICT experts from different UN Agencies and Microsoft leaders to share the latest cloud solutions for common challenges.

Paolo Valenza, Chief of Cloud Services, and Gabriel Galati, Head of the Azure and M365 Services unit, presented UNICC's Microsoft Cloud services to many of our UN Clients and other non-profit organisations. They highlighted UNICC's role in providing managed cloud services, offering support for solutions that reside in the cloud.

Cloud services are building blocks at the base of many other UNICC services.

Paolo Valenza, Chief, Cloud Services

An example of a Data and Analytics service built on an Azure cloud foundation is the Data Lake that ICC developed for OCHA, a centralized repository that stores the organization's raw unstructured data from diverse sources in a properly secured and managed way.

Nitesh Kudva, Information Security Specialist; Leiming Yao, Information Security Specialist; and Mikiann McIntosh, Intern in the Information Security team, also attended the event. Other Agencies present included ICAO, PAHO, UNDP, UNFPA, UN OICT, and UN Women.

During the day, Microsoft shared the latest on its comprehensive solutions and best practices. Other agenda topics discussed during the session were the UN's digital transformation and cloud adoption, Terraform on Azure and the Power Apps platform.

Our Azure Management Services provides a controlled and secure back-end for solutions that we develop on top.

Gabriel Galati, Head, Azure and M365 Services Unit

Microsoft runs UN Tech Huddles on a quarterly basis in Geneva and New York with the goal of sharing knowledge and expanding the impact of UN organizations. UNICC also attended the UN Tech Huddle in Geneva in October, where Gabriel Galati and Shashank Rai, Chief Technology Officer, presented the implementation of OCHA's Data Lake.

Photo: UNICC/Thomsen

Photo: UNICC

UNICC Presents at UN Tech Huddle at Microsoft Geneva

Prado Nieto, Chief, Business Relationship Management; Gabriel Galati, Head, Azure and M365 Services Unit; and Shashank Rai, Chief Technology Officer, UNICC, attended the first UN Tech Huddle at Microsoft Geneva on 7 October.

Gabriel presented UNICC's Microsoft Azure and M365 services, and Shashank presented the Data Lake implementation UNICC delivered for OCHA.

Some of the agenda topics were as follows:

  • Azure announcements and new solution areas – James Pearse (Senior Cloud Architect, TSI)
  • Modern Workplace Updates – Clint Conlin (MS Modern Workplace, TSI)
  • Cloud adoption framework – James Complin (MS Sr. Cloud Architect)
  • Cloud transformation and modernization through Microsoft CSE – Anaig Marechal (Cloud engineer, CSE)
  • UN System Digital Transformation Update – Alex Pinho (MS UN Lead, TSI).

The following was presented by MS partners:

  • Terraform on Azure – Tim Arenz (Senior solutions engineer, Hashicorp)
  • Cloud Security In Azure & O365 – Paul Keely (Born in the cloud).

Microsoft will run UN Tech Huddles on a quarterly basis in Geneva and New York focusing on Microsoft Cloud solutions, partner offerings and ISV solution areas. The next Tech Huddle will be scheduled early next year.