Classiscam Operators Use Automated Malicious Sites to Steal Financial Data

Classiscam, an automated scam-as-a-service operation, has been identified as a significant threat in Central Asia, leveraging sophisticated techniques to defraud users of online marketplaces and e-commerce platforms.

This fraudulent scheme, highlighted in the High-Tech Crime Trends Report 2025, utilizes Telegram bots to generate fake websites that mimic legitimate services, effectively deceiving victims into sharing their financial details.

Anatomy of the Scam

The Classiscam operation typically begins with fraudsters posing as interested buyers on online marketplaces.

They initiate contact with legitimate sellers and persuade them to continue communications on Telegram, moving the conversation to a less secure environment.

Once on Telegram, the scammers introduce a fake delivery service, complete with a phishing website that closely resembles reputable logistics platforms.

These phishing sites are designed to collect sensitive information such as login credentials, banking card numbers, and other financial data.

The fraudsters often provide fake proof of payment or delivery invoices to build trust and convince sellers to proceed with the transaction.

Unaware of the deception, many sellers unknowingly provide their financial information, resulting in unauthorized transactions and theft.

Technical Infrastructure and Methodology

The technical sophistication of Classiscam is evident in its use of Telegram bots for generating phishing links.

One such group, known as Namangun Team, offers a wide range of options for creating fake pages targeting specific countries and services.

The bot provides ready-made phishing links that are distributed across social networks.

Analysis of the phishing sites reveals several key functionalities:

1. Fake login forms designed to harvest usernames and passwords.
2. IP address tracking for user session monitoring.
3. Image upload mechanisms to collect additional documents or photos.
4. Repeated AJAX calls simulating customer support interactions.

The scammers also employ API services, such as the “Falcon” API, which allows for the connection of custom servers or Telegram bots to generate fake websites.

According to the Report, this infrastructure enables the rapid creation and deployment of convincing phishing pages across multiple domains.

As online platforms continue to gain popularity in developing countries, particularly in Central Asia, the threat posed by Classiscam and similar operations is likely to grow.

Users and businesses alike must remain vigilant and adopt robust security practices to protect themselves from these increasingly sophisticated and automated scams.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.