Cybersecurity researchers at Bitdefender have identified a significant uptick in subscription-based scams, characterized by an unprecedented level of sophistication and scale.
These fraudulent operations, involving over 200 meticulously crafted websites, are designed to deceive users into divulging sensitive credit card information through recurring payment schemes.
Unlike traditional phishing attempts with obvious red flags, these scams leverage high-quality web design and targeted advertising to appear legitimate, exploiting user trust at critical moments like the payment stage.
The websites, often linked to a single address in Cyprus, hint at the involvement of an offshore entity orchestrating this massive campaign across diverse product categories, including clothing, electronics, and beauty products.
A key component of this scam network is the evolution of the “mystery box” fraud, a deceptive tactic promising surprise items for a nominal fee, now enhanced with hidden subscription models disclosed in fine print.
These scams have proliferated on social media platforms like Facebook, where cybercriminals deploy sponsored ads, impersonate content creators, and create near-identical pages to legitimate brands to lure victims.

Evolving Mystery Box Scams and Social Media Exploitation
Beyond mystery boxes, the fraud extends to low-quality or imitation goods, fake investments, and supplements, all tied to subscription traps that appear as enticing discount programs offering store credits and VIP tiers.

Bitdefender’s investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges of up to 44 EUR every 14 days.
To evade detection, scammers employ techniques such as multiple ad versions (with only one being malicious), Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent.
The connection between these scams and a Cyprus-registered address, noted in the Paradise Papers leak via the International Consortium of Investigative Journalists’ Offshore Leaks Database, raises suspicions of a coordinated operation.
Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States.
The use of AI-generated content and shared design templates across these websites further indicates a centralized effort to maximize victim reach while minimizing operational overhead.
As subscription-based fraud becomes the new norm for cybercriminals, the infusion of significant funds into advertising and brand impersonation signals a troubling trend.
Users are urged to exercise heightened vigilance, scrutinize payment terms for hidden subscriptions, and verify the authenticity of online stores before sharing financial data.
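
The homoglyph tactic mentioned above can be screened for on the defender's side by flagging words that mix scripts or that fold to a watched term once look-alike letters are mapped back to Latin. The following is an added example, not code from Bitdefender or the original article; the confusables table is a small constructed subset, and the watchlist and sample text are hypothetical.

```python
import re
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
# Production code should load the full Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}

# Constructed ad copy: "box" hides a Cyrillic o, "pay" is written fully in
# Cyrillic look-alikes, and the last word is ordinary Russian text.
SAMPLE_AD = ("Mystery b\u043ex for 2 EUR, \u0440\u0430\u0443 once. "
             "\u041f\u0440\u0438\u0432\u0435\u0442")

def script_of(ch):
    """Coarse script label from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def skeleton(token):
    """Fold known look-alikes to Latin so the token can be compared to a watchlist."""
    folded = unicodedata.normalize("NFKC", token).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def find_homoglyph_tokens(text, watchlist=()):
    """Flag tokens that mix scripts, or that only match the watchlist after folding."""
    findings = []
    for token in re.findall(r"\w+", text):
        scripts = {s for s in map(script_of, token) if s}
        folded = skeleton(token)
        mixed = len(scripts) > 1
        disguised = folded != token.lower() and folded in watchlist
        if mixed or disguised:
            findings.append({"token": token, "skeleton": folded,
                             "scripts": sorted(scripts)})
    return findings

if __name__ == "__main__":
    # Hypothetical watchlist of terms a reviewer cares about in ad copy.
    for hit in find_homoglyph_tokens(SAMPLE_AD, watchlist={"box", "pay"}):
        print(hit)
```

Ordinary single-script text, such as the Russian word at the end of the sample, is not flagged because it neither mixes scripts nor folds to a watched term.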

Indicators of Compromise (IOC)

| Domain/IP Address | Description |
|---|---|
| bestsoundclub[.]com | Suspected scam website |
| egadgets[.]club | Suspected scam website |
| betrendy[.]site | Suspected scam website |
| allbuysport[.]com | Suspected scam website |
| 185[.]142[.]236[.]187 | Associated IP address |