Webwyrm Scam Unleashes Worldwide Havoc: Over $100 Million Extorted

Elaborate Spoofing Campaign Targeting Thousands of Victims

In a startling revelation, a far-reaching spoofing campaign known as Webwyrm has come to light, having already extorted more than $100 million from its victims. Researchers from cybersecurity firm CloudSEK have uncovered this elaborate scheme, which involves the impersonation of more than a thousand companies, impacting over 100,000 individuals in over 50 countries.

The threat actors orchestrating this campaign have showcased their high level of skill by creating over 6,000 counterfeit websites that impersonate well-known brands. Furthermore, they have deployed hundreds of WhatsApp and Telegram handles to ensnare unsuspecting victims.

Dubbed “Webwyrm,” this campaign is believed to have been in operation since late 2022. However, it gained significant momentum early this year as the threat actors refined their tactics.

The range of impersonated brands spans more than 10 industries, with the threat actors enticing victims with counterfeit job offers via social media, particularly on the encrypted messaging service WhatsApp. CloudSEK’s report suggests that the threat actors might be using data from recruitment portals to tailor their schemes.

The fake job offers typically promise salaries averaging between $1,200 and $1,500, along with commissions based on the amount of “work” the victim completes. The job involves accomplishing 2-3 sets of tasks each day, with 40 tasks per set.

Once the victim completes a task, the money is withdrawn from their account and then redeposited, along with the promised commission. The funds are deposited into cryptocurrency exchange platforms and converted into USDT, a stablecoin pegged to the US dollar.

Victims are instructed to create accounts on counterfeit websites impersonating well-known brands. Some tasks even come in combos, requiring a double investment from the victim, and must be completed in succession, or the victim cannot withdraw their pay.

However, the elusive “streak” never reaches completion, compelling victims to invest more in a futile attempt to finalize it. Eventually, the threat actors lock victims out of their accounts. To maintain the façade and keep deceiving victims, the threat actors direct them to group chats where other “workers” boast about their earnings.

The impersonated companies include various businesses, with a significant number based in the United States, along with firms from India, the United Kingdom, and Singapore.