WhatsApp Scammers




Introduction

I recently received my share of the calls and messages from foreign cell phone numbers that have been disturbing almost everyone who uses the WhatsApp application, especially in Turkey, in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up my sleeves to investigate and write about this to raise awareness.

This story started on July 31, 2023, when I received a text message from a mobile phone number (+60 11-6436 2947) with a Malaysian country code not registered in my contacts. In this message, the suspicious person said she was conducting market research to help increase tourism data in Turkey and that I could earn 180 TL by answering 3 simple questions.


When I looked at this person’s profile, I learned that she had been using the WhatsApp application since July 3, 2023. Also, when I searched the internet using the Visual Search feature of the Yandex search engine, I found that her profile photo had been used and shared on many different social media platforms.


After answering all the scammer’s questions, she gave me a reward code and told me to contact a person named Nilu BALPANÇ with the username Rsp_Nilu on Telegram to pay me. When I contacted this person, who, according to Telegram Desktop, uploaded her profile photo on July 30, 2023, she told me that the bank account number I had provided was incorrect. After corresponding for a while and realizing that what she wanted was an IBAN, not an account number, I gave her the information she was expecting, again incorrectly, at least in a way that she would not get an error. :)

Saying, “I defrauded the fraudster and got them to send money to my account,” or “I received the money from the fraudster and paid my electricity bill,” may mean that you are dealing with the money of an innocent citizen who has been defrauded, that is, with stolen money.

When an investigation is launched into these accounts, you may find yourself in the defendant’s seat, having to defend yourself against the question of whether you have a relationship with the fraudsters, so do not get involved in a financial relationship with fraudsters.

If the fraudsters transferred money to your account, contact your bank immediately.


When she shared that she had received an error with the account, a question immediately began to nag at the back of my mind. Did they send some money to their victims’ bank accounts to gain their trust? For this, when I inquired whether money was transferred to the IBAN I sent to the scammer, I learned that money was transferred!

After I told him I would not do the tasks without receiving the money and the corresponding bank statement, the scammer sent it to me and took me to a Telegram group called Part-Time Task Group, consisting of 64 people. He did not neglect to mention that I could earn 60 TL per task if I fulfilled the tasks shared daily in the group.


When I asked the fraudster if the money transfer was from X bank, he said a third party made the payments. This time a new question began to puzzle me. Were the fraudsters using the accounts of victims they had lured through other methods as a front for this fraud operation, or did they own these accounts?

I quickly set out to find answers to these and other questions nagging at the back of my mind.

  • How and where did they get our cell phone numbers?
  • How did they lure their victims?
  • Who owned the accounts used to transfer money?
  • From which country were they running this operation?
  • Did the fraudsters speak Turkish, or did they use translation tools?

  • How and where did they get our cell phone numbers?

    As in my article titled “Was Turkey’s e-Government Hacked?”, I do not think that, in recent years when our information has been passed from hand to hand in the underground world, threat actors and fraudsters went to the extra effort of hacking somewhere to access our cell phone information and leaking it from there.


    When I searched for a sample mobile phone number on the SOCRadar XTI platform, which monitors threat actors and fraudsters step by step in the cyber world and provides instant cyber threat intelligence to its customers, I was able to see that these mobile phone numbers were included in the data leak files shared in the underground world. It is even possible to complete missing information about a person from a mobile phone number that appears in multiple leak files.


    It is also important to remember that similar scams on WhatsApp are also carried out in other countries worldwide, so it would not be wrong to say that Turkish citizens are facing an international fraud network.


    How did they lure their victims?

    Shortly after joining a Telegram group called Part-Time Task Group, I found myself in an environment where tasks were being shared and screenshots and correspondence were pouring in, and I decided to watch what was going on in the group.

    After watching for a while, I noticed a discrepancy between the names, profile pictures, and language of the people in the group, including the administrators. When I searched a few profile pictures on the internet, as I did at the beginning of this article, I found that they belonged to entirely different people and were fake.


    I realized that most people in the group were actually bots because of the spelling mistakes in the Turkish messages sent to the group, and the Turkish speakers sometimes used Chinese and English sentences.


    The worst part was that the profile photos used by the bots appeared to be of innocent Turkish citizens.


    The tasks, which started at 09:00 Turkey time, were renewed every 20 minutes and lasted until 20:30, involving subscribing to YouTube channels shared by the group administrator and sharing screenshots on the group or with the group administrators. It was promised that those who made these posts could also earn money from this work. You were also expected to do a merchant task to earn more money and join private rooms. For this, it was stated that you had to deposit the minimum amount of 500 TL and that you could make 650 TL in return.


    Unfortunately, I did not have the chance to find out whether these YouTube channels shared during the mission were randomly selected by the scammers to convince the victims in the group, or whether they were channels of people who purchased services from these scammers to gain followers.

    It would be useful for those who buy followers to remember that they may be inadvertently financing such scammers.


    The bots that shared screenshots of their subscribers would also occasionally share bank statements of their earnings from their posts. When I looked at the bank statements, I could see that some of them were visibly manipulated. On the other hand, since I assumed that the scammers would not bother to change every single piece of information on the statements, I was immediately struck by the inconsistencies between the recipient/sender bank name and the bank code in the recipient/sender IBAN.
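The bank-name versus IBAN bank-code comparison described above can be automated. The following is an added example, not code from the original article: it validates the check digits of a Turkish IBAN and compares the five-digit bank code with the bank name printed on a statement. The `BANK_CODES` table is an illustrative subset, and `make_sample_iban` only builds constructed test data.

```python
import re

# Illustrative subset of Turkish bank codes (the five digits after the check
# digits). Assumption: load the full, current list from an official source.
BANK_CODES = {
    "00010": "Ziraat Bankasi",
    "00046": "Akbank",
    "00062": "Garanti BBVA",
    "00064": "Turkiye Is Bankasi",
}

def _mod97(iban: str) -> int:
    """ISO 13616: move the first 4 chars to the end, map A=10..Z=35, mod 97."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97

def make_sample_iban(bank_code: str, account: str) -> str:
    """Build a constructed TR IBAN with valid check digits (test data only)."""
    bban = bank_code + "0" + account.zfill(16)  # bank code, reserved digit, account
    check = 98 - _mod97("TR00" + bban)
    return f"TR{check:02d}{bban}"

def check_statement(iban: str, stated_bank: str) -> list[str]:
    """Return findings; an empty list means no inconsistency was detected."""
    iban = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"TR\d{24}", iban):
        return ["not a 26-character TR IBAN"]
    findings = []
    if _mod97(iban) != 1:
        findings.append("check digits fail mod-97 (number was mistyped or edited)")
    code = iban[4:9]
    bank = BANK_CODES.get(code)
    if bank is None:
        findings.append(f"bank code {code} not in local table")
    elif bank.casefold() != stated_bank.casefold():
        findings.append(f"IBAN belongs to {bank}, statement says {stated_bank}")
    return findings
```

A statement that passes both checks is not thereby genuine; the check only catches edits where the bank name was changed without recomputing the IBAN.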


    During the day, I saw scammers adding new victims to the group. Fortunately, those who realized the scam warned others and left the group immediately.


    A careful examination of the screenshots shared in the group led me to conclude from various clues that some of them were from virtual phone software (Android Emulator, etc.), while others could be real, perhaps hacked, phones because they contained GSM operator names and also ran other applications in the background.


    In some screenshots, I saw that they probably used a VPN to have an IP address from Turkey. I also noticed that the bots sometimes received an error from YouTube (Resource has been exhausted (e.g. check quota).). When I compared the subscriber counts of the YouTube accounts we were asked to subscribe to, during and after the start of the task, I saw that the number of subscribers increased by 2000. Based on this, I can say with a simple calculation that the scammers have an army of thousands of bots for this job.


    At 20:30, the so-called bots said goodnight to each other and the group fell silent until 09:00 the next morning. Again, various questions started to come to my mind. Why were they going to sleep at 20:30 when money transfers can be made 24/7 in Turkey thanks to FAST? Was it because it was late at night in the location of the fraudster/operator managing the bots, so he had adjusted his shift and the bots according to this time? I left finding answers to these questions for later and continued my research from where I left off.

    On August 4, 2023, I noticed that the Telegram group had been closed and contacted the scammer to ask him to let me back into the group. This time, when I entered the group, the list of group members was hidden. I watched the group for a while to learn the details of the scam attempt and after completing 4 tasks, I contacted the scammer to get me into a larger group and to deposit the money into my account.

    Of course, the scammer stated that I had to complete 4 merchant tasks (pay 500 TL and earn 650 TL model). When I asked where and how to make the payment, she said I could make it to her bank account. In order to prevent fraudsters from victimizing more of our citizens, I had to quickly learn these bank accounts and forward them to the authorities of those banks for monitoring and blocking. Without wasting time, I told the fraudster that I wanted to make a payment.


    After getting the first account information and informing the relevant bank official about it, I told the fraudster that my money transfer could not be completed and that there was a problem with their account. Then I tried to convince her to provide a second account’s information, and I succeeded. :)


    At the end of the day, I quickly shared the information of 5 different accounts used by fraudsters in 4 different banks with the authorities of these banks and we prevented more citizens from being victimized in a very short time. At this point, I would like to thank the banks whose names I cannot disclose and all the officials there for their quick actions.

    In light of all the information I obtained, the scam set up by the fraudsters can be summarized as follows:

  • They contact the victim using a foreign number on WhatsApp and take them to a Telegram group.
  • All of the correspondence and receipts shared by the bots in the Telegram group are an important part of the scam to impress and convince the victim.
  • At first, the scammers gain trust by sending 180 TL to the victim’s account and try to convince the victim to pay for more.
  • The scammers use accounts opened in more than one bank for money transfers.
  • By getting the victim to subscribe to 26 YouTube accounts shared in the Telegram group during the day, they are likely to make either main or side profits – kill two birds with one stone!

  • Who owned the accounts used to transfer money?

    As I received the misused account information from the fraudster one by one, different questions began to plague my mind again. When I searched the names and surnames of these account holders on the social network LinkedIn, I saw that, allowing for the possibility of name similarity, most of them either were university students or had been until recently. Were they young people in their 20s who knowingly and willingly cooperated with the fraudsters, or were they students who were exploited by fraudsters for the sake of earning income due to the difficult living conditions? Unfortunately, knowing that I would not have a chance to find an answer to this question, I continued to search for answers to other questions that puzzled me.

    From which country were they running this operation?

    Since I have seen in similar research of mine, such as Exposing Pig Butchering Scam, that scammers, whether local or foreign, mostly do not pay attention to Operations Security, I decided to try the same method to detect the IP address of this scammer.

    For this, I used Bitly URL shortening service to share the address of the fake screenshot I uploaded to my website and tried to obtain the IP address.

    At first, the scammer was hesitant to click on the link, but since there was revenue at stake and he didn’t know that I was on the other side of the keyboard, he decided to bite the bullet and clicked. When I searched the IP address I obtained from my website’s logs on SOCRadar IOC Radar, I found that the scammer was communicating with me through Thailand with the IP address 171.102.239.190.


    When I found out that there is a 4 hour difference between Thailand and Turkey, I understood why the bots say good night to each other at 20:30 Turkey time and 00:30 Thailand time :)

    Of course, from the records on my website, I not only learned about the scammer’s country of origin, but I also learned from 007scrm/4.58.8 in the User-Agent header that the scammer used an application called SCRM Windows to manage multiple social media accounts and communicate with his victims.
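The log review described above, as an added example that is not part of the original article: it pulls the requests for one file out of a web server access log, separates automated fetchers from interactive clients, and lists User-Agent product tokens that ordinary browsers do not send. Only the IP address and the `007scrm/4.58.8` token come from the article; the path, timestamps, the other addresses and `ExamplePreviewBot` are constructed.

```python
import re

# Constructed sample lines in combined log format (see the note above).
SAMPLE_LOG = '''\
171.102.239.190 - - [01/Jan/2023:10:00:05 +0300] "GET /img/receipt.png HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 007scrm/4.58.8"
198.51.100.7 - - [01/Jan/2023:10:00:02 +0300] "GET /img/receipt.png HTTP/1.1" 200 48211 "-" "ExamplePreviewBot/1.0"
203.0.113.25 - - [01/Jan/2023:10:03:40 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
PRODUCT_RE = re.compile(r'([A-Za-z0-9_.-]+)/(\d[\w.]*)')
# Product names that mainstream browsers put in their User-Agent.
COMMON = {"mozilla", "applewebkit", "chrome", "safari", "gecko", "firefox", "edg", "version"}
AUTOMATED_RE = re.compile(r"bot|crawler|spider|preview", re.I)

def unusual_tokens(ua: str) -> list[str]:
    """product/version tokens that are not part of a standard browser string."""
    return [f"{n}/{v}" for n, v in PRODUCT_RE.findall(ua) if n.lower() not in COMMON]

def hits_for(log_text: str, path: str) -> list[dict]:
    """Summarise every request for `path`; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != path:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "automated": bool(AUTOMATED_RE.search(m["ua"])),
            "extra_tokens": unusual_tokens(m["ua"]),
        })
    return hits
```

Link shorteners and messaging apps often fetch a URL themselves before any person opens it, which is why automated hits are separated out. The remaining address identifies a network exit point, which may be a VPN, so the geolocation is a lead to corroborate with other evidence such as the activity hours noted earlier.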


    Did the fraudsters speak Turkish or did they use translation tools?

    Looking at the screenshots, it was clear that both the bots in the group and the scammer/operator were using translation tools, but just to be sure, I decided to use Anatolian dialects and spelling mistakes that translation tools would fail on 100% of the time, but that those who know Turkish can understand. As you can see from the screenshot, translation programs fail against Anatolian dialects, so I was sure that they were using translation tools. :)


    Conclusion

    To protect yourself against fraud attempts, before answering calls and messages from unknown sources, always keep in mind that there might be a fraudster on the other end of the line or on the other end of the keyboard.

    By muting calls from unknown numbers in WhatsApp (Settings -> Privacy -> Calls -> Silence unknown callers), you can prevent them from bothering you for at least a while.


    If you can share this article with your spouse, friends, loved ones, and those around you in order to raise awareness against this fraud method, together we can prevent more citizens from being defrauded!

    Hope to see you in the following articles.

    3 comments
      1. Hi, just read your article, it is enlightening. It’s unfortunate but I saw this a little too late. I have been a victim. Is there any way of taking back the money that was stolen? I have lost all my money. Help.
