February 17, 2020

Doctor Web warns: cybercriminals have launched a large-scale phishing campaign under the guise of nonexistent presidential decree No. 1122B dated February 11, 2020 offering a one-off payment to all Russian citizens. Information is distributed throughout Instagram and supported by fake photos and videos based on news releases from federal television channels. Attackers use phishing websites to collect users’ bank card information and also require prepayment for registering the application to receive a lump-sum payment. More than 200 thousand people have watched Instagram advertising posts to date.

Doctor Web experts warn users about the launch of a large-scale phishing campaign on Instagram, based on messages about a one-off payment to all Russian citizens. Fraudsters provide information as extracts from news releases, using relevant fragments from real broadcasts. With that, the advertising video has additional frames showing someone using a phishing website and browsing its pages.

Posts are distributed using targeted advertising via fake accounts of federal TV channels: Channel One Russia, Russia-1 and Russia-24. All posts are accompanied by deliberately false comments from users who allegedly received the specified payment. A pre-created Facebook profile is used as the advertiser for the campaign.

At the moment we know about two phishing websites used by the attackers: https://news-post.*****.net/ and https://minekonovrazv.*****.net/. These websites have a valid digital signature and are presented as official resources of the Russian Ministry of Economic Development.

To verify the payment availability, victims are invited to enter their full name and date of birth. Upon doing so, the webpage generates a random amount, which usually exceeds 100,000 rubles. To receive the money victims have to pay a fee for registering the electronic application. The check-out page contains fields for entering your phone number, name and bank card information, including the CVC code. The fee does not exceed 300 rubles. After payment, users lose the registration fee and all entered data goes to the crooks.

The mentioned websites have already been added to Dr.Web’s dangerous and non-recommended website database, and no longer pose a threat to our customers.