SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Subscription & ‘mystery box’ scams surge with new tactics

Today

Bitdefender researchers have identified a marked increase in subscription-based and 'mystery box' frauds involving hundreds of deceptive yet highly convincing websites targeting online consumers.

According to Bitdefender, cybercriminals have adopted new strategies and technological sophistication, directing considerable resources into producing websites that closely resemble legitimate retailers to lure victims.

These fraudulent websites present a wide array of discounted goods, from clothing to electronics, ultimately deceiving consumers into ongoing subscription payments and divulging sensitive financial information.

The scale of the campaign has been underscored by the identification of more than 200 such sites, many of which remain active. Researchers noted that numerous sites are linked to a single postal address in Cyprus, suspected of being associated with an offshore entity.

The campaign also involves the creation of Facebook pages and paid advertisements to promote the so-called 'mystery box' scheme, which has become more intricate with the addition of nearly hidden recurring payments in the transaction process.

Bitdefender outlined key findings from its investigation, highlighting that these websites often trick individuals into committing to monthly subscriptions while willingly handing over their credit card data. The company stated, "With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we're bound to see these kind of frauds inundate the online world."

The 'mystery box' scam exploits the appeal of mystery packages, with offers that seem too good to be true.

Victims are typically required to pay a small fee to receive a box purportedly filled with high-value items. Bitdefender noted that whereas such tactics might seem improbable in a traditional retail context, they have proven effective online due to their extensive promotion and the anonymity afforded by the internet.

Researchers explained that there are multiple versions of the scam, including claims about boxes left at post offices, bags abandoned at airports, or clearance items from major retail centres. The methodology remains consistent, with the primary intent being the capture of personal and payment details from consumers.

An evolution in the scam has been observed. "Like most scams, these fraudulent schemes lower their allure as people get used to them, and fewer people fall victim."

"This drives criminals to devise new ways to obtain money or financial information," Bitdefender researchers stated. Initially, scammers introduced surveys to make their operations appear more legitimate. Now, recipients who proceed to payment also unknowingly agree to a subscription model, detailed in small print, which initiates recurring payments beyond the initial transaction.

The investigation also revealed the use of naillr[.]com for issuing 'loyalty membership cards', offering supposed discounts and perks as an incentive to maintain subscriptions. Ongoing analysis identified at least 140 different sites operating under similar fraudulent schemes, regularly changing their branding and featured products to evade detection.

One example of the misleading subscription model is fine print stating: "Buy at member price and get FREE access to the best prices in Europe with an account top-up of 44.00 EUR/every 14 days. Skip or shop the top-up." Victims are led to believe that the subscription will result in lower prices across the entire website, with various tiers available. Each store utilises distinct pricing and benefits, often complicating the process with store credits and recurring top-ups.
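A defender-side check for the fine-print pattern described above, as an added example (not Bitdefender's tooling and not code from the article): it scans checkout text for a money amount followed directly by a billing interval and reports what the charge adds up to over a year. The function names, regexes and the two constructed sample strings are assumptions; the first sample is the fine print quoted in the article.

```python
import re
from dataclasses import dataclass

SYMBOLS = {"€": "EUR", "$": "USD", "£": "GBP"}
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}  # month approximated as 30 days
ADVERB_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365, "annually": 365}

# "€29,95" or "44.00 EUR": symbol before the amount, or ISO code after it.
MONEY = re.compile(
    r"(?:(?P<sym>[€$£])\s?(?P<a1>\d+(?:[.,]\d{1,2})?)"
    r"|(?P<a2>\d+(?:[.,]\d{1,2})?)\s?(?P<code>EUR|USD|GBP))", re.I)
# Interval right after the amount, allowing "/" and up to two filler words ("billed").
INTERVAL = re.compile(
    r"\W{0,3}(?:\w+\s+){0,2}?"
    r"(?:(?:every|each|per)\s+(?:(?P<n>\d+)\s+)?(?P<unit>day|week|month|year)s?"
    r"|(?P<adv>daily|weekly|monthly|yearly|annually))\b", re.I)

@dataclass(frozen=True)
class RecurringCharge:
    amount: float
    currency: str
    every_days: int

    @property
    def per_year(self) -> float:
        return round(self.amount * 365 / self.every_days, 2)

def find_recurring_charges(text: str) -> list[RecurringCharge]:
    """Return every amount in `text` that is tied to a repeating interval."""
    hits = []
    for m in MONEY.finditer(text):
        tail = INTERVAL.match(text[m.end():m.end() + 60])
        if not tail:
            continue  # a one-off price, not a subscription term
        amount = float((m["a1"] or m["a2"]).replace(",", "."))
        currency = SYMBOLS.get(m["sym"], (m["code"] or "").upper())
        if tail["adv"]:
            days = ADVERB_DAYS[tail["adv"].lower()]
        else:
            days = int(tail["n"] or 1) * UNIT_DAYS[tail["unit"].lower()]
        hits.append(RecurringCharge(amount, currency, days))
    return hits

PAGE_FINE_PRINT = ("Buy at member price and get FREE access to the best prices in Europe "
                   "with an account top-up of 44.00 EUR/every 14 days. Skip or shop the top-up.")
ONE_OFF = "Pay only 2.00 EUR shipping for your mystery box."   # constructed sample
MONTHLY = "Membership: €29,95 billed monthly after trial."     # constructed sample

if __name__ == "__main__":
    for sample in (PAGE_FINE_PRINT, ONE_OFF, MONTHLY):
        print([(c, c.per_year) for c in find_recurring_charges(sample)])
```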

Despite promises of highly desirable products, Bitdefender found that items delivered, if any, tended to be outdated or low-value—such as obsolete electronics that could be bought for less elsewhere. Bitdefender's research also noted that the address used by many of the identified websites matches an entry in the International Consortium of Investigative Journalists Offshore Leaks Database, specifically associated with the Paradise Papers, adding another layer of suspicion.

The anonymity and complexity of these operations are enhanced through techniques designed to bypass automated detection systems. These include the use of multiple ad versions, image-based ads with no text, altered images, and classic homoglyph attacks. Accounts promoting the scams are often generated by algorithms or are hijacked through account takeovers and subsequently rebranded.

Although the connection between specific mystery box scams and the wider network of subscription fraud sites could not always be confirmed, the recurrence of Cyprus-registered businesses and similar subscription terms across operations raised concerns amongst researchers. Bitdefender emphasised, "While it's difficult to make a direct connection between Mystery Box Scams and this swarm of websites, the fact that the payment screen for some Mystery Boxes have links to Cyprus-registered subscription-based shops is suspicious, to say the least. Especially when these scams share the same subscription idea."

The research concluded with a warning that the model of subscription fraud is increasingly popular among cybercriminals.

"While many of these frauds are seemingly linked to the same operators, a lot of other scammers also figure out that subscription is the new normal. With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we're bound to see these kind of frauds inundate the online world."
