Cyber Crime

Authorities take down scam campaign impersonating the WHO

The group behind the campaign was one scammer collective, codenamed DarkPath Scammers, who had created a distributed network of 134 rogue websites impersonating the WHO.


A couple of days ago, authorities in the United States seized a fraud domain harvesting users’ data in the name of providing COVID-19 vaccines. Now, Group-IB and the United Nations International Computing Centre (UNICC) have shared details of another massive multistage scamming campaign that aimed at targeting users on World Health Day (on 7th April).

Exclusive: Scammers using fake WHO Bitcoin wallet to steal donation

The scammers had created fake websites impersonating the WHO branding to trick users into visiting fraudulent third-party websites. Visitors to the website were encouraged to answer a few simple questions to win a 200-euro prize on the occasion of World Health Day. 

Image: Group-IB

Group-IB researchers that the group behind the campaign was one scammer collective, codenamed DarkPath Scammers, who had created a distributed network of 134 rogue websites impersonating the World Health Organisation (WHO).

The scheme that they created was designed to target millions of users worldwide and achieved that goal with the multistage set-up that the scam had. Once the users answered the questions, they were prompted to share the link with their Whatsapp contacts.

This allowed the scheme to be distributed virally. After filling out all the questions, the users would be redirected to third-party fraudulent resources that offered to take part in another lucky draw. In worst-case scenarios, users would end up on a malicious or phishing website


What made the scam hard to detect was the fact that the victims were shown customized content based on their geolocation, user agent, and language settings. Group-IB’s DRP team discovered that this was not a one-off short-lived website impersonating the WHO but rather a sophisticated infrastructure that included a network of 134 almost identical domains. 

In a blog post, Group-IB researchers explained discovering connections between the blocked 134 websites involved in the WHO scam and at least 500 other scam and phishing resources impersonating more than 50 well-known international food, sportswear, e-commerce, software, automotive, and energy industry brands.

SEE: Fake LinkedIn job offers scam spreading More_eggs backdoor

The analysis of websites revealed that cybercriminals use scam kits. Like phishing kits, scam kits are sets of tools that help create and design scam pages.

Image: Group-IB

As shown in the screenshot above, the scammer collective, DarkPath Scammers, attracts around 200,000 users daily from the US, India, Russia, and other countries. 

To Top

Pin It on Pinterest

Share This