Hotline: ATM arson was forced via WhatsApp
The WhatsApp messenger played a key role in the surge of phone fraud and involvement of citizens in sabotage committed in Russia in December 2024. This was reported to Izvestia by cybersecurity experts. They note that preparations for the crimes have been underway for years: an appropriate infrastructure has even been created, allowing for traffic spoofing and other malicious schemes aimed at users. On how phone scammers recruit Russians and how you can protect yourself and your relatives from criminals - in the material "Izvestia".
Recruitment through messengers
December surge of sabotage, when people set fire to ATMs and set off firecrackers in the premises of various organizations, in many cases coordinated through the messenger WhatsApp (owned by Meta, whose activities are banned in Russia), told "Izvestia" head of investigations T.Hunter Igor Bederov.
A week ago, a wave of arson attacks on ATMs and police cars, explosions of pyrotechnics in post offices and shopping centers swept across Russia. As of December 22, there were already about 20 such cases across the country, but since then such situations have been regularly repeated. The "hooligans" were mostly citizens who succumbed to the psychological manipulations of fraudsters.
- WhatsApp remains the most widespread messenger in Russia, so the risks associated with it, such as planned sabotage and attempts to violate Russia's territorial integrity, are particularly dangerous," said Igor Bederov. - It is used to prepare sabotage actions, to throw firecrackers, and for other similar situations. This is also relevant in the case of the December surge of sabotage committed with the participation of Ukrainian security services. The attackers have long since deployed infrastructure on the territory of the Russian Federation.
According to the expert, in recent years, telephone criminals have begun to pass to foreign intelligence services information about those against whom they have committed fraud.
- For obvious reasons, such people remain a convenient option for further recruitment, blackmail, extortion and coercion to commit subversive acts on the territory of our country," said Igor Bederov.
However, he said, it is "extremely difficult" to assess the scale of such actions. Nevertheless, WhatsApp is dangerous because it transmits data both to foreign intelligence agencies and software developers for them, the expert reminded.
- In particular, in the first half of 2024, we have detected, identified and prevented 24 cases of sabotage at railway transportation facilities in St. Petersburg alone. Of course, these figures will vary dozens of times across the country," added Igor Bederov.
Criminals also use Telegram, he said. However, it is known that WhatsApp is actively used in various tracking programs: ECHO, Lavender, Locomotive and other international samples of spyware - spyware whose availability is extremely limited.
- All these methods had a priori popularity for committing technological crimes. After the beginning of the SWO, after blocking the spoofing of phone numbers and Internet traffic from abroad, after the abolition of SWIFT, these programs became more active in the activities of intelligence services using WhatsApp for recruitment," the expert said.
He recalled that in 2022, with the help of fake accounts, representatives of Ukrainian special services tried to recruit Russian officers. They always acted according to the same scenario: they introduced themselves allegedly on behalf of a mutual acquaintance and offered to tell about the coordinates of the location of equipment, troops, personnel, command posts, etc. for a fee .
Recruiters may also present themselves as UN specialists and offer to relocate to third countries under the protection of international observers or provide other information that often does not correspond to the capabilities and competencies of the experts in whose name they present themselves, Igor Bederov noted.
Messengers, including WhatsApp, are one of the most widespread channels of attacks on citizens today, agrees Roman Alabin, head of the InfoWatch Group's information security service. First of all, we are talking about social engineering and various schemes based on it: fake boss (when attackers act on behalf of the victim's management), attempts to obtain payment details and account hijacking.
- We can also recall techniques related to the distribution of phishing links. There are many schemes, but they have one thing in common - they try to intimidate people with the help of various arguments, be it the need to transfer money to a "safe account", to extend a contract with a cellular operator or to help in catching a criminal - and force them to take immediate action," the expert explained. - Recruitment for the purpose of committing illegal acts is worth mentioning separately - recently such cases have become especially frequent.
Ashot Oganesyan, the founder of the DLBI data leak intelligence and darknet monitoring service, noted that recruitment is also practiced in Telegram.
- Announcements of sabotage are published on channels dedicated to illegal earnings. Ukrainian spambots are also working there, sending offers to users directly," he said.
Alexei Gorelkin, CEO of the Phishman company, believes that WhatsApp is not in the first place as a tool for attackers.
- Telegram is in first place, and it is used as one of the possible tools to achieve the goals of social engineering attacks," he said. - But it is also used for fraudulent schemes for a certain group of citizens - for example, those who don't have Telegram, or middle-aged people who started using WhatsApp when Telegram didn't appear. For such people, WhatsApp may be more effective because of the feeling of security, its familiarity to the user.
Telegram can also sell databases - links to such accounts can be easily found on the darknet, Izvestia found out. Sellers rank subscribers' phone numbers by age, presence of children, cars and real estate. Sometimes they offer passport data, SNILS, TIN, e-mail addresses.
According to Sergey Pomortsev, an IT expert at GG Tech, gullible users are promised a reward for confidential information, but the money is only ready to be transferred when photo and video evidence of the sabotage is provided. Often a person who committed sabotage on the instructions of an informant is contacted as soon as the evidence is sent.
Where new arson attacks took place
On December 23, the Moscow Prosecutor's Office warned of criminal liability for arson attacks called in by telephone scammers. According to the agency, the callers introduced themselves as law enforcement officers and credit institutions and under various pretexts induced people to commit crimes. Victims succumbed to manipulation for the sake of returning stolen money, repayment of credit obligations, and assistance in apprehending criminals.
"The Prosecutor's Office of Moscow clarifies that law enforcement agencies never attract citizens to assist through telephone conversations and do not fight crime by illegal means", - reported in the press service of the agency.
This is how the situation is described by the investigative department of the Investigative Committee of the Investigative Committee for the Vladimir region. There, a resident of Petushkov was detained on suspicion of setting fire to the entrance to the police department building. According to the detainee's version, she was under the influence of unidentified persons, with whom she had been communicating by phone for a long time. A case was opened against the woman for willful damage to other people's property.
Two more cases of arson of ATMs were registered recently in Perm, reported in the regional department of the Ministry of Internal Affairs. In Krasnoyarsk, a girl set fire to a bank branch and was taken to hospital with a burned hand. According to preliminary data, she became a victim of fraudsters.
In the Tver region a 56-year-old man was stopped by bank employees when he tried to burn an ATM. The detainee admitted that he was working on the instructions of unknown attackers.
In St. Petersburg, Rosgvardiya officers detained a 76-year-old pensioner who had received an assignment from fraudsters to set fire to an administrative building or the official car of law enforcement officers. On the street, he asked to pour gasoline into an empty juice bottle of a passerby, while talking on the phone with his handlers. Alarmed, the man called police.
Defense against intruders
Fraudsters call hundreds of potential victims, following a well-defined algorithm, said psychologists interviewed by Izvestia.
First, the interlocutor needs to be favored, explained clinical psychologist Artem Tarayants. For this purpose, criminals present themselves as FSB officers, bank representatives or telephone operators. To arouse special trust, the attackers can write to the victim in social networks beforehand, warning about the upcoming conversation.
- During the conversation, they carefully and respectfully pronounce the name of the interlocutor to create the illusion of a good relationship, - said the expert. - Next, the rule of four yeses is used. If a person three times answered questions about himself positively, then on the fourth it will happen by inertia. To get the right answers, scammers use information about victims from their social networks.
The victim is told that he or she is in danger and warned that the situation can only be saved by quick and decisive actions.
- And this moment is decisive: the person either gets off the hook or becomes a slave and becomes dependent on the interlocutor. To influence the victim, attackers can alternate information about possible threats, - said the psychologist.
If the fraudsters manage to get money, at this stage they can reveal themselves and demand to fulfill the final task - for example, arson. Further they already just dryly instruct the victim.
It is important to remember that any incoming messages and calls should be critically analyzed and do not give in to entreaties to do something, added Roman Alabin. As a rule, attackers emphasize urgency and immediate action, so that the victim does not have a chance to think things over.
- And, of course, the classic recommendation for everyone is not to provide any data, SMS codes and passwords, as well as not to click on suspicious links, - concluded the expert.
Oleg Cherkasov, a leading lawyer of the EYUS service, reminded that deception by fraudsters may become a mitigating circumstance in court, but will not exempt from liability. Fraudsters will appear in the case as accomplices - instigators or organizers. But unlike the perpetrators, it will be almost impossible to detain them.
For arson and other similar actions the case may be initiated under the article on willful destruction or damage to property. The sanctions under this article are up to five years of imprisonment. In addition, the article on hooliganism may also be imputed - and under it the punishment will be up to eight years.
Переведено сервисом «Яндекс Переводчик»
