How Avito identifies scammers and fights fraud

Hey Habr. I am Igor, the head of the team that fights scammers on Avito. Today we will talk about the eternal battle with the villains who try, and sometimes manage, to deceive online shoppers using goods delivery as the pretext.

We have been fighting fraud for a long time. Today's scammers deceive people by imitating the interfaces and functions of online trading platforms. For example, they come up with schemes for courier delivery on marketplaces.

In January 2020, ready-made instructions for scammers and all the necessary tools appeared on the Internet. Then self-isolation added fuel to the fire: those who used to cheat and steal on the streets and in apartments were forced to go online. Perhaps you have lately been getting a lot of calls, messages in instant messengers, SMS and letters from those same “scammers”. They pose as employees of banks and law enforcement agencies, distant relatives or notaries. Write in the comments what type of scam you encountered most recently.

Standard Scam Schemes

The most common scheme for deceiving a buyer with the delivery of goods looks like this:

  1. The scammer publishes an ad for a popular product in the middle price category, for example electric scooters, which are popular in the summer.
  2. By any means available, he persuades a potential buyer to agree to delivery. The pretexts vary: I left the city during the pandemic, or I am just too busy and cannot come to a meeting.
  3. After receiving consent, the scammer sends a fake payment link. The linked page looks like the standard Avito form.
  4. The victim pays for the purchase and says goodbye to the money.
  5. The scammer tries to make more money by offering to refund the payment. He sends the buyer a new form for a refund, but in fact it charges the card again. The refund page is the same checkout page, with the text on the button changed from "pay" to "return".

Below is an example of a fake page that a scammer can send. The domain mimics Avito, and the site itself looks like an ordering page in an online store. Fake pages are often served over HTTPS, so the protocol cannot be used to tell them apart. After filling in the data, the user is taken to the order payment page, where he is prompted to enter bank card details.

Fake payment and refund pages

We block suspicious sellers. Therefore, in order to carry out such operations, scammers need to constantly create new accounts on Avito. They either register them themselves via SMS to a temporary virtual number, or buy stolen accounts. A virtual SIM card costs from 60 kopecks, someone else's account on the shadow market - from 10 rubles. The cost of both is incomparably less than even a one-time income from deceiving users.

That was Avito Scam 1.0, but versions 2.0, 3.0 and even 4.0 have already appeared. These are not our designations; they are used by the scammers themselves.

They deceive not only buyers, but also sellers. The second scheme looks like this:

  1. The buyer allegedly sent the money through a secure transaction.
  2. He sends the seller a fake link where he can get paid.
  3. The seller gets to a page that asks for his card details, and as a result, the amount is debited from his account.

The Scam 3.0 scheme works like this:

  1. The seller publishes ads with activated delivery via Avito.
  2. When the buyer pays for the goods, the scammer sends him a screenshot, in which Avito allegedly asks for a confirmation code.
  3. Using the code, the seller logs in to the buyer's account. In the buyer's profile, the scammer ticks the box confirming that the goods were received. The buyer is left without the money and without the purchase.

And scheme 4.0 is arranged as follows:

  1. The buyer pretends to pay for the goods and sends a fake receipt. Receipts are sent anywhere: by e-mail or to a third-party messenger, depending on which contact the seller gave to the scammer.
  2. The seller receives an SMS that mimics a bank transfer.
  3. A few minutes later, the buyer writes that the product of another seller is better for him, and asks for a refund. Often the argument “return, you are not a scammer” is used. The seller sends the buyer the amount, but from his own pocket, because there was no payment.

What are the scammers doing

The five most popular contexts in which people fall into the clutches of scammers:

  1. Unique selling proposition. The price or product compares favorably with other offers.
  2. Hype. The seller says several people want to buy the goods, so he pushes you to make an advance payment.
  3. Urgency. The buyer offers to urgently buy goods for any money and asks for all bank card details in order to transfer money.
  4. Kindness. The scammer asks for help in buying the goods: for example, the buyer has health problems or he cannot personally pick up the goods. The fraudster asks for card details in order to transfer money, and the courier will allegedly pick up the goods.
  5. Various towns and cities. In this case, prepayment is a prerequisite for the transaction, and this opens up a huge field of activity for scammers.

The scheme of "work" of scammers

There are three groups of people involved in the fraudulent scheme: workers, support, and TS.

Workers, from the word worker, are the largest group of people, mainly schoolchildren and students. They independently create accounts on Avito and look for victims, who are called mammoths. Then, using social engineering skills, they convince the victims to pay for something and send a fake link. If the victim pays for the “goods”, the task of the workers, with the help of support, is to steer the victim to a "refund", citing some kind of technical error.

Support are people who help novice workers deceive users, in exchange for a fixed income. They give advice and recommend "profitable" goods, and often, for a certain percentage of a fraudulent transaction, they are ready to provide other services: for example, prepare a passport in Photoshop, call the victim, or write to the victim on behalf of technical support.

TS, from Topic Starter on the shadow forums where workers were originally recruited, are essentially the organizers. They download or buy software, which consists of two parts:

  1. A Telegram bot, which is the main tool of scammers. In it, you can get a fake link to the product and receive notifications when the link is opened or a payment is made.
  2. Web version, which is responsible for displaying the payment/return/acceptance page. A payment system is also connected to it for receiving payments.

The organizers earn on a percentage of each transfer of the victim, which is called profit. Therefore, they try to advertise their project and pay support to train newcomers. They also bear all the costs associated with the purchase of new domains and cards for which the money comes.

After looking at the sources of many variants of fraudulent scripts, we came to the conclusion that most of them are written in PHP, but at a very poor level. Almost all scripts collect information about their users, including workers. One assumption about why they do this is that when law enforcement agencies come to the organizer, he will cooperate with the investigation and try to reduce the punishment as much as possible by giving up the workers.

In addition to scripts, scammers use bombers. These are bots that flood a phone with text messages and calls. Bombers work like this: they go to different sites and request registration or password recovery using the phone number. Usually scammers point them at victims for 2-72 hours. And this is an important reason not to show your phone number on the Internet.

Some TS also hire developers who make improvements to the bot or site. For example, they add a rating of workers or patch vulnerabilities in the scripts that exist in the free versions. However, in pursuit of a quick profit, the TS can take all the proceeds for itself, deceiving its own workers. At the same time, there is a group of people who make money on the scammers themselves, cheating them on various services.

The average daily income of a fraudulent performer is 20 rubles, and a fraudulent organizer is 000 rubles. The main thing to remember is that, despite the seeming impunity and profitability of this "business", all of this activity falls under article 159 of the Criminal Code of the Russian Federation. Fraudsters are detained and given real terms even in cases where the damage from deceit is 5-7 thousand rubles.

We pass on all information we have about the facts of fraud to law enforcement agencies. We are convinced that despite the apparent profitability and ease of the scheme, our readers understand that only narrow-minded people who are not aware of all the risks are engaged in fraud.

Epic battle between antifraud and scammers

We will tell you what steps we took in the first months of 2020 to protect our users, and how the scammers responded.

The main metric we used to evaluate the effectiveness of our work is the number of support requests about delivery that was paid for to a scammer. We block most of the fraudulent ads before they reach the site. But when almost all trade moved online, we recorded a surge in requests. Banks also confirm this information: in April and May, they sent out mass warnings about the growth of fraud in online purchases.

In order to get quick feedback on new tools, a person from our team infiltrated dozens of closed groups of scammers. In one of them, he passed an interview for a developer and got access to the source codes of scam bots, and also got into the group of organizers. Thanks to this, we always had fresh first-hand information.

Understanding the risks that the start of self-isolation would bring, we started work before requests began to grow. One of the first technical measures was anti-hijacking protection to snatch user accounts from the clutches of intruders: when a login used the correct username and password but came from a suspicious geolocation, we asked for a code from an SMS sent to the account owner. In response, the scammers began to register more accounts of their own. This works to our advantage, since fresh seller accounts inspire less confidence in everyone.
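
The login rule described above can be sketched as follows. This is an added example, not Avito's code: the 300 km and 900 km/h thresholds, the `Login` record and the city coordinates are assumptions made for the illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
NEAR_KM = 300.0        # assumed: within this distance of a known place is routine
MAX_SPEED_KMH = 900.0  # assumed: faster than an airliner is impossible travel
DAY = 86400.0


@dataclass(frozen=True)
class Login:
    lat: float
    lon: float
    ts: float  # Unix time in seconds


# Constructed history: Novosibirsk on day 0, Moscow on day 30.
HISTORY = [Login(55.0084, 82.9357, 0.0), Login(55.7558, 37.6173, 30 * DAY)]


def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def decide(password_ok: bool, attempt: Login, history: list) -> str:
    """Return 'deny', 'allow' or 'sms_challenge' for one login attempt."""
    if not password_ok:
        return "deny"
    if not history:
        return "allow"  # no baseline yet, nothing to compare the location with
    last = max(history, key=lambda h: h.ts)
    dist_last = haversine_km(last, attempt)
    hours = max((attempt.ts - last.ts) / 3600.0, 1e-6)
    # Rule 1: a known city is still suspicious if nobody could get there in time.
    if dist_last > NEAR_KM and dist_last / hours > MAX_SPEED_KMH:
        return "sms_challenge"
    # Rule 2: the attempt is far from every place this account has used before.
    if min(haversine_km(h, attempt) for h in history) > NEAR_KM:
        return "sms_challenge"
    return "allow"
```

The correct password alone never returns "allow" for an unfamiliar location; the SMS code goes to the owner's number, which a buyer of a stolen account does not control.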

Then we started to warn users about following suspicious links in the messenger. So we reduced the number of clicks by a third, but this had almost no effect on our main metric: those who were deceived by scammers were not stopped by any warnings.

Next, we introduced a whitelist of links. We stopped highlighting unknown links in the Avito messenger, so they can no longer be followed in one click. When a suspicious link is copied, a warning is also shown. This decision was the first to have a positive impact on our metric.
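
A sketch of how a messenger could decide which links to highlight, added here as an illustration and not taken from Avito's code. It assumes the allowlist holds only `www.avito.ru`, the domain the article names for real links, and that only HTTPS links are made clickable; the sample message and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.avito.ru"}  # assumed allowlist content
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed chat message containing a lookalike host and a genuine one.
SAMPLE = ("Pay here: https://www.avito.ru.order-pay.example/buy, "
          "or see https://www.avito.ru/help.")


def is_trusted(url: str) -> bool:
    """True only if the URL's host is exactly an allowlisted host."""
    # Backslashes and control characters are parsed differently by browsers.
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # "https://www.avito.ru@other.example/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact match: a prefix or substring test would accept
    # "www.avito.ru.order-pay.example" and look-alike Unicode hosts.
    return host is not None and host.rstrip(".") in ALLOWED_HOSTS


def render_message(text: str):
    """Return (links to highlight, links left as inert text with a warning)."""
    clickable, inert = [], []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        (clickable if is_trusted(url) else inert).append(url)
    return clickable, inert
```

Anything the parser cannot place on the allowlist stays plain text, so an unrecognized link form fails closed.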

We began to actively penalize the sending of suspicious links in the Avito messenger by blocking or rejecting the seller's ads. In response, scammers began to take users away from our chat to third-party messengers. Then we rolled out a warning not to switch to another messenger, shown when we see one mentioned in the chat. This function started as a regular expression search; later we replaced it with an ML model.

Then the scammers began to take users to e-mail. To do this, they needed the same thing that we all need - trust. They began to send images to potential victims, where Avito supposedly asks for the buyer's email. This is a scam - we don't need buyers' emails.

Here our support supposedly answers that the buyer's email is needed for delivery

And here in our interface, it’s as if a new field for entering e-mail has appeared

While some people can still spot a fake link, an email is easy to forge convincingly, and it inspires more confidence. We began to delete the message containing the email address and show the user a warning about the danger of such an action. If the user sends the email address again after the warning, we don't delete it.

The scammers began asking buyers to send their email address split across multiple messages, or with the @ symbol replaced by another one. Then we began to display a warning even when an email address is merely requested. Together, these measures made it possible to almost completely stop users from moving from the Avito messenger to email.
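
The two evasions named above, a replaced @ and an address split over several messages, can be caught by normalizing the text and re-checking a short window of each sender's messages. This is an added example, not Avito's implementation; the list of @ substitutes, the window of three messages and the sample chat are assumptions.

```python
import re

# Assumed "@" substitutes; a production list would come from observed chats.
AT_RE = re.compile(r"\s*(?:\(at\)|\[at\]|\(a\)|\(?собака\)?)\s*")
EMAIL_RE = re.compile(
    r"[a-z0-9][a-z0-9._+-]*@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

# Constructed chat: (sender, text) pairs in the order they were sent.
SAMPLE_CHAT = [
    ("seller", "Send me your mail for the delivery form"),
    ("buyer", "ivan.petrov"),
    ("seller", "ok"),
    ("buyer", "@"),
    ("buyer", "mail.example"),
    ("buyer", "or anna (at) post.example"),
    ("buyer", "is the scooter still available?"),
]


def find_email(text: str):
    """Return the first address after undoing '@' substitutions, else None."""
    text = AT_RE.sub("@", text.lower())
    text = re.sub(r"\s*@\s*", "@", text)
    match = EMAIL_RE.search(text)
    return match.group(0) if match else None


def scan_chat(messages, window: int = 3):
    """Return [(message indexes, address)] for addresses sent whole or in parts."""
    hits = []
    recent = {}  # sender -> [(index, text)] not yet part of a hit
    for i, (sender, text) in enumerate(messages):
        buf = recent.setdefault(sender, [])
        buf.append((i, text.strip()))
        del buf[:-window]  # keep only the sender's last `window` messages
        # Shortest suffix first, so a hit names only the messages involved.
        for k in range(1, len(buf) + 1):
            email = find_email("".join(t for _, t in buf[-k:]))
            if email:
                hits.append(([j for j, _ in buf[-k:]], email))
                buf.clear()
                break
    return hits
```

The returned indexes identify exactly which messages to delete or attach the warning to, including the fragments that are harmless on their own.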

Our current mechanics are quite efficient but not user friendly. The message with the email address is deleted completely, and it often contains other text. But it was the fastest and cheapest solution to develop. We are thinking about how to rework and improve it.

One of our latest initiatives is calling the phone number. The numbers that scammers register accounts to usually do not live long. We call the seller's number after an ad is submitted on Avito. If we can't get through, moderation rejects the ad. The scammers started changing the phone number right before posting the ad, so that we could get through while the number was still available.

And here is the feedback from the scammer

In suspicious cases, we lower the priority of the ad in the search results and remove it from the recommendations. At the same time, we delay its appearance in the results by up to 48 hours, both to make sure that everything is carefully checked and to cause scammers a little more inconvenience.

This is just the tip of the iceberg, there are many more types of scams.

Unfortunately, it is impossible to describe all types of fraud in one article. When we learned about the introduction of the self-isolation regime, it immediately became clear that the scammers who made money offline would run online. They will not want to change their behavior patterns for a few months and become good citizens. This has led to a real boom in fraud on all online platforms and over the phone.

Among the types of fraud, there are rare and even funny ones. For example, here the scammer pretends to be a robot to reduce communication costs:

There are fewer and fewer scammers on Avito every day, and raids are taking place throughout the country: law enforcement officers find scammers despite proxies and VPNs, detain them, and bring them to real terms of up to 2 years in prison for cheating people out of 2500-5000 rubles. Even so, it is impossible to completely get rid of fraud.

We will not publicly talk about other ideas and innovations, so as not to make it easier for scammers. We understand that this battle will continue. Our task is to make life as difficult as possible for scammers, to make this kind of activity on our resource simply unprofitable and too dangerous, while at the same time harming good users as little as possible.

The results

Here is the timeline of support requests about delivery fraud. In recent weeks, it has been at a consistently low level:

How to avoid becoming a victim of a scammer

Fraudsters are a fly in the ointment in a barrel of profitable offers. To always stay safe, just follow these rules:

  1. Do not share sensitive data. None of it: full name, phone number, address, email, date and place of birth, family and income information, card details, contacts in other instant messengers. Never tell anyone codes from SMS and push notifications.
  2. Keep all communication only within our messenger, then we will be able to warn you in case of danger.
  3. Check seller rating and profile age. Suspicion is caused by low prices, a recent date of registration on the site and negative reviews.
  4. If the "Buy with delivery" button is inactive, there is no delivery of goods through Avito's verified partners. Other delivery methods are always a risk.
  5. Don't follow links. A link to pay or receive money should come to the built-in Avito messenger as a system message. A real link always starts with the www.avito.ru domain. Any other combination of words and symbols is a scam.
  6. Take your time and make all purchases sober. Be attentive to every little thing. Fraudsters often put pressure on potential buyers and threaten to sell the product to another. Honest sellers are loyal and ready for additional questions.
  7. Do not transfer prepayment for any services if you are not sure about the seller.
  8. Do not install any third-party extensions and programs.
  9. If you see a suspicious profile or ad, write about it in our support. We will check the seller. On the Internet, it is better not to trust anyone and do additional checks.

Source: habr.com
