Phishing Scams Impersonate Krasnoe & Beloe and Dodo Pizza to Promote Paid Fitness Services
Over the past two months, RTK-Solar has identified more than 2,000 domains created as part of a phishing scheme exploiting the brands “Krasnoe & Beloe” and “Dodo Pizza.” Scammers organized social media giveaways, offering prizes like pizza or a bottle of wine for just 1 ruble. In reality, they steal bank card data and sign victims up for a fake fitness service with recurring charges.
Experts note that similar attacks occur every 4-6 months. The latest surge in phishing activity was curbed thanks to cooperation with domain registrars and regulatory authorities. Contacting the bank that provided online acquiring services also helped reduce user losses severalfold, according to RTK-Solar.
How the Scam Works
Fake promotional messages are spread through messengers and specially created social media groups. To participate, users are asked to share a link with 10-20 friends. Previously, these URLs led directly to phishing sites, but now scammers use redirects and register thousands of domains, constantly changing the chain of links.
The phishing sites all look similar and advertise an online fat-burning training course, to which visitors are forcibly subscribed. Most features on these sites do not work, subscription details are missing, and the public offer, while containing company information, is questionable.
Technical Details and Money Theft
According to Solar JSOC expert Alexander Vurasko, “The malicious domains were not tied to the brands; they consisted of randomly generated characters in exotic domain zones like .ml, .tk, .cf, .ga, and .gq. Registration is free and can be done automatically via API. Scripts for mass domain registration are easy to find online. The most interesting part of this new scam wave is the actual process of stealing money. By entering their card details, victims were subscribed to a service that charged 889 rubles every five days. The money went to a real company account at a top-20 bank. Such payments often go unnoticed by the bank’s anti-fraud systems, and the small amount is offset by the large number of subscribers.”
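The domain pattern described above (random-character names in the .ml, .tk, .cf, .ga and .gq zones, reached through changing redirect chains) lends itself to a simple triage filter over proxy or mail-gateway logs. The sketch below is an added example, not RTK-Solar's tooling; the length and entropy thresholds, the function names and the sample URLs are assumptions constructed for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Free domain zones named in the report.
FREE_ZONES = {"ml", "tk", "cf", "ga", "gq"}
# Assumed thresholds (not from the report); tune them on your own traffic.
MIN_LABEL_LEN = 8
MIN_ENTROPY_BITS = 3.0

def shannon_entropy(text):
    """Bits per character; random strings score higher than repetitive ones."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def is_suspicious(url):
    """True if the host is a long, high-entropy name in one of the free zones."""
    host = urlsplit(url).hostname
    if not host:
        return False
    parts = host.rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in FREE_ZONES:
        return False
    label = parts[-2]  # the registered name directly under the zone
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY_BITS

def triage(chains):
    """Map the first URL of each redirect chain to the suspicious hops in it."""
    hits = {}
    for chain in chains:
        bad = [url for url in chain if is_suspicious(url)]
        if bad:
            hits[chain[0]] = bad
    return hits

# Constructed sample redirect chains (not real indicators).
SAMPLE_CHAINS = [
    ["https://xk7q2vbn9d.tk/promo", "https://q9zt4hw1mpl3.ga/r?id=1",
     "https://w3nf8ycj5rk2.cf/fit"],
    ["https://www.example.com/menu"],
    ["https://pizzapizza.tk/"],  # free zone, but a short-alphabet, low-entropy name
]

if __name__ == "__main__":
    for first_url, hops in triage(SAMPLE_CHAINS).items():
        print(first_url, "->", len(hops), "suspicious hop(s)")
```

Entropy alone also flags ordinary words with no repeated letters, so treat hits as candidates for review rather than as a blocklist.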
Current Status and Future Risks
RTK-Solar reports that the peak of the attack using the “Krasnoe & Beloe” and “Dodo Pizza” names has passed. The phishing sites have been blocked, and mass messaging in messengers and social networks is no longer observed. However, it is expected that this scheme may resurface in the future, possibly in a different form.