rss-bridge 2025-04-30T13:02:00+00:00

Active Subscription Scam Campaigns Flooding the Internet


Răzvan GOSA
Alexandru Paul MARINESCU
Silviu STAHIE

April 30, 2025


Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites.

What sets this campaign apart is the significant investment cybercriminals have undertaken to make these fake sites look convincingly legitimate.

Gone are the days when a suspicious email, SMS, or basic phishing link could easily fool users. As people grow more cautious and cyber-aware, scammers are stepping up their game. They have already begun crafting more complex and convincing schemes to bypass skepticism and lure victims into handing over sensitive information, especially credit card data.

Key Findings

  • Incredibly convincing websites, selling everything from shoes and clothes to diverse electronics, are tricking people into paying monthly subscriptions and willingly giving away credit card data.
  • Many of the websites are linked to a single address in Cyprus, likely home to an offshore company.
  • The scam encompassed more than 200 different websites, including many that are still up and running.
  • Criminals create Facebook pages and take out full ads to promote the already classic "mystery box" scam and other variants.
  • Facebook is used as the main platform for these new and enhanced mystery box scams.

Content creators are being impersonated to promote mystery boxes, or fraudsters create new pages that look a lot like the originals.

Scammers try to take advantage of people's lack of attention

Scammers know that if a victim has reached the payment step, they're already convinced the scam is real. At that point, hesitation is low, and critical thinking is off.

That’s when scammers strike again, slipping in a second scam right before the victim hands over the money. It’s not just about closing the deal at that point, but rather about stacking the fraud.

What is a mystery box scam?

In real life, the allure of a mysterious box of items on a shelf just waiting for someone to pick it up for a few bucks seems like a scam that would never work. But on the Internet, it really does work - otherwise scammers wouldn't put so much effort into promoting them.

There are quite a few variations of these scams, from boxes left at the post office to bags left at the airport and even to clearance sales from large shopping centers. They all share the same tell-tale sign: all the victim has to do is to pay a minimal sum of money.

The goal, of course, is to collect personal and financial information. Victims willingly provide all that precious information, believing they've made a fantastic purchase. Here's an example from one such scam campaign targeting Facebook users in Romania:

The Mystery Box Scam is evolving

Like most scams, these fraudulent schemes lose their allure as people get used to them, and fewer people fall victim. This drives criminals to devise new ways to obtain money or financial information.

The first step in this evolutionary ladder was the moment scammers added surveys "to ensure" you're a real person and not a bot. When users see a company taking such steps, it makes the enterprise look more legitimate.

Now, the mystery box scam has evolved in a new way. Right before you agree to give them money and financial information, you also agree to a subscription model (written in a tiny font) that turns your current mystery shopping adventure into recurring payments.

*[Image: a store with boxes of clothes]*

Of course, other countries are targeted as well. Here's one for Canada or the United States:

*[Image: a person standing behind a box with a face on it]*

*[Image: a screenshot of a phone]*

As our past research shows, these scams have flooded social media, and it's all made possible by sponsored ads.

You will notice that the payment page also references a website called naillr[.]com, where you get a loyalty membership card that gives you discounts and perks. However, this is where the research pointed us in another direction.

The mystery box scam is expanding into new territories

Some of these ads with mystery boxes point to various online shops for a variety of products, like clothes, electronic equipment, beauty products, and many others. At one point, we identified around 140 websites that shared the same business model. This is just one example:

*[Image: a silver toaster with a price tag]*

"Buy at member price and get FREE access to the best prices in Europe with an account top-up of 44.00 EUR/every 14 days. Skip or shop the top-up" read the fine print.

The online shop appears to offer many tiers with all kinds of perks. By following the URLs related by tracker ID, Bitdefender researchers found more than 200 websites in this campaign, many of which are currently still online.

Basically, people might be tempted to pay one of these subscriptions, believing that it will provide them with discounts across the entire website. The shop owners even offer various subscription tiers, but the sums vary from one website to another.

This is what the VIP tier looks like on one of these websites:

*[Image: a screenshot of a cellphone]*

The discounts offered are based on store credits, which are transformed using a 1:1 ratio. So if you invest €68 you get 68 credits. If you want to buy something like a piece of furniture, for example, this is what it would look like.

*[Image: a screenshot of a website]*

It's all very complicated to follow, with store credits, discounts, credits that you can top up every 14 days, and so on. The basic idea is to have a process as convoluted as possible and make it sound like a good idea at the same time. By the time the victim actually pays for a subscription, it already seems like an investment.

They often promise all the best products money can buy, but their offers are ridiculous. This one electronic store sold old cables, obsolete technologies, and other devices that could be bought for a fraction of the price from Chinese stores.

It's also important to mention that the contact address mentioned in most of these hundreds of websites (Andrea Kalvou 13, 3085 Limassol) that are still up and running also appears in conjunction with a Cypryorecord in the International Consortium of Investigative Journalists (ICIJ) Offshore Leaks Database that is associated with the Paradise Papers leak.

The subscription allure is too strong

Criminals have been pumping funds into ads promoting impersonated content creators, using the same subscription model that now seems to be the driving revenue stream of these scams.

Scammers often change the impersonated brands, and they've begun expanding past the existing mystery boxes. They are now trying to sell low-quality products or imitation articles, fake investments, supplements, and much more.

We have observed several techniques used to evade automatic detection:

  • Multiple versions of the ad, with only one being malicious, while the others display random product images.
  • Uploading images directly from Google Drive (so they can be replaced later).
  • Using cropped images to alter visual patterns.
  • Relying exclusively on images in ads, with no text in the description (text appears only in the image itself).
  • Classic homoglyph techniques.
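On the detection side, the homoglyph technique in the last bullet can be countered by folding look-alike characters before matching text against watched brand names. The following is an added example, not code from the original research; the brand name "shopmart", the sample ad text and the small confusables table are constructed for illustration.

```python
import unicodedata

# Small illustrative subset of Cyrillic/Greek look-alikes for Latin letters;
# a production check would load Unicode's full confusables.txt (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}

def scripts_in(token):
    """Scripts of the letters in a token, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}

def skeleton(token):
    """Fold compatibility forms and known look-alikes to lowercase Latin."""
    folded = unicodedata.normalize("NFKC", token).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def flag_homoglyphs(text, watched_names):
    """Flag tokens that mix scripts or that fold to a watched name without being it."""
    findings = []
    for raw in text.split():
        word = raw.strip(".,!?:;\"'()")
        scripts = scripts_in(word)
        skel = skeleton(word)
        spoofed = skel in watched_names and word.lower() != skel
        if len(scripts) > 1 or spoofed:
            findings.append({
                "token": word,
                "scripts": sorted(scripts),
                "resembles": skel if skel in watched_names else None,
            })
    return findings

# Constructed ad text: "ShopMart" (hypothetical brand) written with Cyrillic
# DZE, O, ER and A in place of the Latin S, o, p and a.
SAMPLE_AD = "Mystery box from \u0405h\u043e\u0440M\u0430rt, only 2 EUR!"
WATCHED = {"shopmart"}
```

Text written entirely in one script, such as Romanian with diacritics or a genuine Cyrillic word, is not flagged; only mixed-script tokens and tokens that fold to a watched name are.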

[...]

