Several ads with images and sexual terms were visible on the main ad list page of the OLX classifieds platform and were intended to lure users to a malicious site. The ads, posted on Sunday, were removed by the company's response team on the same day, but had already been viewed by thousands of people.
David Mota, head of OLX's Customer Satisfaction area, confirmed the malicious campaign to Exame Informática: on September 29, eight sexual ads were identified and removed, with images promoting a website that contains adult content and is associated with phishing scams.
Despite the claim that these fraudulent ads stay no longer than 15 minutes on the OLX Portugal website thanks to the team's response, Exame Informática saw that one of the ads, published around noon, was active on the platform for more than an hour. Later on Sunday, at night, the ads that were seen were removed in less than 20 minutes.
“Scammers are looking for a thousand and one ways to try to access one of our users' accounts. If you are a user who has not followed the security steps we have indicated and possibly has a weak password, the scammer can log in, start using that person's account and start posting ads,” explains the OLX manager.
In Sunday's case, two OLX users had their accounts on the classifieds platform taken over by the attackers. It was from these accounts that the sexual and potentially malicious ads were posted. In one case, the perpetrator even used the credit the victim had associated with the OLX profile to promote and feature one of the fraudulent ads.
According to David Mota, 90% of ads posted on OLX are verified through the company's automated mechanisms and are therefore published immediately if no irregularities are found. The remaining 10% of ads are manually reviewed because some element in the post has been identified that raises suspicions about the ad.
In the case of the eight fraudulent ads posted on Sunday, all managed to pass through the OLX automatic filtering system. “They try days and days until they get on our platform,” says David Mota. “There are situations where they can get through all the barriers and get active, which is what happened on Sunday and that has a huge impact. Even if they are (published in) two or three hours, they can impact six, seven, eight thousand people.”
The company spokesman says that, on average, 30 pieces of malicious content per month that were actually shown to users are identified and removed, a figure that contrasts with the 3,000 ads that are blocked by the detection tools and never get online. “Even when this technology cannot detect them, our team can manually pick them up and can automatically block these users and ads, which means that there is no regular content on this platform.”
For this particular campaign, however, the authors used, for example, characters from the Cyrillic alphabet, which is used in countries like Russia, Ukraine or Macedonia, to avoid OLX's detection systems – even though the ad text was written in Brazilian Portuguese. This does not mean that the authors belong to these geographies.
“What happens is that these scammers are already moving within Europe itself and going to countries that tend to have no organized crime in this sense. (…) What we know is that they use advanced technologies, very much based on VPNs; they may even be in countries like Russia or Ukraine, but using VPNs they look for IP addresses that are considered legitimate and with some credibility.”
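The evasion described above, where Cyrillic characters stand in for Latin ones inside Portuguese ad text, can be caught by flagging mixed-script words and by folding look-alike letters before keyword matching. The Python code below is an added example, not OLX's filter; the blocklist, the look-alike table and the sample ads are constructed assumptions.

```python
import re
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones
# (assumption for this example; not the full Unicode confusables table).
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})
BLOCKLIST = {"adulto", "webcam"}  # hypothetical moderation keywords


def scripts(word):
    """Scripts of the letters in word, taken from the Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in word if c.isalpha()}


def mixed_script_words(text):
    """Words combining Latin and Cyrillic letters, a strong spoofing signal."""
    return [w for w in re.findall(r"\w+", text) if {"LATIN", "CYRILLIC"} <= scripts(w)]


def fold(text):
    """Lowercase, map look-alike Cyrillic letters to Latin, strip accents."""
    mapped = unicodedata.normalize("NFKD", text.lower().translate(LOOKALIKES))
    return "".join(c for c in mapped if not unicodedata.combining(c))


def naive_hits(text):
    """Keyword match on the raw text, which the substitution defeats."""
    return sorted(k for k in BLOCKLIST if k in text.lower())


def review(text):
    """Return (needs_manual_review, blocklist_hits, mixed_script_words)."""
    hits = sorted(k for k in BLOCKLIST if k in fold(text))
    mixed = mixed_script_words(text)
    return bool(hits or mixed), hits, mixed


# Constructed sample ads (not taken from the campaign).
SPOOFED = "Conte\u00fado \u0430dult\u043e gr\u00e1tis, clique aqui"  # Cyrillic a and o
CLEAN = "Vendo bicicleta usada em bom estado"

if __name__ == "__main__":
    for ad in (SPOOFED, CLEAN):
        print(naive_hits(ad), review(ad))
```

A mixed-script hit is a routing signal for manual review rather than proof of abuse, since legitimate listings can contain genuine Cyrillic words next to Latin ones.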
But what culminated in an attempt to lure OLX users to an adult site filled with suspicious pop-ups actually began long before. According to David Mota, the authors of the fraudulent ads first created online schemes outside of OLX, through which they obtained users' email access credentials. From there they began to probe on which platforms these credentials were valid. "They (authors of fraudulent ads) create online scams on various websites, people are attracted to such content, they automatically get the information about who the user is", in what he considers to be a "very elaborate scam".
The malicious website that was advertised in the OLX ads – which Exame Informática does not disclose for security reasons – redirected to another web address that, on the URLScan platform, which is used to verify the security of web addresses, is identified as dangerous and linked to phishing activities. In other similar tools it is not possible to find a danger index, as there is no record of the site.
"By logging into this site automatically they have already been caught by these scammers and as most users always use the same email and the same password mostly for everything, they end up being more vulnerable to this type of attacks", OLX also confirms.
But in a business where 600,000 ads a day are published or edited, one of the main lines of defense turns out to be the users of the buying and selling platform themselves. "Even if there is something that is extremely cleverly developed by scammers and able to introduce such ads, the users themselves help us detect."