SYDNEY, 1 May 2025 – Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites. What sets this campaign apart is the significant investment cybercriminals have made to make these fake sites look convincingly legitimate.
Gone are the days when a suspicious email, SMS, or basic phishing link could easily fool users. As people grow more cautious and cyber-aware, scammers are stepping up their game. They have already begun crafting more complex and convincing schemes to bypass scepticism and lure victims into handing over sensitive information, especially credit card data.
Key Findings:
- Incredibly convincing websites, selling everything from shoes and clothes to diverse electronics, are tricking people into paying monthly subscriptions and willingly giving away credit card data.
- Many of the websites are linked to a single address in Cyprus, likely home to an offshore company.
- The scam encompassed more than 200 different websites, including many that are still up and running.
- Criminals create Facebook pages and take out full ads to promote the already classic ‘mystery box’ scam and other variants.
- The ‘mystery box’ scam has evolved and now includes almost hidden recurring payments, alongside links to the websites of various shops.
- Facebook is used as the main platform for these new and enhanced mystery box scams.
- Content creators are being impersonated to promote mystery boxes, or fraudsters create new pages that look a lot like the originals.
Scammers try to take advantage of people’s lack of attention
Scammers know that if a victim has reached the payment step, they’re already convinced the scam is real. At that point, hesitation is low and critical thinking is off. That’s when scammers strike again, slipping in a second scam right before the victim hands over the money. It’s not just about closing the deal at that point, but rather about stacking the fraud.
What is a mystery box scam?
In real life, the allure of a mysterious box of items on a shelf just waiting for someone to pick it up for a few bucks seems like a scam that would never work. But on the Internet, it really does work – otherwise scammers wouldn’t put so much effort into promoting them.
There are quite a few variations of these scams, from boxes left at the post office to bags left at the airport and even to clearance sales from large shopping centres. They all share the same tell-tale sign: all the victim has to do is to pay a minimal sum of money.
The goal, of course, is to collect personal and financial information. Victims willingly provide all that precious information, believing they’ve made a fantastic purchase.
The mystery box scam is evolving
Like most scams, these fraudulent schemes lose their allure as people get used to them, and fewer people fall victim. This drives criminals to devise new ways to obtain money or financial information.
The first step in this evolutionary ladder was the moment scammers added surveys ‘to ensure’ you’re a real person and not a bot. When users see a company taking such steps, it makes the enterprise look more legit.
Now, the mystery box scam has evolved in a new way. Right before you agree to give them money and financial information, you also agree to a subscription model (written in a tiny font) that turns your current mystery shopping adventure into recurring payments.
As our past research shows, these scams have flooded social media, and it’s all made possible by sponsored ads.
You will notice that the payment page also references a website called naillr[.]com, where you get a loyalty membership card that gives you discounts and perks. However, this is where the research pointed us in another direction.
The mystery box scam is expanding into new territories
Some of these ads with mystery boxes point to various online shops for a variety of products, like clothes, electronic equipment, beauty products, and many others. At one point, we identified around 140 websites that shared the same business model.
‘Buy at member price and get FREE access to the best prices in Europe with an account top-up of 44.00 EUR/every 14 days. Skip or shop the top-up’ read the fine print in one example.
The online shop appears to offer many tiers with all kinds of perks. By following the URLs related by tracker ID, Bitdefender researchers found more than 200 websites in this campaign, many of which are currently still online.
Basically, people might be tempted to pay one of these subscriptions, believing that it will provide them with discounts across the entire website. The shop owners even offer various subscription tiers, but the sums vary from one website to another.
The discounts offered are based on store credits, which are transformed using a 1:1 ratio. So, if you invest $68 you get 68 credits.
It’s all very complicated to follow, with store credits, discounts, credit top-ups every 14 days, and so on. The basic idea is to have a process as convoluted as possible, and to make it sound like a good idea at the same time. By the time the victim is actually paying a subscription, it already seems like an investment.
In many cases, they promise all the best products money can buy, but their offers are ridiculous. One electronic store sold old cables, obsolete technologies, and other devices that could be bought for a fraction of the price from Chinese stores.
It’s also important to mention that the contact address listed on most of these hundreds of websites that are still up and running (Andrea Kalvou 13, 3085 Limassol) also appears in connection with a Cypriot record in the International Consortium of Investigative Journalists (ICIJ) Offshore Leaks Database that is associated with the Paradise Papers leak.
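A defender-side sketch of the pivoting described above (sites related by tracker ID and by a shared contact address), added here as an example and not Bitdefender's tooling: it clusters crawled storefronts that share either indicator. The `.example` domains, the pixel IDs, the `fbq('init', ...)` tracker form and the `<address>` footer markup are assumptions; the page does not say which tracker was used.

```python
import re
from collections import defaultdict

# Constructed crawl results (domain -> HTML). Domains and pixel IDs are made up;
# the Limassol address is the one quoted in the article.
PAGES = {
    "shop-a.example": "<script>fbq('init', '111111111111111');</script>"
                      "<address>Andrea Kalvou 13, 3085 Limassol</address>",
    "shop-b.example": "<script>fbq('init', '111111111111111');</script>",
    "shop-c.example": "<script>fbq('init', '222222222222222');</script>"
                      "<address>ANDREA KALVOU 13,  3085 Limassol</address>",
    "shop-d.example": "<script>fbq('init', '222222222222222');</script>",
    "other.example":  "<script>fbq('init', '333333333333333');</script>"
                      "<address>1 Constructed Street, Nowhere</address>",
}

# Assumption: the tracker is an ad pixel initialised as fbq('init', '<id>').
TRACKER_RE = re.compile(r"fbq\('init',\s*'(\d+)'\)")
# Assumption: the contact address sits in an <address> element in the footer.
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.S | re.I)

def indicators(html):
    """Return the set of (kind, value) pivots found on one page."""
    found = {("tracker", t) for t in TRACKER_RE.findall(html)}
    for addr in ADDRESS_RE.findall(html):
        # Normalise case, punctuation and spacing so trivial variants still match.
        found.add(("address", re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()))
    return found

def cluster_sites(pages):
    """Union-find: two sites join one cluster if they share any indicator."""
    parent = {d: d for d in pages}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}
    for domain, html in pages.items():
        for ind in indicators(html):
            if ind in first_seen:
                parent[find(domain)] = find(first_seen[ind])
            else:
                first_seen[ind] = domain
    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
```

Here `shop-d.example` shows no address at all, yet lands in the same cluster because it shares a pixel ID with `shop-c.example`, which in turn shares the address with `shop-a.example`.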
The subscription allure is too strong
Criminals have been pumping funds into ads promoting impersonated content creators, using the same subscription model that now seems to be the driving revenue stream of these scams.
Scammers often change the impersonated brands and they’ve begun expanding past the existing mystery boxes. They are now trying to sell low-quality products or imitation articles, fake investments, supplements, and much more.
We have observed several techniques used to evade automatic detection:
- Multiple versions of the ad, with only one being malicious while the others display random product images.
- Uploading images directly from Google Drive (so they can be replaced later).
- Using cropped images to alter visual patterns.
- Relying exclusively on images in ads, with no text in the description (text appears only in the image itself).
- Classic homoglyph techniques.
Some of these account pages can be created from scratch with names generated by algorithms, or they’ve been hacked and taken over, after which they’ve been renamed.
These stores might not seem to have anything in common, but for the most part they use the same design, the same themes, the same AI agents, and similar registration information, pointing to Cyprus.
While it’s difficult to make a direct connection between Mystery Box Scams and this swarm of websites, the fact that the payment screen for some Mystery Boxes has links to Cyprus-registered subscription-based shops is suspicious, to say the least, especially when these scams share the same subscription idea.
Conclusion
While many of these frauds are seemingly linked to the same operators, a lot of other scammers have also figured out that subscription is the new normal. With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we’re bound to see these kinds of fraud inundate the online world.
##
About Bitdefender
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumers, enterprises, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioural analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognised technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world. For more information, visit https://www.bitdefender.com.
Trusted. Always.