Service Providers Enable Industrial-Scale Pig Butchering Fraud Operations

Security researchers have identified specialized service providers enabling industrial-scale pig butchering scams, revealing how criminal networks leverage turnkey solutions to defraud victims globally. These findings come alongside discoveries of weaponized parked domains and sophisticated nation-state-linked infrastructure.

The PBaaS Economy

Pig butchering scams – where criminals build trust before convincing victims to invest in fake schemes – now operate through full-service providers. Infoblox researchers detailed two key enablers:

1. Penguin Account Store: Offers:

   • Stolen social media credentials ($0.10-$5/account)
   • Bulk SIM cards and IMSI catchers
   • "Character sets" (photos for fake profiles)
   • SCRM AI platform automating victim engagement
   • BCD Pay cryptocurrency laundering service

2. UWORK CRM Platforms: Provides:

   • Pre-made scam website templates ($50+)
   • Fake trading platforms mimicking MetaTrader
   • Admin panels tracking agents/victims
   • Mobile apps bypassing app store reviews

"Sophisticated Asian crime syndicates have created a global shadow economy from their safe havens in Southeast Asia," noted researchers Maël Le Touz and John Wòjcik. "PBaaS provides mechanisms to scale operations with minimal effort."

Weaponized Parked Domains

Separate Infoblox research found 90% of parked domains redirect visitors to scams/malware. Attackers use:

• IP geolocation fingerprinting
• Device profiling
• Cookie tracking

Visitors from residential IPs see malicious content, while VPN users view legitimate parking pages.

Evilginx Phishing Evolution

Threat actors increasingly deploy Evilginx adversary-in-the-middle toolkits, now featuring:

• Wildcard TLS certificates
• JA4 fingerprint filtering
• Multi-domain phishlets
• JavaScript obfuscation

Recent campaigns targeted 18 U.S. universities using 67 malicious domains.

APT-Linked Gambling Network

Malanta uncovered a 14-year operation with:

• 328,000+ hijacked domains
• 236,000+ gambling sites
• AWS-hosted Android malware droppers
• Government website compromises

This infrastructure shows nation-state-level persistence and resources, previously documented as the Slot Gacor campaign.

Protective Measures

1. Verify Investment Platforms: Check financial regulator registrations
2. Monitor Domain Parks: Block known parking DNS providers
3. Enforce MFA: Mitigate stolen credential impact
4. Audit Cloud Assets: Prevent dangling DNS hijacking
5. Train Staff: Recognize social engineering red flags

"The industrialization of cybercrime demands equally industrialized defenses," concludes Infoblox's report. "Understanding these service models is crucial for effective countermeasures."