Online criminals use some countries as testing grounds to see if they can take their attacks big time.


You don’t need to watch out for this scam, do you—an ad for super-cheap UGG boots on Facebook with writing in Czech?

“Vanocni darky,” it says—meaning “Christmas gifts” in English. And it shows, a Czech site.

The ad is not real and the cyber crooks behind it are out to steal your credit card number, according to security researchers at ESET’s WeLiveSecurity

That’s bad. But if you don’t live in the Czech Republic, you might dismiss this as a faraway scheme only affecting people in distant countries.

It may be time to change your view.


This site,, tries to steal your credit card number, according to ESET’s WeLiveSecurity. Image from


Cybersecurity experts say digital attackers often try out their cons on one country first. If successful, they may expand their reach—and hit closer to your home.

“Sometimes they start the first malicious steps in their own country because of language reasons and possible targets—banks, apps,” said ESET’s Lukas Stefanko to Archer News. 

If the scam is a winner, they can translate their cyber fraud into more languages and target more countries.

“Yes,” Stefanko said. “We see sometimes this exact scenario.”


Facebook ads for can trick people into giving their credit card numbers to crooks, said ESET’s WeLiveSecurity. Image from


No place like home

This kind of home-based scheme-testing can happen on a consumer level—like the fake UGG boots ads—or on a much bigger scale. 

“Many times, researchers will see new malware used in these areas as a test bed first, then if successful, the tool will be used in a much broader attack targeting other governments and organizations,” said security researcher Brian Batholomew with Kaspersky Lab.

He mentioned a cyber threat group called ‘Sofacy’—also known as ‘Fancy Bear’ and ‘APT28’—which targets military and government organizations around the world, according to Kaspersky Lab.

“For example, Sofacy, who is believed to be Russian-based, will target other Russian-based victims such as media and individuals considered to be a threat, before using the same malware on European and U.S.-based targets,” Bartholomew told Archer News.


The German parliament building or ‘Bundestag.’ Experts say Sofacy targeted the German Bundestag, as well as many other locations including the White House.


Not just language

Language is not the only motivator. Some malicious hacking groups may choose a certain testing ground because their guinea pigs can’t fight back. 

“This is a common tactic for many countries to ‘test’ their methods on a small audience who may be less likely to detect it or do anything to defend against it,” Bartholomew said.

The trial run could play out in a smaller country with a weaker government.

“Many of the actor groups believed to be originating out of China typically test their malware on Taiwan and Tibet before moving on to other targets such as Western governments and corporations,” said Bartholomew.


Lhasa, Tibet. Chinese-based attack groups often test their malware on smaller countries like Tibet before moving on to Western countries, according to Kaspersky Lab.Photo credit: archer10 (Dennis) 80M Views via / CC BY-SA


Like the flu

That means the cyber infection you see bedeviling another country could soon end up bedeviling yours, spreading—and mutating—like the flu, according to Claudio Caracciolo with cybersecurity company ElevenPaths.

“The same concept,” he said. “A few infections, and it starts changing.”

Caracciolo lives in Argentina and sees cyber attacks moving and modifying through Latin America.

One example—a credit card fraud scheme that started in Colombia, then passed through Chile and Argentina before moving on to other countries.

“They begin in one country, they choose it as their objective, and they test. Test it for a couple of months, a year,” he said. “That’s how it evolves.”


Sao Paolo, Brazil. Attackers may start their operation in their own country in Latin America, then take on other countries. Photo credit: Diego3336 via / CC BY


Working together

It may be one group at work, or groups that share or copy their techniques. 

Brazilian and Russian hackers are collaborating on some kinds of attacks, with Russian cyber criminals using Latin American countries as testing zones, Kasperksy’s Dmitry Bestuzhev said to Reuters last year.

Cybersecurity experts are aware that cyber crime has no borders and try to share information about threats.

“It doesn’t make sense to close yourself in a community of one country,” said Caracciolo.

But many people and businesses may not realize how quickly and easily a cyber scheme can leap continents.

“Absolutely,” said Bartholomew. “This is a common mistake made by a lot of organizations.”


Cybersecurity experts say Brazilian and Russian malicious hackers are collaborating on some attacks.


Do I make a good target?

When you hear about a cyber crime, don’t focus on geography, but on whether you would make a good target, he suggested.

Do you do business with or in the country? Is your industry considered a prime target? Do you have intellectual property another country wants?

“These are the questions that should be asked,” Bartholomew said. “Very rarely does an actor stick to ‘geography’ with regards to their victims.  It’s more so the ‘industry vertical’ that is used, i.e.: defense contractor, government, mining and materials, etc.”

It’s personal

On a personal level, be aware that the fake UGGs ad attack could migrate to your country, just as its predecessor—the fake Ray-Ban ad attack—did. 


Cyber crooks used the promise of very cheap Ray-Bans as a lure to steal people’s credit cards in fake Facebook ads, ESET’s WeLiveSecurity said.


Eventually, the fake Ray-Ban attack sites accepted currency from many different countries, including the U.S., Canada, Australia, Brazil, Sweden, Norway, Denmark, Singapore and countries in the European Union.

A malware that first hit ATMs in Eastern Europe in 2014 later spread to the U.S., India and China, Kaspersky Lab said.

popular form of ransomware now offers you language options in English, Turkish, Arabic, Italian, Dutch, Japanese, Spanish, Chinese, Portuguese, French, German and Polish.

A similar version of ransomware will even shut itself down if you are not located in a country they want to target.

“If something serious happens to one country, that can put people in this country at risk,” Caracciolo said. 

“People should be concerned,” said Stefanko. “Try to prevent it from happening in the first place and be every now and again little bit suspicious.”


Feature image of rat: Photo credit: David Noah1 via / CC BY