New Delhi, March 8th, 2021: WhatsApp messages masquerading as offers from Amazon, Adidas and TATA, with links luring unsuspecting users with the promise of Women’s Day presents, have been making the rounds on the app. CyberPeace Foundation, along with Autobot Infosec Private Ltd., launched an investigation into the matter to determine whether the campaign was legitimate or fraudulent.
- The campaign pretends to be an offer from Amazon or Adidas but is hosted on a third-party domain instead of the official Amazon or Adidas website, which makes it more suspicious.
- The domain names associated with the campaign were registered very recently.
- Multiple redirections have been noticed between the links.
- No reputed site would ask its users to share the campaign on WhatsApp.
- The prizes are kept really attractive to lure the laymen.
- Grammatical mistakes have been noticed.
**Note:** The information mentioned here was extracted during the investigation; it might have changed after the reports were generated.
- On opening the link https://oovip[.]xyz/hw/?v=20210205, users are redirected to https://phonesvip[.]xyz/hw/luodi.php#XX (where XX represents a unique 13-digit number, for example 1614920821200 and 1614933135000).
- On the landing page, a pop-up opens with details about the offer. It reads: “Women’s Day Gift More than 1000 units of chocolate and mobile equipment, as well as 500 cash prizes ranging from 50 to 5000 US dollars All you have to do is open the correct gift box. You have 3 tries, good luck!”
- After clicking on the OK button, the user is asked to participate in a quick survey to receive the free gifts.
- The survey starts by clicking on the ‘Start here’ option, and basic questions like ‘Do you know amazon?’, ‘Which social software do you use more often?’ and ‘Which amazon product do you want to buy as a Women’s Day gift’ are asked.
- After completing the survey, the user is informed that they are eligible to open the gift box and are given three attempts to win the prize.
- Between each attempt, a message stating the number of attempts remaining also appears.
- After all the attempts are utilized, a pop up that reads “CONGRATULATIONS! You guessed! Your prize money is: Huawei Mate 40 Pro 5G Full Netcom 8GB + 256GB (bright black)， Follow the instructions on the next page to claim your prize!” appears.
- Upon clicking the OK button, users are instructed to share the campaign on WhatsApp, with a green WhatsApp button provided for the same. After clicking on the button multiple times, a section with an instruction to complete the registration in order to win the prize is observed.
- After clicking on the green ‘Complete registration’ button, the user is redirected to the link https://www.graburprize[.]net/c/b795ebb3cf6XXXXX?&click_id=XXXXX&s1=72530&s2=1238468&s3=backuser&s5=&lp=MJ&j4=&j5=&j6=, where another loyalty program with a spin wheel can be seen. (Some characters are replaced with XX for security reasons.)
- At the bottom of this page, a section that appears to be a social media comment section can be noticed, with users commenting about how the offer was beneficial to them.
- The wheel can be spun two times, and after completion, another congratulatory message appears with two options to choose from. During the course of the investigation, it was noticed that no matter which option was chosen, users are redirected to the same Loyalty program page once again.
- The second link https://v-app[.]buzz/adidass/tb.php?_t=1614915696 also lures laymen with an offer similar to the first one. However, instead of the Huawei phone, in this case, Adidas ‘SUPERSTAR’ is the gift that users can receive.
- After asking them to share the campaign on WhatsApp, it takes users to a spin the wheel loyalty program page similar to the one discussed earlier.
- The link https://tatasamsung[.]biz/tata-bx/tb.php?_t=1615176815, which pretends to be an offer from TATA, actually redirected to the same type of Adidas campaign.
- Some of the other key findings include: the domain names are associated with Cloudflare, United States of America, and were registered very recently. The registrar and registrar IANA ID are also the same for all the domain names: NameSilo, LLC and 1479, respectively.
- During source code analysis, the titles of the sites https://phonesvip[.]xyz/hw/luodi.php#XX and https://adidastore[.]xyz/adidass/#XX were found to be ‘Amazon Women’s Day Gift’ and ‘Adidas Women’s Day gift’ respectively.
- The section that appears to be a social media comment area is static, not dynamic. It has been created with some HTML and CSS. Every time one visits the website, the section, including the time of the comments, remains the same.
- It was also observed that some of the profile pictures linked in the comment section were used on the internet many times.
- Some Chinese-language text was also found in the source code. When translated into English, it read: “Answer the questions to get Valentine’s Day gifts. I participated in this questionnaire and won a mobile phone. My friend also won prizes. To get prizes”. This means the same theme had been used for the Valentine’s Day campaigns.
- The Google Tag Manager ID was found to be G-TZT1MFFLVY, and the campaign was found to collect browser data and system data from the device.
- Users can win the Huawei Mate 40 Pro 5G Full Netcom 8GB + 256GB (bright black) or Adidas ‘SUPERSTAR’ only after completing the third attempt.
- The campaign pretends to be an offer from Amazon, Adidas and TATA but is hosted on a third-party domain instead of the official Amazon or Adidas website, which makes it all the more suspicious.
- Multiple redirections were noticed between links. The investigation was conducted in a secured sandbox environment where the WhatsApp application was not installed. If a user opens the link on a device such as a smartphone where the WhatsApp application is installed, the sharing features on the site will open the WhatsApp application on the device to share the link.
- The prizes are attractive in a bid to lure laymen.
- All the websites have different content, but follow the same mechanism and procedure to attract users.
- The campaign collects browser and system information as well as cookie data from the victim’s device.
- CyberPeace Foundation recommends that people avoid opening such messages sent via social platforms. One must always think before clicking on such links, or downloading any attachments from unauthorized sources.
- Falling for this trap could lead to compromise of the whole system (access to microphone, camera, text messages, contacts, pictures, videos, banking applications etc.) as well as financial loss for the users.
- Do not share confidential details such as login credentials or banking information in response to this type of scam.
- Never share or forward fake messages containing links on any social platform without proper verification.
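
The first warning sign in this report, a brand offer hosted off the brand's own domain, can be checked mechanically. The following Python code is an added example, not part of the CyberPeace report: it parses the defanged URLs published above without contacting them, tests each host against an assumed allowlist of official brand domains, and decodes the `_t` and `#XX` numbers on the assumption that they are Unix timestamps. The function names and the allowlist are hypothetical.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist of official brand domains (not taken from the report).
OFFICIAL = {
    "amazon": {"amazon.com", "amazon.in"},
    "adidas": {"adidas.com", "adidas.co.in"},
    "tata": {"tata.com"},
}

def refang(url):
    """Undo the [.] defanging used in the report so the URL can be parsed."""
    return url.replace("[.]", ".")

def on_official_domain(host, brand):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])

def epoch_values(url):
    """Decode 10-digit (s) or 13-digit (ms) values, assumed to be Unix time."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query)] + [parts.fragment]
    out = []
    for value in candidates:
        if re.fullmatch(r"\d{10}|\d{13}", value):
            secs = int(value) // (1000 if len(value) == 13 else 1)
            out.append(datetime.fromtimestamp(secs, tz=timezone.utc))
    return out

def triage(defanged_url, claimed_brand):
    url = refang(defanged_url)  # parsed in memory only, never fetched
    host = urlsplit(url).hostname
    stamps = [t.isoformat() for t in epoch_values(url)]
    return {"host": host, "timestamps": stamps,
            "official": on_official_domain(host, claimed_brand)}

# URLs as published in the report (fragment uses the report's example value);
# the brand is what each page claimed to be.
SAMPLES = [
    ("https://oovip[.]xyz/hw/?v=20210205", "amazon"),
    ("https://phonesvip[.]xyz/hw/luodi.php#1614920821200", "amazon"),
    ("https://v-app[.]buzz/adidass/tb.php?_t=1614915696", "adidas"),
    ("https://tatasamsung[.]biz/tata-bx/tb.php?_t=1615176815", "tata"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(brand, triage(url, brand))
```

Under the timestamp assumption, the decoded values fall between 5 and 8 March 2021, which is consistent with the report's observation that the campaign infrastructure was set up very recently.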