
Attackers use the WhatsApp service for a phishing campaign

In late August, we observed a malicious campaign distributing fake discount coupons disguised as coupons from various well-known stores. Links to the coupons were distributed through the WhatsApp application. We have seen similar mailings before, but they were local in nature; this time, we can talk about a global campaign.



The first cases of users receiving phishing links in the WhatsApp application were noticed as early as mid-August. The links led to the aforementioned discount coupons. Below are two examples of coupons for stores: one for Coles Supermarket (Australia) and the second for Mercadona (Spain).




Thanks to information from our colleagues at the Spanish company Hispasec, we learned that this mailing was not an isolated case and that the attackers had already specialized in such mailings, disguising them under various well-known supermarket brands, including Lidl in Italy, 7-Eleven in the USA, Albert Heijn in Holland and Woolworths in Australia.

The fraud mechanism is fairly simple. Some WhatsApp users receive a message with a link that redirects them to a fake website disguised as a supermarket site. On this website, the user must answer questions in order to “get a discount” from the store. The answers to the questions are the user's personal data: name, email address, mobile phone number, address, etc.



The collected data will later be used by the attackers for subsequent spam campaigns. The fraudsters can also try to sign the victim up for a paid SMS mailing, which leads to regular deductions of money from the user's phone account.

Other options

It is evident that the initial spam campaign was profitable enough for the attackers, since it was followed by new ones. For example, we observed a new fraudulent campaign that used the same strategy. This time, the Starbucks coffee company was chosen as the target. The voucher discount is adapted to the local currency.

In the case of Starbucks, the scammers did not adapt the text of the coupon to the language of the relevant region; English is used for all of them.



Earlier, our colleague, Pablo Ramos, head of ESET's antivirus laboratory in Latin America, published an analysis of another malicious campaign that used the Zara brand.



In this case, the fraudsters did not try to get personal data from the user; instead, they tried to convince the victim that their Android device was infected with malware. The user was then asked to download a fake antivirus application by subscribing to a paid SMS list. A screenshot of the application is shown below.



Conclusion

The malicious campaigns described above use methods that we have previously observed when analyzing mobile threats. The use of well-known, recognizable brands and the promise of a discount are techniques we have seen several times before. The campaigns considered here are more dangerous because they use the WhatsApp instant messaging service.

This situation reminds us of the time when attackers used a similar instant messaging service, Windows Live Messenger, to distribute their malicious links. As you can see, the situation has not changed since then; only the instant messenger has changed. The attackers themselves follow one rule: if it worked before, it will work again. We recommend that users do not follow phishing links and do not trust outsiders with their personal data.

Source: https://habr.com/ru/post/266963/

