WhatsApp messages masquerading as the offers from various giant entities with links luring unsuspecting users with the promise of transport subsidy, medical subsidy, recharge offer, free travel tickets etc., have been making the rounds on the app recently. If you receive such messages try to stay away from these, as these can be a scam.
Images above show Fake WhatsApp Messages (Screenshots)
The Research Wing of CyberPeace Foundation, Autobot Infosec Private Limited along with CyberPeace Center of Excellence (CCoE) have conducted six different studies based on these WhatsApp messages that contained links pretending to be a free subsidy, recharge offer and travel tickets from Indian Railways, Apollo Hospitals, Haldiram, Emirates Airlines, Various Telecom giants and Tata Group which ask users to participate in various offers and survey in order to get a chance to win the prizes.
Warning Signs
CyberPeace Advisory
The campaigns are pretended to be the offer from various big brands but hosted on the third party domain instead of the official website of the respective brands which make it more suspicious
The domain names associated with the campaigns have been registered in very recent times.
Multiple redirections have been noticed between the links.
No reputed site would ask its users to share the campaign on WhatsApp.
The prizes are kept really attractive to lure the laymen.
Grammatical mistakes have been noticed.
CyberPeace Foundation recommends that people should avoid opening such messages sent via social platforms.
Falling for this trap could lead to whole system compromise such as access to microphone, Camera, Text Messages, Contacts, Pictures, Videos, Banking Applications etc as well as financial loss for the users.
Do not share confidential details like login credentials, banking information with such a type of scam.
Never share or forward fake messages containing links to any social platform without proper verification.
Never install an application from a third party source instead of the official app store.
There is a need for International Cyber Cooperation between countries to bust the criminal gangs running the fraud campaigns affecting individuals and organizations to make the Cyberspace resilient and peaceful.
On the landing page a Congratulations message appears with the attractive photo of the offers and ask users to participate in a quick survey or questionnaires in order to avail the said offers. All the links showcase the respective logos of the said entities and ask users to take the survey to win recharges and subsidies.
Also at the bottom of the page a section comes up which seems to be a comment section where many users have commented about how the offers are beneficial.
All the surveys start with some basic questions like Do you know the above mentioned companies How old are you What do you think of Emirates Airlines or Haldiram’s Are you male or female etc.
Once the user answers the questions a “congratulatory message” is displayed. After Clicking the OK button users are given three attempts to win the prizes.
After completing all the attempts it says that the user has won the respective offers.
Image 2: Fake congratulatory messages
Clicking on the ‘OK’ button, it instructs users to share the campaign on WhatsApp. Strangely enough the user has to keep clicking the Whatsapp button until the progress bar completes. After clicking on the green ‘WhatsApp’ button it shows a section where a “Congratulations” appears once again.
During the analysis the research team found a JavaScript code called hm.js was being executed in the background from the host hm[.]baidu[.]com which is a subdomain of Baidu and is used for Baidu Analytics, also known as Baidu Tongji. The important part is that Baidu is a Chinese multinational technology company specializing in Internet-related services, products and artificial intelligence, headquartered in China.
The campaign, pretending an offer from TATA, insists users to download an application from a third party app store.
To read the detailed reports, visit www.cyberpeace.org/publications
The detailed study helped CyberPeace and AutoBot Infosec Pvt Ltd to come to the following conclusions:
The whole research activity was performed in a secured sandbox environment where the WhatsApp application was not installed. If any user opens the link from a device like smartphones where WhatsApp application is installed, the sharing features on the site will open the WhatsApp application on the device to share the link.
The campaign collects browser and system information from the users.
Most of the domain names associated with the campaign have the registrant country as China whereas the campaign that offers free 30GB of internet data has the registrant country as Pakistan.
Cybercriminals used Cloudflare technologies to mask the real IP addresses of the front end domain names used in the campaigns. But during the phases of investigation, the research team has identified a domain name that was requested in the background and has been traced as belonging to China.
