This is how the attacker uses the victims as a means to distribute the scam campaign among their contacts. In addition to this, when the victim shares the promotion with their contacts, a new URL with a different scam-related domain is shared too, this making it more difficult to mitigate the campaign due to the usage of multiple domain names. The next step (step 5) of this scam campaign consists in randomly redirecting the victim through a variety of URLs containing different types of fraud and malicious promotions.
The fraudulent sites use the same design as the official websites that the attacker is trying impersonate, even imitating the official mobile applications of the affected company (given the case they exist). By using the corporate colors and brand image of the company, the scam campaign is successfully obfuscated.
We have identified that the main distribution vector in the Anniversary campaign is WhatsApp. However, the possibility that other distribution means are being used cannot be ruled out, such as, for example, posts on other social media networks or additional spam campaigns. This means that the campaign is mainly targeting mobile users, taking advantage of the trust relationship among the victims.
Second phase of the fraud
The second phase of this scam campaign begins after being shared on social networks. At this point, the victim is randomly redirected to a new, also randomly selected website, as it will be explained in a later section of this post. Numerous different fraud strategies requesting new actions from the victims in order to get the promised gift have been detected.
If a desktop computer is detected (step 5.1), the victim will be redirected, among different options, to a site where he or she will be requested to download a Google Chrome extension. This extension simulates a common Ad Blocker with different extra functions (that turn out to be malicious). For example, the user might end up downloading additional scripts from this site without being previously notified. Besides, this extension is capable of accessing the victim’s local data, sending it to the attacker afterwards. It is also capable of executing other processes in the background that store the collected information and modify the data received by the browser. In conclusion, the attacker knows what the user sends and decides what they can see.
In regards to mobile devices (step 5.2), the use of different social engineering strategies in order to collect the victims’ private information has been confirmed, for example: postal code, phone number or even credit card details. In some of the sites that the victim could be redirected to, transport companies are impersonated in order to get the victim’s physical address. In some other sites, the attacker asks for the user’s credit card details to charge them between €1 to €3, allegedly to confirm the victim's identity. Lastly, the attacker might also ask for the victim’s phone number to subscribe them to a Premium service which, in some cases, has involved a charge of up to €80 per month.
The attackers are using different TLDs such as .cn, .cyou, .shop, .top, .work to register the different fraudulent domain names. They are using services such as a DNSPod registrar (IANA: 1697) or Alibaba Cloud (IANA: 3775). Regarding the web hosting service, most of the fraudulent sites are hosted by Google Cloud servers and have Cloudflare reverse proxy service implemented with the intention of protecting the fraudulent infrastructure. Currently, over 800.000 fraudulent sites have been identified under this type of scam.
Considering the current market prices for the purchase of domain names and web hosting services, It is estimated that the cost of the investment to set up the analysed scam infrastructure could be between one million and one and a half million euros per year. Nonetheless, the technical team of Hispasec continues collecting information and finding new domains. That is why the real repercussions are still to be determined.
Affected companies and scope of the scam campaign
Although the real companies do not support, or are they related to this scam campaign, it is worth mentioning that all the detected fraudulent domain names are offering fake promotions on behalf of over 200 companies, such as Audi, Mastercard, Coca Cola, Facebook, Instagram, Netflix or Amazon, among many others. This is why the number of persons that might fall victim to the Anniversary scam campaign is very high, since the fraudulent sites adapt themselves to the language and official coin of the targeted country and because they affect many different companies from very diverse economic sectors.