Coupons or Victims ?

Michael George
4 min read · Dec 24, 2020

Hey folks, as usual the end of the year is a favorite time for spammers to fool people and steal their credentials, hack their devices, or blackmail them one way or another.
I noticed that there is a malicious page being widely spread on WhatsApp, looking like this:

So, basically it is a malicious page and I did not know its methodology or its goal, but I said to myself, let me take a step and try to learn more about this widely spread malicious web page.

First Challenge: I will not let you IN

The first challenge I faced was that this malicious web page was developed to interact with phones but not with PCs. To do that, its JavaScript checks the orientation and size of the viewport (to decide whether it is a phone or not), and if the viewport is bigger than a phone's it automatically forwards you to another page (a page that just says error!).

So, I spoofed an Android Mozilla user agent:

Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36

And sent the request via Burp Suite so I could bypass the screen orientation validation, and funny enough, it worked.
Now I started checking the page, which was a "Blogger" page but with customized CSS to make it look the way it does.

Seeing that it was "Blogger" means the attacker will not use PHP; rather, in his malicious process he will use JavaScript, knowing that Blogger supports JS.

The Mechanism

Mainly I classified the purposes of this scam into 3 stages:

1- Tricking

So when you open the page from a phone you will see that the page has a game: when you roll and get the same shape 3 times, you win a reward.
The attacker uses JS code to tell you on the first 2 tries that it is not correct, and on the third try it will work and tell you "SUCCESS YOU WON!!". So they use social engineering to trick people and fake a success for them, so they get excited for the next 2 steps.

2- Spreading

After tricking we go to the next step, which is "spreading", and this is the step where the attacker asks the victim to share the link with others on WhatsApp. The point is that the attacker is using a "WhatsApp wrapper" which only works on phones, because that is where the application is installed (now we know why he wanted only phones and prevented PCs from seeing the web page).

3- Hitting

Now, after spreading we go to the most important part, which is "hitting".
After you share with 15 of your friends it forwards you to another page that congratulates you and asks you to download and install an application as a final step to win the prize.
When you download this app it will harm your device, planting backdoors, spyware, adware or any other harmful things.
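The three stages above leave recognizable traces in a saved copy of such a page, so here is a small triage script I am adding as an example (it is not code from the post or from the scam page). It assumes the analyst has the page's HTML as text and uses a constructed sample that only mimics the traits described: a viewport check that sends PCs to an error page, a WhatsApp share wrapper with a share counter, and a final APK link.

```python
import re

# Constructed HTML standing in for a saved copy of a scam page (not the real
# page from the post). It only reproduces the traits the write-up describes:
# mobile-only gating, a WhatsApp share wrapper with a share counter, and a
# final APK download.
SAMPLE_PAGE = """
<script>
if (window.innerWidth > 800 || screen.orientation.type.startsWith('landscape')) {
  window.location = 'error.html';
}
var shares = 0;
function share() {
  shares++;
  window.open('whatsapp://send?text=' + encodeURIComponent(location.href));
  if (shares >= 15) { window.location = 'congrats.html'; }
}
</script>
<a href="https://example.invalid/prize.apk">Download to claim your prize</a>
"""

# Regexes per stage; a page hitting all three stages shows the full chain.
STAGE_PATTERNS = {
    "gating":    [r"innerWidth\s*[<>]", r"screen\.orientation", r"matchMedia\("],
    "spreading": [r"whatsapp://send", r"api\.whatsapp\.com/send", r"wa\.me/"],
    "hitting":   [r"\.apk\b"],
}
# Matches a comparison against a share-like counter, e.g. "shares >= 15".
COUNTER_RE = re.compile(r"\b(\w*shar\w*)\s*(?:>=|==|>)\s*(\d+)", re.IGNORECASE)


def triage(html):
    """Return {stage: [matched patterns]} for every stage with at least one hit."""
    hits = {}
    for stage, patterns in STAGE_PATTERNS.items():
        found = [p for p in patterns if re.search(p, html, re.IGNORECASE)]
        if found:
            hits[stage] = found
    return hits


def share_threshold(html):
    """Return the share count the page waits for before moving on, or None."""
    m = COUNTER_RE.search(html)
    return int(m.group(2)) if m else None


def is_full_chain(html):
    """True when gating, spreading and hitting are all present in the page."""
    return set(triage(html)) == set(STAGE_PATTERNS)


if __name__ == "__main__":
    print(triage(SAMPLE_PAGE), share_threshold(SAMPLE_PAGE), is_full_chain(SAMPLE_PAGE))
```

Run it against the HTML you fetched with the spoofed mobile user agent; a page that trips all three stages and exposes a share threshold is worth reporting rather than clicking through.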

Who is doing this?

What I was able to find out from the source of the page is that the attacker forgot to remove his Blogger profile links from the source. They were exposed and allowed me to see the owners of the malicious web page, and also all the other malicious web pages they had made before to collect information or to plant backdoors or evil extensions.

Stay safe, guys, and don't be tricked.