Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

martes, 6 de febrero de 2018

Who is behind those FAKE Whatsapp campaigns supposedly giving for free Nike shoes and alike?

Update 1I did submit all this information to Facebook so they might take any "action" against the responsible behind this fraud and to signal they do not allow to abuse their infrastructure to lure its users, but apparently they do not care much about these actors, this was its response:

Hola Emilio,
We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you're describing is a social engineering attack against people, which is not in scope for our program.
Gracias por comunicarse con Facebook,

Update 2: Also similar campaign in France targeting Air France


Today is the Safer Internet Day. It is an European initiative which has grown beyond its traditional geographic zone and is now celebrated in approximately 130 countries worldwide with the support of many stakeholders.



Some supporters of SID



Meanwhile in WhatsApp we still receive messages like the below picture:

English translation: Nike will give for free 5000 pairs of shoes due to its 55° anniversary. Get your shoes for free in: .... ) 

Fake Nike promotion in Spanish language


Fake Nike promotion in Italian language



Luring to any user who click in the link above (notice the KOI-7 encoding of nike.com - this is known as a homograph attack) going through the below redirection:


then ending end up with a survey as the below hosted in a recent created domain ( 3 days old and a risk score of 100 based on DomainTools ) and whose analysis in VirusTotal is NOT flagged by any commercial vendor.




Any unsuspected user will fill in the survey which is based on 4 basic questions. Afterwards a pre-requisite to receive the free shoes is to share the message through whatsapp with 20 of your friends. The ball keeps growing. 



The user then click on the whatsapp button to share the message. Once the message has been shared among its contacts you will be redirected to another site (bye bye Nike shoes :( )

The above redirection make sure we are arriving from the previous Whatsapp campaign (as this is a referred marketing network, otherwise a different site will be presented). As we are arriving from the Fake Nike whatsapp promotion we are presented now with the below site:




Now the user still willing to get the promised Nike shoes will fill in the above form with its personal data. But here the interesting part (as always) is in the small letter, by clicking on Patrocinadores we will see the below text:


where there are quite a few companies from different sectors willing to sink its teeth into your personal data:





and here finally we do get a mail address responsible for this "Fake" campaign, so you have now an address to write in case you have not received your promised Nike shoes:




or a postal address to write them:




Interestingly the domain greenflamingopromotions.com was also recently created, some months after the business was set up, under an anonymous whois provider and hosted in Rusia:

Correlating data with the DomainTools tool Iris


If we pivot over any IP address related with the domain to take a look into PassiveDns information we can see the malicious history of domains hosted on such IPs (most of them under the TLD .review and .win). There are hundreds of different and random domains created recently with the only purpose to host fake marketing campaigns to be spread like wildfire through social networks as the current one:


PassiveDNS information extracted with VirusTotal


Below are some of the business who this entity will collect your personal data for their commercial purposes through fake campaigns like this:








and so on, we could stay giving out personal data for free to these companies for a while:






The key factor here is that those companies are not the culprit here but the intermediate agencies like Green Flamingo Promotions and alike who are using these tactics to do their business: to collect your personal and private information in order to sell it. 

There is no need to clarify how greedy these companies might be collecting your data in order to sell you their services. Just bear in mind that even with data that you are not giving but disclosing through the kind of devices you are connecting from and correlated with data collected through the previous dubious campaigns they may infer even your social class


Today is the Safer Internet Day so keep your data private or at least do not incur in fake campaigns like these. You have been warned !!

No hay comentarios:

Publicar un comentario

Trata a los demás como te gustaría ser tratado.