Since early 2018, some of your WhatsApp contacts may have sent you a very interesting offer for sports shoes: “Adidas is offering 2,500 pairs of shoes to celebrate its 69th anniversary”. The message is followed by a link from which to obtain the promised item. Look closely at the link in the message and you will notice that there is no dot above the short vertical line that should be the letter “i”. This is a homoglyph (often referred to as homograph) attack: the link looks legitimate but is in fact a spoofed domain in which one character has been replaced by another that looks the same to the unwary eye, and which the browser resolves to a completely different host.
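The “dotless i” trick works because the browser does not compare what you see; it converts the hostname to its Punycode (xn--) form and resolves that. The following Python is an added example, not ESET’s tooling nor anything from the campaign itself, showing the checks a practitioner would run on a suspicious link: extract the hostname, show its Punycode form, list any non-ASCII characters by Unicode name, flag mixed Latin/Cyrillic scripts, and map a small hand-picked table of lookalike characters back to the ASCII letters they imitate so the hostname can be compared against a brand name. The sample URLs and the confusables table are constructed for the example (the table is a partial subset, not the full Unicode confusables list), and `adidas` is used only because it is the brand named in the message.

```python
"""Spot homoglyph (IDN lookalike) hostnames in URLs.

Added example: not code from the original post or from ESET. The sample
URLs below are constructed, and CONFUSABLES is a small hand-picked subset
of lookalike characters, not the complete Unicode confusables data.
"""
import unicodedata
from urllib.parse import urlsplit

# Lookalike -> the ASCII letter it imitates (partial, constructed table).
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the "i with no dot")
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}


def hostname_of(url):
    """Return the NFC-normalised hostname; tolerate links with no scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return unicodedata.normalize("NFC", host)


def to_punycode(host):
    """The form the browser actually resolves (IDNA / Punycode, xn-- labels)."""
    return host.encode("idna").decode("ascii")


def non_ascii_chars(host):
    """Every non-ASCII character in the hostname with its Unicode name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def scripts_in(host):
    """Script prefix of each letter's Unicode name: 'LATIN', 'CYRILLIC', ..."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def skeleton(host):
    """Replace known lookalikes with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyse(url, brands=("adidas",)):
    """Summarise why a link's hostname is (or is not) a homoglyph lookalike."""
    host = hostname_of(url)
    suspicious_chars = non_ascii_chars(host)
    mixed = len(scripts_in(host)) > 1
    skel = skeleton(host)
    # A brand that appears only after de-confusing the hostname is being spoofed.
    impersonates = [b for b in brands if b in skel and b not in host]
    return {
        "host": host,
        "punycode": to_punycode(host),
        "non_ascii": suspicious_chars,
        "mixed_script": mixed,
        "skeleton": skel,
        "impersonates": impersonates,
        "suspicious": bool(suspicious_chars) or mixed or bool(impersonates),
    }


if __name__ == "__main__":
    # Constructed samples: the genuine spelling, a dotless-i lookalike,
    # and a Cyrillic-a lookalike (mixed script).
    for sample in ("http://adidas.example/offer",
                   "http://ad\u0131das.example/offer",
                   "http://\u0430didas.example/offer"):
        report = analyse(sample)
        print(report["host"], "->", report["punycode"], report)
```

Two things worth noting. The genuine spelling produces the same string in its Punycode form and is not flagged; the lookalike turns into an `xn--` label, which is the cheapest reliable check a user or a mail/chat gateway can do. The skeleton comparison is what catches the case the eye misses: the dotless i is Latin script, so a mixed-script rule alone would not flag it, which is why the confusables table is needed in addition to the script check.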
When the link from the spammed WhatsApp message is opened, the website first runs a few checks to ensure that the request comes from a mobile device such as a smartphone. Should those checks succeed, the website then obtains geolocation data for the visitor’s IP address and, depending on the country, may redirect the visitor. The countries targeted in this round were Norway, Sweden, United States, Netherlands, Belgium, Pakistan, Nigeria, Kenya, Macau and India. But as the cybercriminals expand the attack, Ireland and the UK could be next.
After being redirected, visitors see a four-question survey. Whatever the victims answer, they are rewarded with a message saying that they are “qualified” to get a free pair of shoes. Of course, they are told that they must share this offer with their friends on WhatsApp to get the “prize”. When tapping the WhatsApp share button, the victims see a list of their contacts, from which to choose further recipients of this “offer”. Victims then have a few more questions to answer and are also told they have to share the ad on Facebook so they will (supposedly) be able to claim their shoes for $1.
A last form is presented to the victims, asking for their contact and payment details. Completing this “purchase” subscribes the victim to the “organizejobs” service, which charges the cost of a premium account, $49.99 per month. In the end, victims pay $1 for a pair of shoes without being able to choose the model or the size, and which the previous experience of others suggests will never be received. On top of that, victims are charged $50/month starting 7 days after the payment.
What to do? How to stay safe?
Here are some tips that should help you to recognize this kind of scam:
- Upon receiving such messages, ask the purported senders if they really sent them, as they could have been sent without the senders’ knowledge by malware installed on their phone.
- Search the internet for the offer. In this case, several websites mentioned the ongoing phishing attack.
- Use your favourite search engine to get a link to the company website. If the offer is not present on the site then it’s probably a scam. Mtlblog contacted the shoe company which confirmed the scam.
- If at all unsure, do not click any links and delete the message containing them or ignore it until it scrolls off your feed.
If you receive this kind of message, don’t hesitate to report it. You can notify the abused brand and you can report phishing to ESET at http://phishing.eset.com/.
Full story with screenshots of the scam (free to use) at ESET Ireland’s official blog.