Fraudulent offers – claiming to be sent from companies including Amazon, Adidas, and many others – are being spread through WhatsApp on International Women’s Day.
According to a report from the Cyber Peace Foundation, along with Autobot Infosec Private, the messages appear to promote a free gift in celebration of the day.
“Women’s Day Gift”, the scam website states; “More than 1000 units of chocolate and mobile equipment, as well as 500 cash prizes ranging from 50 to 5000 US dollars. All you have to do is open the correct gift box. You have 3 tries, good luck!”
The gifts include shoes, or high-end smartphones made by manufacturers such as Huawei, but are “kept really attractive to lure the laymen”, the report states.
Users are sent to bizarre websites with telling domain names indicating that they are unofficial, such as “.xyz” or “.buzz”, and told they have won a prize. The site then directs the user to complete a survey, asking questions such as: “Do you know amazon?, [sic]” and “Which amazon [sic] product do you want to buy as a Women’s Day gift??”, after which users are given three chances to collect their reward.
The websites have numerous grammatical errors, and encourage users to swap between multiple addresses, revealing their false origins.
The website addresses include “oovip”, “phonesvip”, “v-app”, “adidastore”, and “tatasamsung”. Underneath the websites is usually a social media comment section – which has also been faked – where many fake users have commented about their purported winnings.
Many of the websites were created in February or March, which is another hint towards their forged nature, as Amazon, Adidas, and Samsung’s websites have been in existence for longer than a few months.
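The indicators described above (unofficial top-level domains, brand names inside unrelated addresses, and recent registration) can be checked mechanically before a link is opened. The following Python code is an added example, not part of the report; the official-domain list, the 90-day threshold and the sample links are assumptions constructed for illustration, and the registration date must be supplied by the caller from a WHOIS lookup.

```python
from datetime import date
from urllib.parse import urlsplit

# TLDs and name fragments taken from the article.
SUSPECT_TLDS = {"xyz", "buzz"}
REPORTED_FRAGMENTS = {"oovip", "phonesvip", "v-app", "adidastore", "tatasamsung"}
# Assumption: one official domain per brand; regional sites would need adding.
OFFICIAL = {"amazon": "amazon.com", "adidas": "adidas.com", "samsung": "samsung.com"}
MAX_AGE_DAYS = 90  # assumed cut-off for a newly created site


def triage(url, created=None, today=None):
    """Return the article's warning signs that a link matches (empty list = none)."""
    if "//" not in url:          # chat messages often carry bare links
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    hits = []
    if host.split(".")[-1] in SUSPECT_TLDS:
        hits.append("suspect-tld")
    if any(frag in host for frag in REPORTED_FRAGMENTS):
        hits.append("reported-name")
    for brand, official in OFFICIAL.items():
        # Brand name appears, but the host is not the brand's own domain.
        if brand in host and not (host == official or host.endswith("." + official)):
            hits.append("brand-lookalike:" + brand)
    if created and ((today or date.today()) - created).days <= MAX_AGE_DAYS:
        hits.append("recently-registered")
    return hits


if __name__ == "__main__":
    # Constructed sample links and dates, not taken from the report.
    samples = [
        ("http://tatasamsung.buzz/women", date(2021, 2, 20)),
        ("adidastore.xyz/gift", None),
        ("https://www.amazon.com/gp/help", date(1994, 11, 1)),
    ]
    for link, created in samples:
        print(link, "->", triage(link, created, today=date(2021, 3, 8)) or "no indicators")
```

A link that matches none of these signs is not thereby safe; the check only encodes the hints listed in the report.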
The organisations found Chinese characters written in the source code, which, translated into English, state: “Answer the questions to get Valentine’s Day gifts. I participated in this questionnaire and won a mobile phone. My friend also won prizes”. This indicates that the same scam has been used on multiple holiday events.
The scammers’ campaign collects browser and system data from the device, and encourages the user to share the scam with others.
The report recommends “people to always keep away from such types of messages sent through social platforms”. It also says people should “always think before clicking on any links or downloading any attachments from unauthorised sources.”
Succumbing to such a scam could compromise users’ financial data if they logged in with banking information, or “could lead the users to face whole system compromisation”.