ESET warned WhatsApp users that a fraudulent message is circulating in the app, claiming that WhatsApp is celebrating an anniversary by giving away 1000GB for internet navigation via WiFi.
The site the fraudulent message links to asks the user to share the offer with at least 30 other users before being able to access the prize. ESET even detected a script on the website that counts how many times the offer has been shared, in order to maximize the message’s viral and fraudulent reach.
The fraud’s purpose is to show ads during the entire process. No evidence was found of malicious software or stolen data, which means that the campaign’s profitability depends entirely on the massive display of ads to users.
During their investigation, ESET also found evidence of a new website used to con thousands of innocent users via phishing.
After analyzing all of the websites indexed under that domain, at least 66 different “offers” were found, each pretending to belong to a different brand, including Adidas, Nescafé, Sopas Sorrel, and Rolex, among others. Even where the domain is different, as with the fake Nescafé campaign, it is still a phishing campaign similar to the one reported a couple of weeks ago under the Nespresso name, which pretended to offer free coffee machines.
6 keys to identifying phishing e-mails
- Pay attention. Does the message really display knowledge about the person to whom it was sent? Is it a known sender? Service providers do not address messages to “Esteemed clients”, and will instead customize them. It is also important to learn to identify “fake customizations”, such as the use of fake identifying numbers that cannot be verified.
- Do not trust attached files or linked URLs. Service providers will rarely ask anyone to log in through a linked URL, even if the message is otherwise properly customized. If you ever receive a message like this, you need to first check that the linked URL is reputable. Still, it is highly recommended not to trust unwanted files, whether attached to e-mails or linked through URLs in the message, even if they come from trusted friends.
- Basic precaution: Hovering over the link to see the URL is key when checking its legitimacy. In addition, if you receive an offer that seems too good to be true, check the brand’s official social media accounts to make sure it’s real.
- Don’t be afraid of potential threats: You must avoid panic and reactionary measures when threatened with the possibility of the suspension or elimination of an account. Most companies do not do this.
- Don’t go click-crazy: Don’t blindly accept any software’s terms and conditions because you trust your antivirus of choice. New code can always be written that has not yet been added to every antivirus database. Because of this, it is important to identify malicious sites or files in order to avoid them. Knowing the risks is the best way to avoid being conned.
- Pay attention to details: Rudimentary phishing e-mails, comprised of nothing but text and typos, are rare nowadays. The method of attack hasn’t changed; what has improved is the quality of the social engineering used to create them. Attack vectors have moved on to other messaging platforms such as SMS, social media like Facebook and Twitter, and even voice mail.
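The "check the linked URL" advice above can be automated for forwarded messages. The following is an added example, not code from ESET or the original article: it flags links that use a brand name in the host or path while being served from a domain the brand does not own. The allowlist, function names and the sample message (which uses the reserved `.example` TLD) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration: brand keyword -> domains the brand uses.
OFFICIAL_DOMAINS = {
    "whatsapp": {"whatsapp.com"},
    "nescafe": {"nescafe.com"},
    "adidas": {"adidas.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_official(host, domains):
    """True only for the official domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_url(url):
    """Return the reasons a URL looks like a brand-themed lure (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The brand name may sit in a subdomain, the path or the query string.
    haystack = f"{host}{parts.path}?{parts.query}".lower()
    reasons = []
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in haystack and not host_is_official(host, domains):
            reasons.append(f"uses '{brand}' but host '{host}' is not official")
    return reasons


def scan_message(text):
    """Map each suspicious URL found in a message to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        reasons = check_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample message; not a captured one.
SAMPLE = (
    "WhatsApp anniversary! Get 1000GB free: "
    "http://whatsapp.free-offer.example/1000gb. "
    "Free coffee machine: http://free-offer.example/nescafe/machine "
    "Official help: https://faq.whatsapp.com/"
)

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE).items():
        print(url, "->", "; ".join(reasons))
```

A brand name in the URL is only a signal that the link claims an identity; the host comparison is what decides whether the claim holds, which is the same judgment a user makes when hovering over a link.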