Over the last few weeks we’ve seen an increase in fake vouchers – purporting to be from different shops – being spread throughout the world via WhatsApp. This is not the first time that we have seen users receive these kinds of vouchers but, on analysis of this recent flurry of activity, we can be almost certain that, this time, we are talking about an organized scam campaign that is operating on a global scale.

First examples

It was mid-August when we first observed that people were receiving links sent by their WhatsApp contacts that pointed to some kind of survey that was sponsored by a well-known supermarket brand from numerous countries. Below you can see two examples of this scam, one for Coles Supermarket (Australia) and another for Mercadona (Spain).

supermarket2mercadona

Thanks to the guys at Hispasec, we now know that these examples were not isolated cases and that the individuals behind the scams were effective in impersonating these brands (and gain the confidence of users). Some of the supermarkets used to this effect included Lidl in Italy, 7-Eleven in the US, Albert Heijn in the Netherlands and Woolworths in Australia.

The way in which the scam works is relatively simple. Some WhatsApp users receive a message with a link that redirects them to a fake website that is mimicking the supermarket in question, promising then voucher of a certain worth. To benefit from this deal, the user needs to register their personal data, including their name, email, mobile phone number, address and so forth.

Mercadona_whatsapp

All this data is then collected and subsequently used in spam campaigns. However, in addition to this, it’s also possible that the scammers will try and lure the victim into subscribing to a premium SMS service that will cost him or her money.

Other variants

It seems that this initial campaign was quite profitable for the scammers because, since then, we have seen similar cases materialize (at least a new one every week). For example, last week we observed a new scam campaign using the same strategy but this time claiming to be Starbucks. Of course, the vouchers were adapted to the local currency.

In this case, the scammers didn’t bother themselves in translating the message for other non-English speaking countries. Even then, people filled in the fields that requested their personal data.

starbucks_whatsapp2

Just yesterday, Pablo Ramos, head of LATAM research lab at ESET, analyzed another campaign that was impersonating the Spanish fashion firm Zara.

zara_scam_whatsapp

In this instance, the scammers weren’t looking for personal data. Instead, they were trying to convince the victim that their Android device was infected and needed urgent attention. They would then aim to lure them to download a fake antivirus app by subscribing to a SMS premium service.

zara_infeccion

Conclusion

These new scam campaigns adapt and reuse other techniques that we have seen in recent years when analyzing mobile focused malware. The use of a recognizable brand to convince the victim of authenticity, the false voucher promising an interesting prize - these are examples of strategies that have been previously deployed. But what makes these new campaigns dangerous is how fast they are spreading through instant messaging apps like WhatsApp.

It reminds us of a time when Microsoft Messenger was used to share links that would redirect users to a malicious website, and, as these recent cases have proven, if it has worked before, then it can work again. It’s our job as security conscious individuals to make sure that we people won’t fall into this trap and not only avoid clicking onto these links but also warning our contact to do the same.