We recently investigated a suspicious link received by one of my colleagues on WhatsApp. The message (in Portuguese) states that Volkswagen is offering 20 free cars until the end of the year, and directs users to participate on a site that has been apparently crafted especially for this “event”.
After an initial investigation, it became clear that something was not right with the site. Several security vendors blacklisted it as a phishing site. Although it looked fishy, none of the classic phishing characteristics were present. It looks like a standard campaign site. The only thing missing is the “pro” look and feel of real campaigns when displayed on a desktop browser. The site appears okay on mobile, perhaps because it was intended to target users on these devices.
The main purpose of the site is to get users to resend the campaign link to at least 20 friends on either Facebook Messenger or WhatsApp. Once the campaign has been shared, the scam authors promise to contact you on Facebook.
We didn’t notice any places where the site collects personal information, so it doesn’t seem to be a classic phishing site, which usually steals personal data such as login information or credit cards. The goal, in this case, seems to be a simple advertisement designed to spread to as many viewers as possible. There are several leads; let’s take a look at them.
Random redirects to various ad sites occur after clicking on any of the page objects, including buttons:
After clicking one of the page objects, there’s a big chance you will be redirected to a third-party ad server. These redirects are random and lead to a different advertisement every time.
Fake Facebook Likes
Another suspicious part about this Volkswagen campaign is a hard-coded “likes” number located at the bottom of the scam page. Even after several reloads, the number always stays the same. After a closer look, it’s clear that these images and numbers are just fake:
Based on the static image filename and the location where it’s stored, it’s apparent that it’s just a local image which is reused all the time. Also, the final text “58,249 Outros como este.” seems to be static and not dynamically generated using the Facebook API.
Blocking Research Attempts
A third suspicious indicator that it’s a scam is the basic blocking of research attempts. The site blocks the opening of dev tools in both Chrome and Firefox. Both right-clicking functionality and the menu for opening page source are blocked.
Checking the Source
But what does this code really do? The snippet opens the application and prepares the message to share the campaign to your friends on Messenger or WhatsApp. After the campaign link has been sent, a simple notification is displayed informing users that they will be contacted on Facebook if they win. And that’s all:
With all these leads combined, we can conclude that this is a scam site aiming at maximizing the income from various advertising networks. This has been a trending monetization method over the past year, and sharing a scam site without any other “malicious” activity bundled with it is one of the ways the attackers are generating revenue. It’s still a scam, but one based on social engineering. This is a prime example of one of the oldest and most basic techniques – making people believe that they can get something for free.
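The leads described above can also be checked against saved page source, without opening the page in a browser where the dev tools are blocked. The following is an added example, not code from the scam site or from the original investigation; the regular expressions, indicator names and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of saved page source for the leads described above.
// The regexes are assumptions about common implementations, not the scam site's code.
const CHECKS = [
  { id: 'right-click-blocked',
    re: /oncontextmenu\s*=\s*["']\s*return\s+false|addEventListener\(\s*["']contextmenu["']/i },
  { id: 'devtools-key-blocked',   // F12 has keyCode 123
    re: /(?:keyCode|which)\s*={2,3}\s*123\b|\.key\s*={2,3}\s*["']F12["']/ },
  { id: 'messenger-share-link',
    re: /whatsapp:\/\/send|api\.whatsapp\.com\/send|wa\.me\/|fb-messenger:\/\/share/i },
];

// A like counter typed into the markup, with no Facebook SDK loaded to render it.
function hasStaticLikeCount(html) {
  const counter = /\d{1,3}(?:[.,]\d{3})+\s+(?:Outros como este|others like this)/i;
  return counter.test(html) && !/connect\.facebook\.net/i.test(html);
}

// Returns the ids of every indicator found in the HTML source.
function triage(html) {
  const hits = CHECKS.filter(c => c.re.test(html)).map(c => c.id);
  if (hasStaticLikeCount(html)) hits.push('static-like-count');
  return hits;
}

// Constructed samples (not captured from the real site; file names are made up).
const SUSPECT_PAGE = `
<body oncontextmenu="return false">
<script>
  document.onkeydown = function (e) { if (e.keyCode == 123) return false; };
  function share() { location.href = "whatsapp://send?text=" + encodeURIComponent(msg); }
</script>
<img src="img/likes.png"> 58,249 Outros como este.
</body>`;

const BENIGN_PAGE = `
<body>
<script async src="https://connect.facebook.net/pt_BR/sdk.js"></script>
<div class="fb-like" data-href="https://example.com/"></div>
<a href="https://wa.me/?text=Hello">Share</a>
</body>`;

console.log(triage(SUSPECT_PAGE));  // all four indicators
console.log(triage(BENIGN_PAGE));   // only the share link
```

A share link on its own also appears on legitimate pages, as the benign sample shows, so it is the combination of indicators that matters.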
Keep your eyes open and don’t believe everything you read, especially not on social networks. Stay safe!