Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.
All of the campaigns we’ll mention seemed to target people in the Czech Republic, although not exclusively, as one of the landing pages I found had at least 20 different regional variants set up for countries from all over the world. In cases where I was unable to find an English version of a page, I had Chrome translate it – the results are not always pretty, but should be sufficient for our purposes.
Everything started a couple of weeks ago, when I was searching for a website of a certain small town theater on my phone. Having found it on Google, I tapped the relevant link and was surprised when, my browser didn’t stop at the intended destination, but rather was redirected to a site proclaiming me a "lucky visitor" of the day with a "chance to win Apple iPhone 11 Pro".
Given all the ad blockers and script filters I usually use, I didn’t see any similar pages or pop-ups similar to this one (not counting phishing pages, of course) for a long time, so I decided to take a closer look at it. After clicking through four questions related to my preference in browsers, I was informed that I had a chance to win a brand new iPhone (although it wasn’t quite obvious that the offer was to enter a contest and not to buy the phone at an incredibly low price, as you may see for yourself).
After clicking the button, browser was redirected to another domain where it seemed, once again, as if a user had the option to buy an iPhone for a small fraction of its usual price.
Next, the site asked for some personal information – a full name and an address along with an e-mail and a phone number.
What wasn’t obvious at first glance, but would be really important to anyone actually trying to order the phone, was a small paragraph hidden at the end of the page, explaining that the customer wasn’t actually buying an iPhone, but was merely entering a prize draw for it. By itself, that wouldn’t be so bad, but the rest of the text mentioned that, besides confirming his participation in the contest, the user would be subscribing to an unnamed pre-paid service with a €75 monthly fee.
The last thing required of a user at that point, would be to fill in his credit card details in order to confirm the payment. Not the €75 subscription, which would later be charged against users account, but the "price" for the iPhone (or rather for a participation in the iPhone lottery) of approximately €1.5.
About a week after I found the previously mentioned website, a colleague of mine asked me, laughing, whether I wanted to buy a new iPhone for €2. My first guess was that he managed to end up on the same site I did. This, however, didn’t turn out to be the case as the second campaign was a straightforward phishing. Nevertheless, what caught my attention was the use of the same graphical style I saw in the previous campaign.
Apart from the stripe at the top, the landing page (and other pages, all the way to the payment form) was nearly identical to those used in the first campaign as well.
Unlike in the first campaign, however, there was no paragraph on any of the pages explaining whether the user was actually subscribing to any service, so it is hard to say what unexpected things one might be charged for if one actually tried to buy an iPhone in this way.
Although the second campaign comes much closer to a phishing style of operation than to a classic scam, re-use of the same assets in both campaigns is interesting. Use of the same phishing kits (or "scamas" as they are sometimes called) on multiple sites is not too unusual – many such kits are actually open-sourced and some may even be found on GitHub. Nevertheless, one usually doesn’t expect to see the same kit used twice within a couple of weeks for two different campaigns with different modes of operation…much less three.
On Saturday, I was looking for information about a vulnerability in a certain software product and one of the results, which Google returned, ended up pointing my browser to another site with the same landing page offering iPhones for €2. At first glance, it looked like another campaign simply re-using the same kit, however, after a bit of digging around, I discovered that this campaign was actually much more complex than the previous ones.
The first and second campaigns used couple of forced redirects each to get a user to the landing page.
The third campaign had multiple starting pages on multiple domains redirecting to a couple of domains/IP addresses, which finally redirected to multiple landing pages (or, under some conditions, to Google). I only mapped out a small part of the starting and landing pages, but the following diagram should give you an idea of the inner workings of this campaign.
Since all three parts of the redirection chain were interesting, let’s take a look at each one in turn.
The initial/starting pages used cloaking (i.e. serving different content to search engine spiders than to regular users), which was the reason I landed on one of these pages in the first place – Google had it indexed as containing information which wasn’t actually there. In addition to the cloak, a referrer check was implemented on the servers serving the initial pages to make things a little more complicated. The behavior and responses of the servers did therefore differ quite significantly based on a couple of factors.
Given the behavior of the servers described above, it is almost certain that any real user would be redirected to another URL after visiting one of the initial pages. That would start a chain of multiple forced redirections between the domains and IP addresses mentioned in the diagram above (and potentially others as well).
Although many of these appear to be suspicious at first glance, not all of them are necessarily malicious – one of the domains, ladsblue.com, actually belongs to a commercial advertising network named Adsterra. A quick Google search for Adsterra led to a number of claims that this network doesn’t always operate ethically, however, hoping that these claims are not correct, I did let the company know about the misuse of their ad network with the hope that they will block it.
The redirection chain would end on one of a number of different landing pages, chosen based on geolocation of the IP address from which the user was connected (and potentially other factors). It is possible that not all of the pages one might land on after the redirects end are related to scams. One of the redirection chains, for example, led to a page for a certain betting site, and even though Google results seem to indicate that it might not be a completely legitimate service, I can’t be sure of that without further research I wasn’t willing to put in.
The one site we can be quite sure was a scam, however (apart from the site using the "iPhone for €2" kit we saw in the first two campaigns), was hosted at the domain hxxps://financialwealthnow.net. The reason we may be certain of the fraudulent nature of the site is that this site was a copy of the official website of a Czech 24 hour news TV station.
This is the real site...
...and this is the fake one.
The text on the site tries to get visitors to register with a cryptocurrency trading platform with promises of instant wealth and with the help of a fake interview with a well-known Czech politician and entrepreneur praising the platform. If you’d like to take a closer look at the contents of the fake page, I wrote a short post about it (in Czech) at untrustednetwork.net.
What appears to be even more interesting than the contents of the page themselves is that the site seems to be part of a much larger operation using fake celebrity interviews and deceptive ads, which is run by a group called FizzCore (thanks to @vavkamil for pointing this out to me). The description of (for lack of a better term) TTPs of this actor provided in the analysis published by Confiant fits the fake news page exactly.
Although the last campaign is quite interesting, neither it, nor either one of the previous ones, were unique. Similarly, forced multiple redirects to less than reputable sites are nothing new. Even though both of these statements are true, I found the brief look I was given into the world of current internet scams fairly informative… And I hope that you did as well.
Feb 25th 2020
Feb 25th 2020
7 months ago
Hello! Can you recall which cryptocurrency platform was that? I think it's a common rule: if someone all of a sudden promises you too much and too quick then most probably it's a fraud. Usually getting a profit from cryptocurrencies supposes making serious research, investing some time and money, and so on. No easy wins. Here you can learn about the struggles of crypto traders: https://cryptogeek.info/en/blog/how-not-to-drown-in-a-crypto-storm
Feb 27th 2020
7 months ago
The name, which was displayed on the page, was "Bitcoin Revolution", although it was set by a parameter in the HTTP request, so one could change it to anything one wanted (and due to lack of input filtering and output encoding, it meant that the site was vulnerable to reflected XSS). The domain, to which the links lead, was revolutsrevo.com and it used the same graphics as the pages in the Confiant article.
Mar 2nd 2020
7 months ago
Here is some from same crook, always same steps,
landing2 click several answers (useless no matter what you click)
coordinates, pay and get scammed 70$/month
MX = *.domain
SPAM FROM DOMAIN's IP - DOMAIN ISP
PH M3 https://www.virustotal.com/gui/url/79dd94287f1b3d2a1bb7fd07fff2cd6b68b4231dbee93e20d05791edc9e5a4d1/detection
PH2 M2 https://www.virustotal.com/gui/url/ddf31a4e40eea00759ff82d8a5e2834e55293a1507f139e0fd57162405097752/detection
PH2 M3 https://www.virustotal.com/gui/url/8817225d67543d3ed7e652b823f7799d360a7ad1c266c36f1921607ffef5bb41/detection
PH2 M3 https://www.virustotal.com/gui/url/e10315c658d0961f52584990975fff82f43a688712afc828bb688d134be764d9/detection
PH2 M3 https://www.virustotal.com/gui/url/96202b4c25e80027fe166c3cf94ff88b100d1fc67326cf3fb2b81e691cb76929/detection
DO = DIGITALOCEAN
HZ = Hetzner Online GmbH
ALL: PREFERRED REGISTRAR BY CROOKS... NameCheap!!!!!!!!!!!
CREATED: 2020 January OR February
IP Domain Country ISP
18.104.22.168 amporinya.com USA DO
22.214.171.124 aoriton.com USA DO
126.96.36.199 averringstreet.com Netherlands DO
188.8.131.52 beliciph.com USA DO
184.108.40.206 boyenoths.com UK DO
220.127.116.11 cenictarp.com UK DO
18.104.22.168 chacruater.com USA DO
22.214.171.124 cryptoonlineblog.com USA DO
126.96.36.199 detalapth.com Netherlands DO
188.8.131.52 donfamasse.com Canada DO
184.108.40.206 dyaciaten.com Netherlands DO
220.127.116.11 elloneelo.com Singapore DO
18.104.22.168 erileera.com Canada DO
22.214.171.124 esmorisans.com UK DO
126.96.36.199 flowneduc.com UK DO
188.8.131.52 getfunsolutions.com Germany HZ
184.108.40.206 gieverrerl.com Canada DO
220.127.116.11 ginsailtry.com Canada DO
18.104.22.168 guidicelah.com UK DO
22.214.171.124 guppena.com USA DO
126.96.36.199 hananinons.com USA DO
188.8.131.52 hasetaru.com Singapore DO
184.108.40.206 hombealii.com Singapore DO
220.127.116.11 icecoleek.com USA DO
18.104.22.168 jocenfean.com USA DO
22.214.171.124 judarisour.com USA DO
126.96.36.199 kamullaid.com USA DO
188.8.131.52 kandrebe.com Singapore DO
184.108.40.206 katienety.com USA DO
220.127.116.11 manhasmadeof.com Germany HZ
18.104.22.168 mewichort.com USA DO
22.214.171.124 nortsesire.com USA DO
126.96.36.199 omediaro.com Canada DO
188.8.131.52 overthinkco.com USA DO
184.108.40.206 ractentmal.com Netherlands DO
220.127.116.11 rainchak.com UK DO
18.104.22.168 rammolemia.com Germany DO
22.214.171.124 seditimsts.com UK DO
126.96.36.199 snesarot.com Singapore DO
188.8.131.52 tographygraphy.com Germany HZ
184.108.40.206 uninaisotl.com USA DO
220.127.116.11 vascoak.com USA DO
18.104.22.168 welindyl.com Netherlands DO
22.214.171.124 wesadan.com Netherlands DO
126.96.36.199 yoreirold.com Canada DO
Mar 10th 2020
7 months ago