Adidas WhatsApp Scam Walkthrough
WhatsApp Message
Information Gathering
Domain is hosted at Cloudflare
Attacker targets users from Hong Kong and Malaysia
Manual Analysis
Manually browsing to the URL in a browser
The actual URL, shown in punycode
The page redirects the user to com-cupons.com
com-cupons.com later redirects the user to www.adidas.com-free.win
To get the free shoes, we need to answer the questions
After the questions are answered, the web application requires the user to share the page with WhatsApp friends
The scam targets mobile users, so it does not work on a PC
Selecting a shoe size is blocked if the scam has not been shared on WhatsApp
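The lookalike hostnames seen in this analysis (the punycode URL, com-cupons.com and www.adidas.com-free.win) can be flagged mechanically. The Python check below is an added example, not part of the original walkthrough; the brand table, the confusables map, the two-label registrable-domain rule and the `.example` IDN sample are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration (not from the original page):
BRANDS = {"adidas": "adidas.com"}                 # keyword -> legitimate domain
CONFUSABLES = str.maketrans({"ı": "i", "і": "i", "а": "a"})  # tiny sample map
TLD_PREFIXES = ("com-", "net-", "org-")           # labels imitating a TLD


def decode_label(label):
    """Return the Unicode form of a punycode (xn--) label, else the label."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def analyse(url):
    """Return a sorted list of lookalike findings for the URL's hostname."""
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".")]
    # Naive registrable domain: the last two labels. Real code should use
    # the Public Suffix List instead.
    registrable = ".".join(labels[-2:])
    findings = set()
    # "adidas.com-free.win" reads like "adidas.com" because of the "com-" label.
    if len(labels) >= 2 and labels[-2].startswith(TLD_PREFIXES):
        findings.add("tld-prefix-label")
    for index, label in enumerate(labels):
        skeleton = label.translate(CONFUSABLES)
        for brand, legit in BRANDS.items():
            if brand not in skeleton or registrable == legit:
                continue
            if not label.isascii():
                findings.add("idn-homograph")       # brand spelled with lookalikes
            elif index < len(labels) - 2:
                findings.add("brand-in-subdomain")  # brand left of the real domain
    return sorted(findings)


def constructed_idn_url():
    """Constructed sample ("adıdas" with a dotless i), not the scam's own URL."""
    return "http://xn--" + "adıdas".encode("punycode").decode("ascii") + ".example/"


if __name__ == "__main__":
    for url in ("http://www.adidas.com-free.win/", "http://com-cupons.com/",
                "https://www.adidas.com/", constructed_idn_url()):
        print(url, analyse(url))
```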
Source Code Analysis
The web application checks whether the user is on a mobile device
final.html is the page the attacker tries to get the user to access at the end
The attacker tries to get mobile users to browse to final.html after they share the scam on WhatsApp
final.html redirects the user to amazing-deals.pw/adi
amazing-deals.pw/adi redirects the user to 2018deals.life/adi
The web application tries to get user interaction
After clicking on "Start Playing Dragonland Now!"
HTTP request sent when clicking the "Confirm" button
The page tries to access the Telco API to generate a token for the transaction
The web application connects to the Telco API to charge the user a subscription fee
Of course, the request is dropped
Cyber Awareness
If you need guidelines on how to stay safe online, please read the article at:
Again, now it is Air New Zealand free tickets!
http://2018deals.life again!