Investigating a scam/phishing link campaign circulating on WhatsApp.

Kunal Das
5 min read · Sep 18, 2021

This morning when I woke up, I opened WhatsApp and found a link sent by my father 😐. The link looked like this: https://fluentolive.xyz/suzuki/tb.php?t=16317659251631766398769

The link preview presents it as a gift link from Maruti Suzuki. Obviously Maruti would never run such a lottery, so I got up and decided to investigate the link. Let's do it together. First, I looked up the WHOIS record, which lists the registrar as NameSilo, LLC.

WHOIS Info

Before proceeding, I reported the phishing page to NameSilo, the registrar the domain was registered through. The domain was registered on 12 May 2021 and expires on 12 May 2022.

https://www.namesilo.com/report_abuse.php

Now let's break the phishing link down. The TLD is .xyz and the registered domain is fluentolive.xyz; /suzuki/ is only a path on that site.

To a trained eye it looks suspicious, but people are tricked by the word Suzuki in the path. A brand name anywhere in the URL is enough to convince non-technical users, even though only the registered domain tells you who actually controls the site.
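The triage described above, as an added example (not code from the original post): it separates the registered domain from the path and subdomain, flags a brand name that appears only outside the registered domain, checks for a cheap TLD, and tries to decode the long numeric t= parameter. The brand list, the cheap-TLD list and the assumption that t= is built from Unix timestamps are mine, chosen to fit the sample URL; the domain extraction is a naive last-two-labels split, which is fine for .xyz but not for suffixes like co.uk.

```python
"""Triage a suspicious URL the way the Suzuki lure above was triaged.

Added example, not code from the original post. The brand list, the
'cheap TLD' list and the idea that the t= token is made of Unix
timestamps are my assumptions for illustration.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Brands impersonated in this campaign (assumption: a small illustrative list).
BRANDS = {"suzuki", "maruti", "reliance", "jio"}
# TLDs that are cheap to register and heavily abused (assumption, not exhaustive).
CHEAP_TLDS = {"xyz", "top", "icu", "club", "online", "site", "buzz"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Fine for .xyz; for multi-part
    public suffixes such as co.uk you would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_in(text: str) -> set[str]:
    """Brand names that appear anywhere in the given text."""
    text = text.lower()
    return {b for b in BRANDS if b in text}


def timestamps_in_token(token: str) -> list[str]:
    """Split a long digit string into 10-digit chunks and keep those that are
    plausible Unix timestamps (2015..2035). A guess that fits the sample URL:
    its t= value decodes to two times a few minutes apart on 16 Sep 2021."""
    found = []
    for i in range(0, len(token) - 9, 10):
        chunk = token[i:i + 10]
        if chunk.isdigit() and 1420070400 <= int(chunk) <= 2051222400:
            when = datetime.fromtimestamp(int(chunk), tz=timezone.utc)
            found.append(when.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return found


def triage(url: str) -> dict:
    """Return the signals a first-look triage cares about."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    subdomain = host[: len(host) - len(reg)]          # e.g. "www."
    tld = reg.rsplit(".", 1)[-1]

    # A brand in the path or subdomain proves nothing; only the registered
    # domain says who controls the site. Brand there but not here is the lure.
    lure = (brands_in(parts.path) | brands_in(subdomain)) - brands_in(reg)

    stamps: list[str] = []
    for values in parse_qs(parts.query).values():
        for value in values:
            if value.isdigit() and len(value) >= 20:
                stamps.extend(timestamps_in_token(value))

    return {
        "registered_domain": reg,
        "brand_outside_domain": sorted(lure),
        "cheap_tld": tld in CHEAP_TLDS,
        "timestamps_in_query": stamps,
        "suspicious": bool(lure) or tld in CHEAP_TLDS,
    }


if __name__ == "__main__":
    for u in ("https://fluentolive.xyz/suzuki/tb.php?t=16317659251631766398769",
              "https://www.marutisuzuki.com/offers"):
        print(u, triage(u))
```

Run against the campaign URL this reports the registered domain as fluentolive.xyz, "suzuki" as a brand that appears only outside it, a cheap TLD, and two timestamps on 16 Sep 2021 about eight minutes apart, which looks like a tracking token rather than anything the visitor needs; the genuine-looking marutisuzuki.com URL raises none of these flags.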

Then I opened the link in an isolated virtual machine. The result did not look overtly malicious: it was a scam page, but nothing was downloaded and there was no sign of a file drop. The page starts with "Congratulations!", says I have a chance to win a Mi 11X Pro (128 GB, 8 GB RAM, Cosmic Black), and continues with a survey.

Survey Questions

Examine the site closely and it is obviously a scam. Below the survey are numerous reviews, clearly fake, in which "users" say they too received their gifts and that the link is genuine, lol!

Fake Reviews

The reviews are not fetched from a service such as randomuser.me; they are hard-coded in the page's HTML source.

Fake reviews in Source Code

While analyzing the source code I found nothing suspicious worth mentioning here.

Source Code of the spam page

Then I opened the link in another browser, and this time it redirected to a different site with the same survey and the same gift, but branded as Reliance Digital rather than Suzuki, which suggests the campaign targets India.

Spam Website

So the landing page is chosen by redirect, and the links themselves deserve a closer look. I completed the survey and reached the page where I could "claim the prize" by sharing the link with other contacts on WhatsApp. That is how it spreads.

Fake winning

I was expecting malicious content, so I scanned the URL with VirusTotal and the any.run sandbox. VirusTotal flagged the URL as malicious, the detection coming from the Fortinet engine. Report link: https://www.virustotal.com/gui/url/9f7bc9f401421e25aad20a6cc4fee2980b417925862cced01f9a974edd2aef22/detection

Virus Total Result

Then I scanned it with urlscan.io, which gave much more useful information. Report link: https://urlscan.io/result/55233187-ef03-4665-a40d-0d2291691eac/#summary

URLSCAN Result

urlscan.io found 41 similar pages across different IPs, domains and ASNs. The list of related pages is here: https://urlscan.io/result/55233187-ef03-4665-a40d-0d2291691eac/related/

More information on the IP of the website: https://urlscan.io/ip/104.21.10.146. Note that 104.21.10.146 lies in Cloudflare's 104.16.0.0/13 range, so it is a CDN edge address shared by many unrelated sites, not the scammer's origin server; the IP alone identifies neither the hosting provider nor the campaign.

At the time of writing there is no malware, but it is a phishing page that collects user information, so I dug deeper into the source code.

While reviewing the source I found embedded JavaScript whose share action sets the location to a WhatsApp share link, which means the page can only be shared through WhatsApp.

Javascript Code

Not much more to see: a typical JavaScript-driven page with static reviews. The site sets several cookies, which can be used for tracking; in my view that is not a threat in itself, but a content- and cookie-blocking extension is always recommended. I use uBlock Origin, and it works well.
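The static checks from the last few paragraphs (hard-coded reviews, a share action that only targets WhatsApp) and the redirect behaviour seen earlier (same link, different browser, different brand), as one added example that is not code from the original post. The HTML is a constructed stand-in for the real page, the class names and script are my assumptions, and the fake fetcher replays the observed behaviour by keying the landing brand off the User-Agent, which fits the "different browser, different brand" observation but was not verified against the real server.

```python
"""Static scan of a survey-scam landing page, plus a capped redirect tracer.

Added example, not code from the original post. SAMPLE_HTML is constructed;
fake_fetch is a constructed replay of the behaviour the post describes.
"""
import re
from html.parser import HTMLParser
from typing import Callable
from urllib.parse import urljoin

WHATSAPP_SHARE = re.compile(
    r"(?:whatsapp://send|https?://(?:api\.whatsapp\.com/send|wa\.me))[^\s'\"]*"
)
LOCATION_ASSIGN = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)")


class PageScan(HTMLParser):
    """Count hard-coded review blocks and collect inline script text."""

    def __init__(self):
        super().__init__()
        self.reviews = 0
        self.scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class") or ""        # assumption: class="review"
        if "review" in classes.split():
            self.reviews += 1
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html: str) -> dict:
    """Reviews baked into the HTML instead of fetched, and where the JS sends you."""
    p = PageScan()
    p.feed(html)
    js = "\n".join(p.scripts)
    targets = LOCATION_ASSIGN.findall(js)
    return {
        "static_reviews": p.reviews,
        "whatsapp_share_targets": sorted({m.group(0) for m in WHATSAPP_SHARE.finditer(js)}),
        "forced_whatsapp_share": any(WHATSAPP_SHARE.match(t) for t in targets),
    }


Response = tuple[int, dict, str]                 # status, headers, body
Fetcher = Callable[[str, str], Response]         # (url, user_agent) -> Response


def follow_redirects(url: str, fetch: Fetcher, user_agent: str, max_hops: int = 10) -> list[str]:
    """Return the chain of URLs visited; the hop cap stops a redirect loop."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, _body = fetch(url, user_agent)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            chain.append(url)
        else:
            return chain
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


ENTRY = "https://fluentolive.xyz/suzuki/tb.php?t=16317659251631766398769"
SAMPLE_HTML = """<html><body>
<h1>Congratulations!</h1>
<div class="review"><b>Amit</b> I got my gift today, link is genuine</div>
<div class="review"><b>Priya</b> Received my Mi 11X, thanks!</div>
<div class="review"><b>Rahul</b> Real offer, shared with all my friends</div>
<button onclick="share()">CLAIM YOUR PRIZE</button>
<script>
function share(){
  window.location = "whatsapp://send?text=" + encodeURIComponent(document.URL);
}
</script></body></html>"""


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed replay: entry URL 302s to a brand chosen from the User-Agent.
    A real fetcher would use urllib on a sandboxed network, never a daily browser."""
    brand = "suzuki" if "Android" in user_agent else "reliance"
    if url == ENTRY:
        return 302, {"Location": f"https://example.invalid/{brand}/win.php"}, ""
    if url.startswith("https://example.invalid/"):
        return 200, {}, SAMPLE_HTML
    return 404, {}, ""


def investigate(user_agent: str, fetch: Fetcher = fake_fetch) -> dict:
    chain = follow_redirects(ENTRY, fetch, user_agent)
    _status, _headers, body = fetch(chain[-1], user_agent)
    return {"chain": chain, "scan": scan_html(body)}


if __name__ == "__main__":
    for ua in ("Mozilla/5.0 (Linux; Android 11)", "Mozilla/5.0 (Windows NT 10.0) Firefox/92.0"):
        print(ua, investigate(ua))
```

Two points worth keeping from this: fetch with a fixed User-Agent (and repeat with another) before trusting a single browser's view of the landing page, and treat a location assignment to whatsapp://send or api.whatsapp.com as the propagation mechanism, not as harmless sharing code.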

The any.run analysis report is also worth a look: https://app.any.run/tasks/636e6738-48e2-4b30-b9dd-f80cdd596a9a#

Conclusion of my investigation:

Right now the site is only a survey-scam phishing page, but because the landing page is served by redirect, the operator can swap it at any time for something more dangerous: a page that harvests credentials, or one that drops malware on the user's device.

The more people report the page, the sooner the registrar and hosting provider will take it down and the sooner it lands on blocklists. Report it to NameSilo here (and, since the site is fronted by Cloudflare, through Cloudflare's abuse form as well): https://www.namesilo.com/report_abuse.php

The website lures people with a gift, takes them through a short survey that collects basic personal data, and then asks them to share the link with other contacts on WhatsApp to "claim" the prize, which only leads to another scam page and nothing else. Never fall for such pages: companies do not run lotteries through links like this, and most importantly, do not forward them to others.

DO NOT SHARE FAKE LINKS, IF YOU CARE!

Thank you for reading my article on this…😊

DO SHARE IF YOU LIKED IT!
