WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals. Let’s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.
Sample screenshot of the spamvertised email:
Sample screenshot of the landing pharmaceutical scam page:
Redirection chain: hxxp://188.8.131.52/horizontally.html -> hxxp://viagraphysician.com (184.108.40.206)
We’re also aware of the following fraudulent domains that are known to have phoned back to the same IP (220.127.116.11):
ns1.viagraphysician.com – 18.104.22.168
ns2.viagraphysician.com – 22.214.171.124
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 126.96.36.199:
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 188.8.131.52:
We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs.
Webroot SecureAnywhere users are protected from these scams.