WhatsApp users, watch what you click on! A currently circulating spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on the links found in the email. Users who take the bait are redirected to a fraudulent pharmaceutical site offering bogus bargain deals. Let’s assess the campaign and expose the fraudulent infrastructure supporting it.
Sample screenshot of the spamvertised email:
Sample screenshot of the landing pharmaceutical scam page:
Redirection chain: hxxp://18.104.22.168/horizontally.html -> hxxp://viagraphysician.com (22.214.171.124)
We’re also aware of the following fraudulent domains that are known to have phoned back to the same IP (126.96.36.199):
ns1.viagraphysician.com – 188.8.131.52
ns2.viagraphysician.com – 184.108.40.206
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 220.127.116.11:
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 18.104.22.168:
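As an added example (not Webroot’s tooling or code from this post), the script below maps a redirection chain like the one listed above hop by hop, without rendering the landing page: it refangs an hxxp:// indicator, follows HTTP 3xx and meta-refresh hops while refusing to follow redirects automatically, stops on loops or after a hop limit, and reports which hosts were touched. The responses it runs against offline are constructed to mirror the chain reported above (18.104.22.168/horizontally.html → viagraphysician.com); they are not captured traffic, and the loop.invalid entry is a made-up case for the loop check. The live_fetch function is included for real use but is not exercised by the demo.

```python
"""Map a spamvertised redirection chain hop by hop, without rendering the landing page.

Added example for this post; not Webroot's tooling. The fake responses below mirror
the chain reported in the post but are constructed for an offline run.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn a defanged indicator (hxxp://..., example[.]com) back into a fetchable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.replace("[.]", "."), flags=re.I)


def defang(url):
    """Inverse of refang for reporting, using the post's own hxxp:// convention."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.I)


def meta_refresh_target(body):
    """Extract the URL from a <meta http-equiv="refresh"> tag, or None.

    Pharma landing pages often hop via meta refresh or JavaScript rather than an HTTP 3xx.
    This handles the meta-refresh case (assumes http-equiv precedes content); JavaScript
    redirects are out of scope here.
    """
    m = re.search(
        r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
        body, re.I)
    return m.group(1) if m else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10, max_body=65536):
    """One hop over the network: returns (status, headers, body). Not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(max_body).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""


def follow_chain(start, fetch=live_fetch, max_hops=5):
    """Return [(url, status), ...] for each hop until a final response, a loop, or max_hops."""
    url = refang(start)
    chain, seen = [], set()
    while len(chain) < max_hops and url not in seen:
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append((url, status))
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
        elif status == 200 and meta_refresh_target(body):
            url = urljoin(url, meta_refresh_target(body))
        else:
            break
    return chain


def chain_hosts(chain):
    """Distinct hosts touched, in order; the hop onto a new host is where the scam site appears."""
    hosts = []
    for url, _ in chain:
        h = urlsplit(url).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed responses (no real traffic captured): the first two mirror the chain in the
# post, the loop.invalid pair is a made-up redirect loop to exercise the loop guard.
FAKE_RESPONSES = {
    "http://18.104.22.168/horizontally.html": (302, {"Location": "http://viagraphysician.com/"}, ""),
    "http://viagraphysician.com/": (200, {"Content-Type": "text/html"}, "<html><body>shop</body></html>"),
    "http://loop.invalid/a": (302, {"Location": "/b"}, ""),
    "http://loop.invalid/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain = follow_chain("hxxp://18.104.22.168/horizontally.html", fetch=fake_fetch)
    for url, status in chain:
        print(status, defang(url))
    print("hosts touched:", ", ".join(chain_hosts(chain)))
```

Run it against live indicators by dropping the fetch=fake_fetch argument, from a disposable host: a HEAD-less GET of a pharma landing page is low risk, but the script deliberately never executes JavaScript, so a JavaScript-driven hop will show up as a 200 at the end of the chain rather than as a further hop.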
We expect more legitimate brands to be brand-jacked in this way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs.
Webroot SecureAnywhere users are protected from these scams.