WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals. Let’s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.
Sample screenshot of the spamvertised email:
Sample screenshot of the landing pharmaceutical scam page:
Redirection chain: hxxp://126.96.36.199/horizontally.html -> hxxp://viagraphysician.com (188.8.131.52)
We’re also aware of the following fraudulent domains that are known to have phoned back to the same IP (184.108.40.206):
ns1.viagraphysician.com – 220.127.116.11
ns2.viagraphysician.com – 18.104.22.168
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 22.214.171.124:
The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 126.96.36.199:
We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs.
Webroot SecureAnywhere users are protected from these scams.