A fake Volkswagen campaign is making its way across social media platforms, luring in victims with promises of a free Volkswagen car giveaway – but instead redirecting them to third-party ad servers.
Victims are first sent messages via WhatsApp or Facebook, purporting to be from Volkswagen and claiming it will give away up to 20 free cars until the end of the year, researchers with Sucuri said on Friday. Targets of the scam are instructed to participate in the contest by clicking a link embedded in the message.
However, the link attached to the messages sent via social media does not appear to collect personal information – but instead tries to re-direct victims to various advertising networks.
“With all these leads combined, we can conclude that this is a scam site aiming at maximizing the income from various advertising networks,” Peter Gramantik, malware researcher at Sucuri, said in a post analyzing the scam.
After one of Gramantik’s colleagues received the suspicious message on WhatsApp, he dug deeper into the link used in the phishing messages.
It became clear that something was not right with the site, as several security vendors had blacklisted it as a phishing site. Also suspicious was the fact that the site blocked the opening of developer tools in both Chrome and Firefox.
Interestingly, however, the site had none of the classic phishing characteristics – such as areas that requested personal information or payment card data. The site instead looked like a standard campaign site, and used fake hard-coded Facebook “likes” at the bottom of the page.
Once users click on any page objects (such as buttons asking users if they would like to participate), they will be redirected to a third-party ad server.
“The goal, in this case, seems to be a simple advertisement designed to spread to as many viewers as possible,” researchers said.
The message and linked site, which are in Portuguese, then ask users to resend the campaign link to at least 20 friends on either Facebook Messenger or WhatsApp, researchers said. Once the campaign has been shared, the scam authors promise to contact the victims via Facebook.
These types of campaigns are nothing new – from Bitcoin to iPhones, giveaway scams are an easy way to lure in potential victims, especially during the busy online shopping holiday season. However, Gramantik said that using messages to share scam ad sites is an emerging trend.
“This has been a trending monetization method over the past year, and sharing a scam site without any other ‘malicious’ activity bundled with it is one of the ways the attackers are generating revenue,” said Gramantik. “It’s still a scam, but one based on social engineering. This is a prime example of one of the oldest and most basic techniques – making people believe that they can get something for free.”