Phishing: on the Signal messaging app, a fake Amazon lets you “win” an iPhone 12

Phishing messages have landed on the Signal app. On the menu this February 17: a fake competition with an iPhone 12 Pro at stake.

Signal, victim of its own success? Following the criticized announcements of changes to WhatsApp’s data policy, many users have switched to its competitor Signal. The influx of new users was so large that the organization suffered several technical disruptions in the early days.

This craze has not escaped cybercriminals. They know that the more widely a service is used, the more targets it lets them reach. As a result, in February 2021, a phishing campaign is circulating on the messaging application.

“Your Amazon subscription has been rewarded. An iPhone 12 Pro is reserved for you. Claim it here: https://brandschix[.]space/qOiO5”, reads the message, tweeted here by Twitter user Karl Pineau. The sender of the message identifies himself as Amazon and has taken the company logo as his profile picture. Next to the name is a Vietnamese number (with the flag and the +84 prefix).

Beware of technical prejudices

As you will have noticed, this phishing attempt is not very convincing. It relies on crude tricks, and its inconsistencies can be detected from the initial message:

  • Amazon never communicates on Signal. The company sends the majority of its messages by email, and can send SMS messages relating to deliveries.
  • The link is particularly suspicious, since its domain name has nothing to do with Amazon.
  • The free iPhone scam is a classic phishing campaign: most people know that this kind of competition does not exist. The fact remains that if this type of campaign has not disappeared, it is because some users continue to fall into the trap.

Conversely, misconceptions about cybersecurity could lead some people not to be suspicious of the message:

  • Prejudice 1: Signal is renowned for its level of “security”, so a message sent on the app is necessarily safe. No, because Signal only protects communications between its users with its end-to-end encryption. If a person (e.g. a hacker, or the police) intercepts the communication, they will not be able to decipher its content. On the other hand, nothing technically prevents someone from sending a malicious link in a message, and here the link simply points to a website.
  • Prejudice 2: the link contains the prefix “https://”, which means that the site is validated in terms of security and that I can go there without taking any risk. No, for two reasons. First, an HTTPS certificate is relatively easy to obtain, and it only guarantees, in theory, that the flow of data sent by the user is properly protected. It promises nothing about the integrity of whoever receives this data. Second, this HTTPS site may be only a relay in the criminals’ redirection scheme. Indeed, when we click on the link, we are taken to another site, “stiedemannboyer[.]icu”.
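The two checks above (a link whose domain has nothing to do with Amazon, and an “https://” prefix that proves nothing) can be written as a small triage script. This is an added example, not part of the original article; the BRAND_DOMAINS allowlist, the function names and the path on the second hop are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really uses (illustrative, not exhaustive).
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.fr"}}

# Tolerates the stray spaces and "[.]" defanging used when links are quoted in reports.
URL_RE = re.compile(r"https?\s*:\s*//\s*[^\s\"“”«»,]+", re.IGNORECASE)


def hosts_in(text):
    """Return the lower-cased hostname of every link found in text."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = re.sub(r"\s+", "", raw).replace("[.]", ".")
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def is_brand_host(host, brand):
    """True only for one of the brand's own domains or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def off_brand_links(claimed_sender, text):
    """Hosts in text that do not belong to the brand the sender claims to be.

    The scheme is deliberately ignored: "https" says nothing about who runs the site.
    """
    brand = next((b for b in BRAND_DOMAINS if b in claimed_sender.lower()), None)
    if brand is None:
        return []
    return [h for h in hosts_in(text) if not is_brand_host(h, brand)]


# Constructed sample: the message quoted in the article, link kept defanged.
MESSAGE = ("Your Amazon subscription has been rewarded. An iPhone 12 Pro is "
           "reserved for you. Claim it here: https: // brandschix[.]space/qOiO5")
# Constructed sample: the two hops named so far (the second path is made up).
HOPS = "https://brandschix[.]space/qOiO5 https://stiedemannboyer[.]icu/a"

if __name__ == "__main__":
    print(off_brand_links("Amazon", MESSAGE))
    print(off_brand_links("Amazon", HOPS))
```

The suffix comparison is made on a dot boundary, so a host that merely contains or starts with the brand's domain name is still reported as off-brand.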

While the scammers’ opening message is not very convincing, what follows is. To save you from doing it yourself, we clicked through the scam to the end.

1 minute 30 not to miss a golden opportunity!

The first click takes us to a fake Amazon page. “Congratulations!”, it greets us cheerfully. It explains (in correct French) why we are here: we have supposedly been chosen at random from among 10 users in our city, on Wednesday February 17th. At stake: a chance to win a “fantastic prize: Apple iPhone 12 Pro!”

We would therefore be particularly lucky. On the other hand, we have “only 1 minutes and 30 seconds” (sic) to participate. The timer, written in red, counts down: 29, 28, 27… Quick, we must hurry.

The chaaaaaance (or not). // Source: Numerama screenshot

Below the text, fake Facebook comments from pseudo-winners promote the contest. A certain Maxime Lyon, liked by 36 people, wrote: “Thought it was a joke, but my Apple iPhone 12 Pro arrived this morning”.

We therefore rush to respond in the time allotted to the “survey” proposed by the page, an astonishing 4-question form. We enter our gender, age range, number of family members, and whether we have any Apple products in our home. The answers to these questions are of little value to the scammers, so it is surprising that they are asked first.

All we do is win, win, win, no matter what

“There are no previous surveys from your IP address”, the page tells us. And since there are supposedly still prizes available, we get a chance to win the so-called jackpot. The new page presents 9 gift box icons, from which we have to choose. We click on the first from the top: an opening animation is triggered and… no luck, it is empty. Fortunately, the site offers us a second chance! This time we open the middle one. Bingo! An iPhone 12 comes out. As you can imagine, we played this mini-game over and over again, and each time the second attempt reveals a winning iPhone.

Little adrenaline boost, we just won an iPhone 12 Pro! (or not) // Source: Numerama screenshot.

A message explains the rest of the rules to us: we will be redirected to an “approved redistributor”, then we will have to give our address and pay €2 for postage. And that’s it: the iPhone will be delivered 5-7 days later.

This scam uses two of the most common phishing tricks:

  • The sense of urgency (1 minute 30 to answer the “survey”), which aims to rush the target’s decision. The less time a person has to identify the inconsistencies of the page (spelling, graphic charter, situation, URL, etc.), the less likely they are to detect the deception and avoid it.
  • The “too good to be true”. The scammers present you with an unmissable opportunity. If you don’t take it, you might regret it all your life. Yes, it’s suspicious, yes, the offer may turn out to be false… but should we take the risk of missing it if it is true? This is how some victims let themselves be tempted and get caught in the machinery.

Giving bank details over and over again

After having “won” the iPhone 12 Pro, we are redirected to the site chooseandget[.]com, another copy of Amazon, where we have to make the payment of €1.95 that separates us from our precious smartphone.

The scammers’ trap finally closes: a form first asks us for our last name, first name, email and phone number. Taken together, this information can be resold. Then, we are asked for our credit card information, in order to validate the transaction. Here again, this data can be traded or directly exploited by criminals.

No matter how many forms we fill out, none of them seem to be accepted. // Source: Numerama screenshot

Once the form is completed, an error message is displayed. We are redirected to another site, an almost perfect copy of the previous one, which asks us to fill out a similar form. We do so, so as not to miss the opportunity to win the smartphone. Again an error message pops up and we’re redirected to a third site, which asks for the same information… We fill out a form again, and again we’re kicked out to another copy of Amazon. The circle seems endless: we are encouraged to give out our banking information again and again. These pages are probably controlled by the same actor, who is trying to avoid detection mechanisms. And if one page is taken down, another will take over.

What if I took the phishing bait?

The phishing will only have a consequence if you have filled out and submitted the last form. If you’ve just clicked on the link and then closed the page, you’re not at risk. Likewise, if you have only answered the “survey” questions, you have no reason to worry.

  • If you have provided your personal data, don’t panic. On the other hand, you will have to be extra vigilant, because you could be the target of other phishing attempts. Thieves know you have taken the bait once, and think they can trick you again by playing on your gullibility. Prove them wrong: no need for technical skills, if you follow these three tips available to everyone, you will avoid the vast majority of phishing attempts.
  • If you have given your bank details, block your bank card without delay. Most banks have a dedicated phone line, where an operator will immediately block it.

Source: Numerama by cyberguerre.numerama.com.