Security
Headlines
HeadlinesLatestCVEs

Headline

WhatsApp spam offers up “B&Q Father’s Day Contest 2022”

We take a look at a scam barbeque quiz that asks “winners” to send a lot of WhatsApp messages to qualify. The post WhatsApp spam offers up “B&Q Father’s Day Contest 2022” appeared first on Malwarebytes Labs.

Malwarebytes
#web#android#sap

Father’s Day in the UK (June 19) is almost upon us, and scammers are taking advantage of it—and the fractional possibility of some nice weather—using a barbeque-themed lure.

A mysterious WhatsApp message

The barbeque bait arrives out of the blue, from a somebody who has your number, as a random message bringing word of a supposed “B&Q Father’s Day Contest” with what looks like a very nice barbeque set up for grabs. What could go wrong? (B&Q is a British multinational DIY / home improvement company and exactly the kind of place someone in the UK might buy a nice barbeque set from.)

The message is plausible, and the only clue that something is amiss, other than it being unsolicited, is the Russian .ru domain name.

Would you spot the .ru domain?

Regular readers would know to steer clear of this missive, perhaps even ask the sender via other means if they meant to send the message. The problem with this one is that they probably did intend to send it (you’ll see why later).

If your name’s not down, you’re not coming in

The linked site really does not like you visiting from anything other than a mobile browser. Try to access from a desktop, and you’ll be told “Access Denied”. Firing up VPNs or Tor Browser, designed to help keep your online activities anonymous, seem to have a similar end result. All they want you to do is click the original link from your mobile.

As it happens, there is a reason for this. It wouldn’t be cost-effective for promotions to allow non-mobile visitors onto a mobile themed offering. This is because said mobile offerings want to take advantage of something your desktop won’t have. It could be a feature specific to Android or iPhone, or perhaps they have a certain app in their sights.

Click the link on your mobile from the correct geographic region and you’ll make it to the landing page. If not, you’ll probably be turned away.

The Father’s Day Contest landing page

Visitors are greeted by what appears to be a B&Q-themed page.

The “B&Q Father’s Day Contest”

The site says

Welcome to the B&Q Father’s Day Contest!

Take the quiz, find the hidden prize and win the new Weber gas barbeque

The Weber is a fancy bit of kit, retailing for around $1,200. Small wonder that people would be happy to take the quiz. The quiz itself is a collection of 4 questions including:

  • Do you know of B&Q?
  • How old are you?
  • How would you rate B&Q?

With these out of the way, it’s competition time.

Best out of 3?

Visitors are presented with 9 gift boxes, and have 3 chances to select the correct one.

Oops!

Sadly I failed on my first box opening, but hit the barbeque-shaped jackpot on my second attempt. Do I get my barbeque set? Not yet:

“Tap continue and claim your gift”

First, the scammers tell you to “share with 5 groups / 20 friends on WhatsApp” to claim your gift, with the offer only being valid for 500 seconds. This is why you get the message from a friend, and this is how it spreads.

Try as I might, the site wouldn’t let me progress past this stage. If you refresh the page, the number of gifts resets to the original amount of 250 and then stops at a low number. Just enough to make you think there’s a few left. Does anybody really think they’re giving away around $300,000 of barbeque equipment every few minutes?

There’s also multiple Facebook-style comments at the bottom of the page, complete with inactive Like and Reply options underneath each one of the other supposed winners.

Based on how these things usually go, you probably have to hand over personal information to an advertiser. There’s no FAQ, EULA, competition rules, or privacy policy on the landing page; merely a copyright notice at the bottom listed as “Advertorial”.

As tempting an offer as this sounds, we’d advise anyone looking for a gift this Father’s Day to keep shopping around.

Malwarebytes: Latest News

Meta takes down more than 2 million accounts in fight against pig butchering