A new Adidas “prize” phishing campaign has been spotted on WhatsApp that lures victims with “free shoes” to celebrate the popular sports shoemaker’s 69th anniversary. The message claims Adidas is offering 2,500 pairs of shoes to celebrate the event, followed by a link to obtain the promised goods.
However, the link in the spam message is a homograph: it spoofs the appearance of the legitimate Adidas website by replacing one character - in this case the “i” - with a look-alike, a dotless “ı” that reads as a plain vertical line.
“This is a homoglyph (often referred to as homograph) attack, incorporating a link that looks legitimate but is actually spoofed by replacing one character with another that looks the same to the unwary eye,” ESET’s WeLiveSecurity reported. “This kind of attack is not new, with several articles covering the subject such as welivesecurity, thecomputerperson and Doron Segal on Medium. The structure of the message is not new either. A few similar campaigns were observed in 2016.”
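A defender-side check for this kind of look-alike domain, added here as an example and not part of the original article or ESET’s research: it reduces each label of a hostname to the ASCII text a reader would take it for (dropping accents and mapping a small constructed table of confusable characters such as the dotless ı), decodes punycode labels first, and flags hosts whose skeleton matches a protected brand while their real characters do not. The brand list, the confusable table and the sample links are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed mini-table of look-alikes (a production detector would load the full
# Unicode confusables data from UTS #39). Keys are look-alikes, values the ASCII
# letter a reader is likely to see.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I, the swap described in this campaign
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

def skeleton(label: str) -> str:
    """Reduce one label to the ASCII string a reader would take it for: NFKD splits
    accented letters into base + combining mark, marks are dropped, look-alikes mapped."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def to_unicode(host: str) -> str:
    """Decode punycode ('xn--') labels so look-alikes become visible; others pass through."""
    return ".".join(
        label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        for label in host.lower().rstrip(".").split("."))

def check_host(host: str, protected=("adidas.com",)) -> dict:
    """Classify a hostname as legitimate, homoglyph (impersonating a brand) or unrelated."""
    uhost = to_unicode(host)
    sk = ".".join(skeleton(label) for label in uhost.split("."))
    brand = next((b for b in protected if sk == b or sk.endswith("." + b)), None)
    if brand is None:
        return {"host": uhost, "skeleton": sk, "verdict": "unrelated"}
    if sk == uhost:  # no substitution needed: the real brand host or one of its subdomains
        return {"host": uhost, "skeleton": sk, "verdict": "legitimate"}
    return {"host": uhost, "skeleton": sk, "verdict": "homoglyph", "impersonates": brand}

def check_url(url: str, protected=("adidas.com",)) -> dict:
    """Convenience wrapper for a link lifted straight out of a message."""
    return check_host(urlsplit(url).hostname or "", protected)

if __name__ == "__main__":
    # Constructed sample links; the second mimics the dotless-i swap from the article,
    # the third is the same host in the punycode form a proxy log would show.
    for link in ("https://www.adidas.com/", "https://adıdas.com/shoes",
                 "http://" + "adıdas.com".encode("idna").decode("ascii") + "/",
                 "https://example.com/"):
        print(link, "->", check_url(link))
```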
“Should the mobile device checks succeed, the website then obtains geolocation data for the visitor’s IP address, and depending on the country the visitor may be redirected,” researchers noted.
The attackers seem to be targeting countries such as Norway, Sweden, the Netherlands and Belgium. Meanwhile, users hailing from countries such as the U.S., India, Pakistan, Nigeria and Kenya are targeted with different brand names. However, if the victim is not located in any of these countries, the phishing scheme aborts at the starting block.
If the victim’s device does happen to pass these checks, the user is directed to a four-question survey notifying them that they have “qualified” to receive the free pair of shoes, regardless of how they respond.
Naturally, the users are also requested to share the message with their friends via WhatsApp and Facebook.
“If they simply close this menu, it still counts as a ‘share’. If they repeat this routine 20 times, they’ll still be able to click the claim button without really sharing the ‘offer’,” researchers said. To claim their “free pair of shoes” worth $199, the users are instructed to answer a few more obvious questions before they can claim their new shoes for $1.
Finally, they are redirected to a well-known scam domain that asks them to enter their payment details. At the bottom of the page is a message that informs the user their account will be charged $50 per month if they don’t cancel their account after seven days.
Victims who fall for the scam not only never receive the coveted shoes, but are left with a recurring charge that they are forced to deal with.
“This research demonstrates yet again that phishing attacks are still taking place and continuing to evolve,” researchers said. “Of course, there are a lot of similar domains and domain name homoglyph attacks are unlikely to stop, but by being a bit careful it is possible to avoid falling for this kind of deceit.”