The International Energy Agency has a clone
Global consumers are talking about rising energy prices- It’s such a hot topic that scammers have started using it as a clickbait driver to draw users to malicious scams.
This month, we’ve seen a massive tech support scam targeting US-based users, luring them with a simple yet effective ad:
This campaign is a classic fake news ad that makes anyone who’s worried about rising fuel prices want to click to read more.
The advertiser name (appearing as NewssW, Newsstand, or NswWow) has no connection to the landing page the user is about to be directed to. That’s when things get interesting.
Scammers run fingerprinting on the user’s device to see if it matches the user profile they seek to attack. They also determine whether an anti-malvertising scanner is hiding behind the ad request.
If scammers determine that the client is worth scamming, a web page takes over their entire screen. It sends an alarming message stating that Windows Defender detected Trojan spyware and that access to their PC has been blocked. This is usually a gateway to a ransomware attack that ends with the user being extorted in an attempt to regain access to their own PC.
On the other hand, if the scammers find something suspicious, they’ll redirect the user through a cloaking mechanism to a dummy landing page.
This page is a nearly perfect copy of the International Energy Agency’s homepage.
See if you can spot the differences:
In this clever social engineering move, scammers cloned the IEA’s homepage to create a contextual connection between the ad and the landing page. Users sent to this page won’t suspect that anything is wrong. What’s more, the links on this page are all live, so if a user clicks on anything, they’ll simply be redirected to the IEA’s actual site and won’t notice any difference.
A close look shows minor differences between the sites. Some of the more recent articles are missing on the dummy site. Further inspection reveals that the domain amysicat.info was registered only very recently – on July 14 – and the owner’s identity is redacted for privacy. Someone clearly has something to hide.
New financial scam floods the German market
Deceptive campaigns in which celebrities allegedly endorse crypto trading apps have been widespread on the internet for quite some time. Still, every now and then, a new breed crops up.
These days, we’re tracking a campaign that has gathered momentum on native ad platforms serving German publishers.
The ads feature TV host Thomas Gottschalk, Federal Minister of Health Karl Lauterbach, and Popstar singer Lena Meyer-Landrut (Lena). They lead with clickbait titles such as “Lena loses everything” and “Tragic Accident”.
Once the ad is clicked, the user is redirected to one of the fake articles that seem to be published on one of Germany’s most trusted media brands:
Those are mockups of ZEIT ONLINE (www.zeit.de) and Axel Springer’s BILD (www.bild.de), which scammers decided to misspell as BLID, perhaps to evade IP infringement claims.
In the articles, each of the celebrities tells readers how they discovered a “Vermögens-Schlupfloch”- a wealth loophole that made them rich overnight.
Any click on the page, including the popup that takes over the screen after a few seconds:
Even the back button, leads users to the BitQT registration page that claims:
It’s easy and anyone can join. You don’t need any knowledge or skills. Sign up with your smartphone, computer or tablet and start today. Don’t miss your chance to get rich.
- Automated trading software
- Available on all devices
- 100% sure
- Pay out again at any time
- Only $250 First Deposit
- Plug & Play – Get started today
- Free support
The truth is that BitQT is a cloned version of the BitXT and BitQS apps.
Those are merely replicas of the Bitcoin ERA and Bitcoin Evolution app scams that we’re seeing globally.
The name and design may be different, but the scam is the same. You register and deposit a minimum of $250 USD or more and then you wait for the magic to happen and make you rich.
By the time you start wondering where your earnings are, you discover that there’s no one to talk to. You send an email to customer support and it bounces. The brokers behind the app are unregistered and located offshore. Your money is long gone.
For now, this scam is not being hidden behind a cloaking mechanism. The scammers seem to be more focused on lead generation than they are worried about being caught. We suspect that they will soon add some level of post-click fingerprinting that will let them avoid scanners and malvertising protection systems. When that happens, rest assured that GeoEdge will be ready.
