Research Report on the Scams in Names of Indian Railway and Big Brands in India released

WhatsApp messages masquerading as the offers from various giant entities with links luring unsuspecting users with the promise of transport subsidy, medical subsidy, recharge offer, free travel tickets etc., have been making the rounds on the app recently. If you receive such messages try to stay away from these, as these can be a scam.

Images above show Fake WhatsApp Messages (Screenshots)

The Research Wing of CyberPeace Foundation, Autobot Infosec Private Limited along with CyberPeace Center of Excellence (CCoE) have conducted six different studies based on these WhatsApp messages that contained links pretending to be a free subsidy, recharge offer and travel tickets from Indian Railways, Apollo Hospitals, Haldiram, Emirates Airlines, Various Telecom giants and Tata Group which ask users to participate in various offers and survey in order to get a chance to win the prizes.

On the landing page a Congratulations message appears with the attractive photo of the offers and ask users to participate in a quick survey or questionnaires in order to avail the said offers. All the links showcase the respective logos of the said entities and ask users to take the survey to win recharges and subsidies.

Also at the bottom of the page a section comes up which seems to be a comment section where many users have commented about how the offers are beneficial.

All the surveys start with some basic questions like Do you know the above mentioned companies? How old are you? What do you think of Emirates Airlines or Haldiram’s? Are you male or female? etc.

Once the user answers the questions a “congratulatory message” is displayed. After Clicking the OK button users are given three attempts to win the prizes.

After completing all the attempts it says that the user has won the respective offers.

Image 2: Fake congratulatory messages

Clicking on the ‘OK’ button, it instructs users to share the campaign on WhatsApp. Strangely enough the user has to keep clicking the Whatsapp button until the progress bar completes. After clicking on the green ‘WhatsApp’ button it shows a section where a “Congratulations” appears once again.

During the analysis the research team found a JavaScript code called hm.js was being executed in the background from the host hm[.]baidu[.]com which is a subdomain of Baidu and is used for Baidu Analytics, also known as Baidu Tongji. The important part is that Baidu is a Chinese multinational technology company specializing in Internet-related services, products and artificial intelligence, headquartered in China.

The campaign, pretending an offer from TATA, insists users to download an application from a third party app store.

To read the detailed reports, visit www.cyberpeace.org/publications

The detailed study helped CyberPeace and AutoBot Infosec Pvt Ltd to come to the following conclusions:

• The whole research activity was performed in a secured sandbox environment where the WhatsApp application was not installed. If any user opens the link from a device like smartphones where WhatsApp application is installed, the sharing features on the site will open the WhatsApp application on the device to share the link.

• The campaign collects browser and system information from the users.

• Most of the domain names associated with the campaign have the registrant country as China whereas the campaign that offers free 30GB of internet data has the registrant country as Pakistan.

• Cybercriminals used Cloudflare technologies to mask the real IP addresses of the front end domain names used in the campaigns. But during the phases of investigation, the research team has identified a domain name that was requested in the background and has been traced as belonging to China.