RESEARCH REPORT ON :
“Amazon 30th anniversary celebration, Free gifts for everyone!” scam
The Research Wing of CyberPeace Foundation received some links via WhatsApp claiming that free gifts are being distributed on the occasion of the 30th anniversary of Amazon.
Case Study :
The Research Wing of CyberPeace Foundation, along with the Research Wing of Autobot Infosec Private Limited, started an in-depth investigation of the links to determine whether the campaign is legitimate or an online fraud.
During the investigation both links, http://hdldjas[.]cn/amazonhz/tb.php?v=ss1616912 and http://hfcsivo[.]cn/amazonhz/tb.php?v=ss1617011, redirected us to the same landing page https://vipepls[.]xyz/amazonhz/index.php#XX
** where XX represents a unique 13-digit number, for example 1614920821200 or 1614933135000.
On the landing page a “Congratulations!!” banner appears, followed by a paragraph about the time remaining to claim the gift and a section with survey questions.
At the bottom of the page is a section that looks like a Facebook comment section, where many users appear to have commented on how beneficial the offer is.
The survey asks questions such as ‘Are you male or female?’, ‘How old are you?’, ‘How do you rate Amazon services?’ and ‘Which smartphone are you using?’
After completing the survey, the page says “You have a chance to win gifts.”
After that the user is given three attempts to win the prize.
After completing the attempts it said the user had won a Huawei Mate 40 Pro 5G phone:
“Congratulations!
You did it! You won the Huawei Mate 40 Pro 5G!”
Between attempts, a message showed how many attempts were left.
After that it instructed users to share the campaign over WhatsApp.
After clicking the green WhatsApp button multiple times, a section appeared with instructions to complete registration in order to receive the prize.
After clicking the green ‘Complete registration’ button, users were redirected to https://www.youthewinner[.]net/c/b795XXXXXX?&click_id=q-makuXXXXXX&s1=72530&s2=1249598&s3=backuser&s5=&lp=MJ&j4=&j5=&j6=, where another loyalty program with a spin-the-wheel game was shown.
**[Some characters are replaced with XX for security reasons.]
Users can spin the wheel twice; after that, another congratulations message appears with two options to choose from.
During the investigation we noticed that whichever option is chosen, it redirects to the same loyalty program page again.
In-Depth Investigation :
Key findings :
Domain Name : hdldjas[.]cn
HTTP Status Code : 200 [ Active ]
IP Address : 35.228.5.118
ISP : Google Cloud
ASN : 15169
Country : Finland
Continent : Europe
ROID : 20210301s10001s34605335-cn
Domain Status : ok
Registration Time : 2021-03-01 21:47:26
Expiration Time : 2022-03-01 21:47:26
Registrant : 李会 ( Lee Kai )
Registrant Contact Email : [email protected]
Sponsoring Registrar : 阿里云计算有限公司(万网) ( Alibaba Cloud Computing Co., Ltd. (Wanwang) )
Name Server : ns0she.stackpathdns.net
Name Server : ns8d8c.stackpathdns.net
DNSSEC : unsigned
** Chinese language detected. Alibaba Cloud, also known as Aliyun, is a Chinese cloud computing company and a subsidiary of Alibaba Group.
Domain Name : hfcsivo[.]cn
HTTP Status Code : 200 [ Active ]
IP Address : 34.87.15.228
ISP : Google Cloud
ASN : 15169
Country : Singapore
Continent : Asia
ROID : 20210301s10001s34605363-cn
Domain Status : ok
Registration Time : 2021-03-01 21:47:35
Expiration Time : 2022-03-01 21:47:35
Registrant : 李会 ( Lee Kai )
Registrant Contact Email : [email protected]
Sponsoring Registrar : 阿里云计算有限公司(万网) ( Alibaba Cloud Computing Co., Ltd. (Wanwang) )
Name Server : nset13.stackpathdns.net
Name Server : nstdu9.stackpathdns.net
DNSSEC : unsigned
** Chinese language detected. Alibaba Cloud, also known as Aliyun, is a Chinese cloud computing company and a subsidiary of Alibaba Group.
Domain Name : vipepls[.]xyz
HTTP Status Code : 200 [ Active ]
IP Address : 172.67.214.83, 104.21.35.59
ISP : Cloudflare
ASN : 13335
Country : United States
Continent : North America
Registry Domain ID : D230359359-CNIC
Registrar WHOIS Server : whois.namesilo.com
Registrar URL : https://www.namesilo.com
Updated Date : 2021-03-29T17:00:29.0Z
Creation Date : 2021-03-29T16:46:57.0Z
Registry Expiry Date : 2022-03-29T23:59:59.0Z
Registrar : NameSilo, LLC
Registrar IANA ID : 1479
Name Server : MEERA.NS.CLOUDFLARE.COM
Name Server : PIOTR.NS.CLOUDFLARE.COM
DNSSEC : unsigned
Source code analysis revealed the following :
The title of the site https://vipepls[.]xyz/amazonhz/index.php#XX is “ Amazon 30th anniversary celebration ”.
The images shown in the title bar and at the top left of the page resemble the Amazon logo, by which the campaign tried to pass itself off as an offer from Amazon.
Note : Both images were hosted on Blogspot.
The section that looks like a social media comment area is static, not dynamic. It is built from plain HTML and CSS, so every time the website is visited the section, including the timestamps of the comments, remains exactly the same.
Users are urged to share the campaign with WhatsApp friends and groups.
We found Chinese-language text in the source code.
The campaign collects browser data and system data from the device.
During the analysis we found that a JavaScript file called hm.js was being executed in the background from the host hm[.]baidu[.]com, a subdomain of Baidu used for Baidu Analytics, also known as Baidu Tongji.
Note: “Baidu is a Chinese multinational technology company specialising in Internet-related services, products and artificial intelligence, headquartered in Beijing's Haidian district, China.”
Query URL : hm[.]baidu[.]com/hm.js?9c00d60763ab1c981b7bf2343c65c06a
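The source-code traits listed above (brand name in the title on an unrelated host, logos pulled from a free image host, a third-party analytics beacon, a WhatsApp share prompt and a hard-coded "comment section") can be checked mechanically on a saved copy of a landing page. The script below is an added example written for this report, not code from CyberPeace Foundation or Autobot Infosec. The HTML snapshot, the hosts landing.example and example-logos.blogspot.com, the PLACEHOLDER_SITE_ID query string and the finding codes are all constructed for the example; only hm.baidu.com and the Blogspot hosting are taken from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the traits the report describes; this is not the real page.
SNAPSHOT_1 = """<html><head><title>Amazon 30th anniversary celebration</title>
<link rel="icon" href="https://example-logos.blogspot.com/favicon.png">
<script src="https://hm.baidu.com/hm.js?PLACEHOLDER_SITE_ID"></script></head>
<body><img src="https://example-logos.blogspot.com/logo.png">
<h1>Congratulations!!</h1>
<a href="https://api.whatsapp.com/send?text=https://landing.example/amazonhz/index.php">Share</a>
<div class="comments">
<p><b>User A</b> <span class="when">2 hours ago</span> I got my phone, thanks!</p>
<p><b>User B</b> <span class="when">5 hours ago</span> Great offer!</p>
</div></body></html>"""
# A second capture taken later: identical, as the report observed for the comment section.
SNAPSHOT_2 = SNAPSHOT_1

ANALYTICS_HOSTS = {"hm.baidu.com"}        # third-party beacon host named in the report
FREE_IMAGE_HOSTS = ("blogspot.com",)       # image hosting the report says the logos came from
RELATIVE_TIME = re.compile(r"\b\d+\s+(?:minutes?|hours?|days?)\s+ago\b", re.I)


class PageResources(HTMLParser):
    """Collect the title, image/icon sources, script sources and link targets."""

    def __init__(self):
        super().__init__()
        self.title, self.images, self.scripts, self.links = [], [], [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "link" and "icon" in (a.get("rel") or "").lower() and a.get("href"):
            self.images.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title.append(data)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(page_url, snapshot, later_snapshot=None, brand="amazon"):
    """Return sorted finding codes for one saved page (plus an optional later capture)."""
    page_host = host_of(page_url)
    res = PageResources()
    res.feed(snapshot)
    findings = set()

    # Brand name in the title while no host label equals the brand (crude check, no PSL).
    if brand in "".join(res.title).lower() and brand not in page_host.split("."):
        findings.add("brand-in-title-off-brand-host")
    for src in res.images:
        h = host_of(src)
        if any(h == d or h.endswith("." + d) for d in FREE_IMAGE_HOSTS):
            findings.add("logo-on-free-image-host")
    for src in res.scripts:
        h = host_of(src)
        if h and h != page_host:
            findings.add("third-party-script")
        if h in ANALYTICS_HOSTS:
            findings.add("third-party-analytics-beacon")
    for href in res.links:
        u = urlparse(href)
        h = (u.hostname or "").lower()
        if u.scheme == "whatsapp" or h == "wa.me" or h.endswith("whatsapp.com"):
            findings.add("whatsapp-share-prompt")
    # Relative comment times identical across two captures point to hard-coded HTML.
    if later_snapshot is not None:
        times = RELATIVE_TIME.findall(snapshot)
        if times and times == RELATIVE_TIME.findall(later_snapshot):
            findings.add("static-comment-timestamps")
    return sorted(findings)


if __name__ == "__main__":
    for code in triage("https://landing.example/amazonhz/index.php", SNAPSHOT_1, SNAPSHOT_2):
        print(code)
```

The static-comment check needs two captures taken at different times: genuinely dynamic comment widgets re-render relative times such as "2 hours ago", whereas a section hand-written in HTML keeps the same strings on every visit, which is exactly what the report observed.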
Domain Name : hm.baidu.com
HTTP Status Code : 200 [ Active ]
IP Address : 103.235.46.191
ISP : Beijing Baidu Netcom Science and Technology Co.
ASN : 55967
Location : Hong Kong
Continent : Asia
Domain Name : baidu.com
Registry Domain ID : 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server : whois.markmonitor.com
Registrar URL : http://www.markmonitor.com
Updated Date : 2020-12-09T04:04:41Z
Creation Date : 1999-10-11T11:05:17Z
Registry Expiry Date : 2026-10-11T11:05:17Z
Registrar : MarkMonitor Inc.
Registrar IANA ID : 292
Registrant Organization : Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province : Beijing
Registrant Country : CN (China)
Some of the other domain names found to be associated with the hm.js file are :
Domain Name : tongji.baidu.com
IP Address : 182.61.200.90
ISP : Beijing Baidu Netcom Science and Technology Co.
ASN : 38365
Country : China
Continent : Asia
Domain Name : hmcdn.baidu.com
IP Address : 110.185.186.48 and others
ISP : China Telecom
ASN : 38283
Country : China
Continent : Asia
Domain Name : datax.baidu.com
IP Address : 111.206.210.170
ISP : China Unicom Beijing
ASN : 4808
Country : China
Continent : Asia
Domain Name : sjh.baidu.com
IP Address : 112.34.111.34
ISP : China Mobile Guangdong
ASN : 9808
Country : China
Continent : Asia
Domain Name : ls.wejianzhan.com
IP Address : 157.255.77.151 and others
ISP : China Unicom Guangdong
ASN : 136958
Country : China
Continent : Asia
Domain Name : bs.wejianzhan.com
IP Address : 183.232.232.112 and others
ISP : China Mobile Guangdong
ASN : 56040
Country : China
Continent : Asia
Domain Name : product.weijianzhan.com
IP Address : 219.234.31.163
ISP : West263 International Limited
ASN : 139021
Country : China
Continent : Asia
Domain Name : qianhu.weijianzhan.com
IP Address : 219.234.31.163
ISP : West263 International Limited
ASN : 139021
Country : China
Continent : Asia
Domain Name : aisite.wejianzhan.com
IP Address : 183.232.232.112 and others
ISP : China Mobile Guangdong
ASN : 56040
Country : China
Continent : Asia
Domain Name : ers.baidu.com
IP Address : 220.181.33.68
ISP : China Telecom
ASN : 23724
Country : China
Continent : Asia
Domain Name : ada.baidu.com
IP Address : 112.80.248.191
ISP : China Unicom Liaoning
ASN : 4837
Country : China
Continent : Asia
Conclusive Summary :
The campaign pretends to be an offer from Amazon but is hosted on third-party domains instead of the official Amazon website, which makes it suspicious.
The domain names associated with the campaign were registered very recently.
During the investigation, multiple redirections between the links were observed.
We investigated the URLs in a secured sandbox environment where the WhatsApp application was not installed. If a user opens the link from a device such as a smartphone with WhatsApp installed, the sharing features on the site will open the WhatsApp application on the device to share the link.
The prizes are made very attractive to lure laypeople.
The campaign collects browser and system information as well as cookie data from users.
Chinese-language comments were found in the source code of the site.
The cybercriminals used Google Cloud and Cloudflare to mask the real IP addresses of the front-end domain names used in this ‘Amazon 30th anniversary celebration, Free gifts for everyone!’ campaign. However, several domain names requested in the background during the investigation were traced to China.
CyberPeace Advisory :
CyberPeace Foundation recommends that people avoid opening such messages sent via social platforms. Always think before clicking on such links or downloading attachments from unauthorised sources.
Falling for this trap could lead to compromise of the whole device (access to the microphone, camera, text messages, contacts, pictures, videos, banking applications, etc.) as well as financial loss to the user.
Do not share confidential details such as login credentials or banking information with such scams.
Never share or forward messages containing unverified links on any social platform.
Issued by :
Research Wing, CyberPeace Foundation
Research Wing, Autobot Infosec Private Ltd.
www.cyberpeace.org [email protected]
/cyberpeacefoundation /cyberpeacengo /cyberpeacefoundation