What do a shortened link service (bit.ly), WhatsApp, and google’s free blog service have in common? Scammers!!! From a fake NIN registration to a fake CBN grant, scammers have been working tirelessly to replicate anything in the news that has generated considerable interest into web pages that can be easily shared on the WhatsApp platform.
Everyone loves freebies, even scammers
Looking at the speed and ingenuity with which these fake web pages come to life, you would be right to ask what has brought about this state of affairs. Well, for one we think it is because all the aforementioned services are free. Then they have other attributes that scammers find appealing. For instance, shortened link services have always been a favorite of cybercriminals. They can be used to evade security filters and hide the destination address of a site so the unsuspecting can be easily fooled into clicking a shortened link. Google’s free blog service, blogger, provides an easy way to host a site on the web free of charge, while WhatsApp being the most used social media platform in the country, presents an easy way for scammers to have a large supply of victims.
Find more statistics at Statista
These three factors combined explain why we have a barrage of forwarded messages on WhatsApps impersonating legitimate entities and trying to scam uses of the platform. To show how pervasive the problem is and how difficult it might be to stop, we examined a recent WhatsApp scam forwarded to our intelligence team.
The manifold works of the Dangote empowerment scammer
A quick view of the link behind the shortned link shows it points to the domain https://dangote-empowerment.get-fund.online
Clicking the links leads to a site impersonating the Dangote Foundation and offering a support fund
DANGOTE EMPOWERMENT GRANT
archived 19 Feb 2021 22:08:47 UTC
An inspection of the source code revealed that the domain is connected to a free blogger account.
Also, a close inspection of the domain shows that it a subdomain
A quick Google search revealed 2 more subdomains connected to the main domain.
Both these subdomains were also connected to the blogger platform. Going back to the initial blogger links found in the source code revealed a profile with more domains connected to the blogger platform.
So now we have an alias for our guy, DEXCHI. Clicking on the first link of Dexchi’s profile leads us to a site impersonating the N-power scheme. We notice that it is a subdomain
So we ran a google search on the main domain and discovered three other subdomains as well
Analyzing the source code of the first subdomain, npower.free-fund.online, we found a link to 3 other domains.
FEDERAL GOVERNMENT Npower Support Fund
archived 20 Feb 2021 01:10:40 UTC
free-datatoday.online
opay-invite-friends-programe.online
vchatme.club
Doing a Whois search on npower.free-fund.online and the above listed 3 domains revealed that they all had the Registrant State/Province listed as Akwa Ibom.
Moving on, we examined the source code for the next subdomain from the Google search, cbn.free-fund.online, and we found the email of Dexchi.
Federal Government CBN Grant
archived 20 Feb 2021 02:05:23 UTC
We also see a message that the script which makes the site function is for sale. So anyone who wants to do something similar only has to contact him via email. This means anyone without any technical expertise can have a fully functional site like this to perpetrate their scam for a fee.
Further analysis of the source code revealed a connection to 3 other websites
newsrock.com.ng
vchatme.club (which we discovered previously)
viraltalk.ml
Further review of these websites yielded a name, address, phone number, and email. The address was in Akwa Ibom state, validating previous info. A quick Google search with the details obtained yielded an about me, Dexchi claims to be a web developer, which would seem consistent with him being able to modify scripts.
Duplicator, not Originator
While we noted that Dexchi was selling the script for these sites, we found indications that he didn’t originate the scripts but only modified them. This conclusion was arrived at after further analysis of the source code for npower-ng.free-fund.online revealed other blogger profiles.
Navigating to one of the profiles, we see the same similar scripts being used for various bogus sites. This shows Dexchi copied the script but forget to delete the source during the modification process.
Putting it all together, the availability of these scripts either through being bought or modified, the popular use of WhatsApp, free link shortener services, and a free blogger platform that allows you to connect your domain, we can continue to expect more malicious WhatsApp links.
How to protect yourself
While there are many legitimate services that use shortened links, it is important to recognize that it is a red flag. Any message you received on WhatsApp containing a shortened link service such as bit.ly should immediately put you on alert.
Next, any message promising something like cash, gifts, palliatives or data, should be disregarded. Finally, Never click links in a WhatsApp message. If you get a WhatsApp message about the government, an organization, or an individual, use a search engine to determine their website and navigate there to see if the message you received is legitimate. Following these steps should keep you safe.