If the promise of a cash prize in return for answering a few questions sounds like a deal that is too good to be true, that’s because it is.
WhatsApp users should watch out for a scam that lures victims with the promise of cash rewards from retail giant Costco in return for completing a short survey – all in honor of Costco’s “40th anniversary”.
There’s no prize to be had, of course. Instead, this recurring giveaway scam relies on an old trick – the fraudsters pose as a well-known brand and use a thematic lure to dupe unsuspecting victims into handing over their personal data or installing dodgy apps on their devices.
This particular campaign – which was spotted recently in Mexico and a few more countries in Latin America – uses other tricks to enhance its credibility. For example, the website set up by the scammers features glowing reviews and feedback from past “winners”, which, again, is not an unusual sight in these types of social engineering campaigns.
Don’t believe what you see
Once you click on a link in a WhatsApp message, you’re taken to a website that asks you to fill out the survey. As might have been expected, the survey lists several options, but only one uncovers the “prize”.
Figure 1. Fake survey
Somewhat inevitably, then, you will fail to choose the right one. A few attempts later, you’re encouraged to “select a winning option” – but only as long as you share the campaign link with your WhatsApp contacts.
Figure 2. Would you share the link?
Because many people want to believe the prize is real, many are indeed likely to share the link. This is partly why these kinds of scams ensnare so many people around the world. And as the link is passed along among friends and relatives, the ruse gains an aura of “credibility” and dupes still more victims.
Figure 3. Another step in the ploy
Once you reach the final step to claim your “prize”, you’ll be shown a bogus alert for the presence of malware on your device. Some flavors of these scams will go on to suggest that the victim should download an app to clean up the “compromised” device. In reality, however, it installs software that can steal their personal information. In other iterations, you may be prompted to share your banking details or other sensitive information in order to “transfer the money prize”.
Figure 4. Fake virus warning
Malware on the rise on mobile systems
Threat detections on Android devices went up 8% in the first four months of 2022 compared with the previous four months. HiddenApps, deceptive apps that install without a visible icon or other trace, remain the most common threat in this category.
However, the biggest growth recorded by ESET telemetry was a 170% increase in spyware. This is an especially worrying trend, as such threats harvest as much sensitive data as possible from victims who, for the most part, remain unaware of it for years.
The latest ESET Threat Report also emphasizes that just like Android devices, iOS devices are also targets of cyberthreats. For example, ESET researchers recently discovered malicious cryptocurrency wallets targeting both operating systems in order to steal victims’ seed phrases, the unique code that gives access to users’ crypto wallets.
Social media platforms continue to be a breeding ground for various kinds of fraud. Based on ESET phishing feeds, 23% of all phishing URLs detected in the first four months of 2022 were shared mainly through Facebook and WhatsApp.
Figure 5. Android threat detections, January to April 2022 (source: ESET Threat Report T1 2022).
Staying safe from scams
While both iOS and Android are working to offer a safer environment, it is important for users to do their part as well, taking control over their safety and privacy.
Watch out for offers that seem too good to be true. If something seems off, check whether the URL actually belongs to the brand’s own domain, and look for spelling and grammar mistakes on the page; this kind of scam usually contains plenty of them.
Keep away from purported Costco surveys, giveaways, and other out-of-the-blue, too-good-to-be-true offers, even if the links are shared by trusted contacts. The sender is very likely already a victim of the scam.
Ignore the content and delete the message. Not only will you avoid becoming a victim, but you will also help break the chain.
Make sure you have a security solution installed on your devices.
Keep the operating system and apps on your smartphone updated.
Only trust the official stores, such as Google Play and App Store.
Try to keep yourself informed about common threats – for example, unsolicited messages that ask for your personal information and co-opt the names of well-known brands are one of the most common methods in scammers’ bags of tricks.
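The advice above to check whether a link really belongs to the brand is easy to state and easy to get wrong: scam links routinely put the brand name in a subdomain, in the user-info part of the URL, or in the path, so that a glance at the link looks convincing. The following script is an added example, not code from the original article or from ESET; the brand allowlist and the sample message are constructed for illustration. It applies the only reliable test, suffix matching of the hostname against the brand’s known domains, and labels everything else by how it tries to look official.

```python
"""Classify links in a message by whether they really point to the brand they
invoke. Added example; the allowlist and sample message are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the brand genuinely uses. This is an
# assumption of the example, not a list taken from the original article.
BRAND_DOMAINS = {
    "costco": ("costco.com", "costco.com.mx", "costco.ca"),
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample message in the style of the scam described above.
# None of these hostnames are real; the punycode label is made up.
SAMPLE_MESSAGE = (
    "Costco 40th anniversary! Win $500: "
    "https://costco.com.anniversary-prize.example/survey "
    "https://costco.com@login-prize.example/ "
    "https://www.costco.com/ "
    "https://xn--cstco-abc.example/ "
    "https://news.example/"
)


def normalize_host(url: str) -> str:
    """Hostname only: urlparse already drops user-info (the 'costco.com@'
    trick) and lower-cases; we also strip a trailing dot."""
    return (urlparse(url).hostname or "").rstrip(".").lower()


def is_official(host: str, brand: str) -> bool:
    """True only when host is an allowlisted domain or a subdomain of it.
    'costco.com.evil.example' fails because the allowlisted domain must sit
    at the END of the hostname, not merely appear inside it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def classify_url(url: str, brand: str) -> str:
    """Verdicts:
      official  - host is on the brand allowlist (or a subdomain of it)
      punycode  - an internationalized label (xn--) that the brand does not use;
                  treated as suspicious because homoglyph domains are common
      lookalike - brand name appears in user-info, hostname or path of a
                  host that is NOT on the allowlist
      unrelated - none of the above
    """
    host = normalize_host(url)
    if is_official(host, brand):
        return "official"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    parsed = urlparse(url)
    # Where a victim's eye would catch the brand name: user-info, host, path.
    surface = (parsed.username or "").lower() + host + parsed.path.lower()
    return "lookalike" if brand in surface else "unrelated"


def scan_message(text: str, brand: str) -> list[tuple[str, str]]:
    """Every http(s) link found in a message, paired with its verdict."""
    return [(u, classify_url(u, brand)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE, "costco"):
        print(f"{verdict:9s} {url}")
```

Suffix matching is the whole point: `www.costco.com` ends in `.costco.com` and passes, while `costco.com.anniversary-prize.example` does not, however long the brand prefix is. The user-info form is caught because `urlparse` discards everything before `@` when computing the hostname, so the brand string only survives in `parsed.username`, where the example deliberately looks for it. Query strings are left out of the lookalike check to avoid flagging ordinary links that merely mention the brand.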
Lastly, did we say Costco is not turning 40 this year?