WhatsApp turned ten years old in 2019, and that fact has not escaped the attention of cybercriminals looking to exploit the anniversary.
Researchers from ESET have received a WhatsApp message offering 1000GB of free internet data by way of a WhatsApp birthday present to its users.
That message, unsurprisingly, is neither from WhatsApp itself as it purported to be, nor is the offer of 1000GB of free internet data genuine. It is a scam, and not a very convincing one assuming you know what to look for that is.
Unfortunately, given that this is the 10th anniversary year for WhatsApp and gifts to loyal members are not exactly unusual, it would be all too easy for the unwary user to get carried away by the fraudulent promotion.
What does the message say?
"WhatsApp Offers 1000GB Free Internet!" the message reads, with a link to click for more details. That link is the first real giveaway that all may not be as it seems; it isn't an official WhatsApp domain. However, given that many businesses still run their promotions through third party organizations, a practice that has the knock-on effect of validating fraudulent plays such as this one, it's easy to understand how people may still click through.
If they did, then they would find themselves at a landing page, carrying the WhatsApp logo, and announcing: "We offer you 1000 GB free internet without Wi-Fi! On the occasion of our 10th anniversary of WhatsApp." The poorly composed message is overlaid by a bright yellow countdown sticker warning that a limited number of rewards are left, and the first of several questions to answer regarding how you found out about the offer.
As the user starts to answer the questions, a pop-up appears that explains the promotional message must be shared with at least 30 other WhatsApp users to qualify for the promotional giveaway.
Is any malware installed?
The ESET researchers said that there was no evidence that the link itself installed any malicious software, nor scraped personal information, that could be changed by the perpetrators at any time. For now, at least, it would seem that they are happy enough in "racking up bogus ad clicks that ultimately bring revenues for the operators" of the campaign, ESET stated.
Indeed, the domain being used by the WhatsApp scammers also hosts numerous other brand-led so-called promotional offers, including ones for Adidas, Nestle and Rolex.
Can WhatsApp prevent this kind of scam?
"This is a great example of how the digital marketplace has degenerated to the point of easy exploitation by malicious actors," Ian Thornton-Trump, head of cybersecurity for Amtrust International, says. Thornton-Trump argues that the "freemium" pricing strategy by which a product or service is provided free of charge has been detrimental to both privacy and cybersecurity.
Even though, As ESET has stated, the initial scam doesn't go phishing for credentials that is not to say this will not be a possibility. "The whole 1000GB for WhatsApp 10th birthday seems legit," Thornton-Trump says, "I mean who pays for WhatsApp? It's a great attack to phish for credentials to WhatsApp and then pivot to other services on the largely correct assumption a common password will be used across all the victim's accounts."
So could WhatsApp itself do anything to stop this kind of scam? "The only thing WhatsApp can do is start a cyber counterintelligence campaign," Thornton-Trump concedes, "get the word out publicly to all users and in social media that this is a scam as education is our only hope..."
