A WhatsApp scam leveraged fake coupons for UK supermarkets to collect users' information and generate fraudulent pay-per-install (PPI) revenue.
Between 13 January and 15 January, several UK users received what appeared to be coupons for Sainbury, Marks & Spencer, and other supermarket chains. Those offers most commonly arrived from a friend via WhatsApp.
Each of these fake coupons asked that users send the offer to five, 10, or even more of their friends. In the meantime, they could claim their gift card by completing several surveys and sharing bits of personal information like their name, address, email address, and phone number.
Other variants of this scam asked recipients to download applications to their device. These applications were legitimate and weren't connected to the scam. The fraudsters selected them specifically so that they could generate fraudulent pay-per-install affiliate fees.
But users received nothing in return for their compliance.
Fortunately, the hosting provider for the three domains associated with this scam has pulled the plug on them. Now the links terminate at a holding page and in so doing prevent the user from reaching the scam pages that link to online surveys or apps.
No doubt there will be other schemes like this one, however, which is why users need to be on the lookout for suspicious or unbelievable offers sent from their friends.
Paul Ducklin of Naked Security agrees and says users shouldn't even take a peek at these types of scams:
"…[E]ven if all you do is to take a look, you’re taking part in something with potentially harmful side-effects on the community around you, from bombarding your friends with unwanted messages to helping crooks to earn affiliate revenues fraudulently."
With that in mind, users should be on the lookout for strange messages sent to them via WhatsApp, Facebook, or another social media platform. If they receive a suspicious piece of correspondence from a friend whom they know, they should contact that person outside of that social network, verify that they in fact sent that message, and ask if it panned out for them if they did. More often than not, they fell for a scam and realized they did so after the fact.