You’re surfing the web, enjoying great content and great articles, looking for the next great digital deal. Little do you know, that deal has found you: “Congratulations!” it says with a buzz.
Even when constantly overwhelmed by commercialization, we enjoy service providers that offer free services. Well, TINSTAAFL if you took Econ in school: “There is no such thing as a free lunch.” We generally accept the trade-off between advertisers and service providers for varying levels of service (and sometimes we simply endure it). Occasionally, an advertiser sneaks past the “well-vetted” brand names on a site to offer ‘unbelievable’ deals…and I do mean ‘walking on water’ unbelievable. Here is a breakdown of one bad redirect I received from a very useful service, Wunderground/Weather Underground.
I’m checking out the 10-day forecast for an upcoming trip when suddenly, I’m redirected to a window of fortune:
- They lead with reputable brands using Google-esque styling, as in this first case (logo, frames, colors).
- They use valid security certificates (the ones in this scenario are from Cloudflare).
- They use identifiable information such as your IP address to determine that you’re a Comcast user, as in my case.
- They use images/icons, in this instance from Google, to give a sense of safety and the feeling of being “logged in” even though you’re not.
- They give a sense of ‘limited exclusive engagement’ around a high-value item with a countdown timer on some trivial questions, and by listing a low number of participants who have actually taken advantage of the offer (increasing your likelihood to gamble on winning).
If the malicious advertiser had someone polishing the branding for them, you can see the damage that could be done in harvesting PII (personally identifiable information), among other things.
We’ll ignore the URL for now, even though it’s at the top of the screenshot, and ignore how we got to the bad redirect; instead we focus on the mechanics of what’s presented once you’re there:
- The Timer
- The Trivia Questions
- The Prizes
- The Corroborating “Winners”
The Timer
As you can see in the shot, the countdown timer is styled in CSS to draw attention, but nothing is wired to fire when the timer expires: there is no callback on expiry. So refreshing the page endlessly gives you endless attempts. However, I do like their use of lambda functions.
The Trivia Questions
To add to the feeling of proper branding (and the feeling of safety), the questions are all about Google. We notice there are no actual return values assigned to the answers aside from the answer text itself. However, the questions do carry unique identifiers (‘q1’, ‘q2’, …) to help you believe the answers are being checked. As you complete each question, it is immediately hidden from view, which is not uncommon in digital test taking. However, the answers aren’t actually logged anywhere.
On completing the questions, you can see another type of timer invoked to produce the symbolic effect of determining your prize eligibility (which by this point is, no doubt, in question): validating your answers, checking IP address, checking prize inventory…all of which are “smoke and mirrors”:
“Hey, I won…”
The Prizes
If we take a look at the prize listing, the options are impressive at first, with a PlayStation 4 even included. They are quickly whittled down: the only offer available is an iPhone Xs Max…with 1 left, but guaranteed. The redirected pop-up tries to show legitimacy through market pricing, since a retail Samsung Galaxy S9 is listed at $599, and even the pictures look pretty decent, at least on mobile.
You’ll notice that even after that tough, timed questionnaire we still have to claim the prize, which takes you further down the rabbit hole: the ‘Claim’ button points at a separate URL (bottom of the above screenshot). I tried retrieving data from the link but was given a 500 internal server error (the Chinese text, per Google Translate, says “Wrong location”…that possible author origin is further validated by the domain registrant info from Whois, if you check yourself):
The Corroborating “Winners”
To add further to the safety blanket, there are a few “reviews” from participants who’ve taken a successful chance, which is certainly a red flag for me: any product or service without a single critical review is inherently suspect. Screen-scraping social photos is not hard, but what makes this interesting is the Facebook-esque comment styling at the end, which contradicts the Google-esque styling of the opening. Even the code lends the comments a sense of recency by stamping them with the current date/time when the page loads.
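Pulling the mechanics described above (the cosmetic countdown, the unscored quiz that is never submitted, the off-host ‘Claim’ link and the client-side review dates) into one triage check, as an added example that is not code from the original post or from the scam page. It runs under Node with regex heuristics over page source only; the sample page, its markup and the hostnames are constructed placeholders, not the real site.

```javascript
// Added example (not from the post): static triage for the tells described above.
// The page below is a constructed fixture that mimics the described behaviour
// only in structure; it is not the real scam page. Hostnames are placeholders.
const samplePage = `
<html><body>
<div id="timer">02:00</div>
<form id="quiz">
  <div id="q1"><label><input type="radio" name="q1">Mountain View</label></div>
  <div id="q2"><label><input type="radio" name="q2">1998</label></div>
</form>
<a id="claim" href="https://claim.example.invalid/go">Claim</a>
<div class="comment"><span class="when"></span>Got mine today!</div>
<script>
  let left = 120;
  setInterval(() => { left--; document.getElementById('timer').textContent = left; }, 1000);
  document.querySelectorAll('.when').forEach(e => { e.textContent = new Date().toLocaleDateString(); });
</script>
</body></html>`;

// Returns a list of red flags found in the HTML; pageHost is the host the page was served from.
function triage(html, pageHost) {
  const findings = [];
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]).join('\n');

  // 1. Countdown decrements forever: no clearInterval and no zero check, so expiry does nothing.
  if (/setInterval\(/.test(scripts) && !/clearInterval|<=\s*0\b|===?\s*0\b/.test(scripts))
    findings.push('countdown has no expiry handling');

  // 2. Quiz inputs carry no value attribute, so there is nothing to score.
  const quizInputs = [...html.matchAll(/<input[^>]*>/gi)].map(m => m[0]).filter(t => /name="q\d+"/.test(t));
  if (quizInputs.length > 0 && quizInputs.every(t => !/\bvalue=/.test(t)))
    findings.push('quiz answers carry no values');

  // 3. The quiz form has no action and the scripts never send anything: answers are not logged.
  if (/<form\b/i.test(html) && !/<form[^>]*\baction=/i.test(html) && !/fetch\(|XMLHttpRequest|\.submit\(/.test(scripts))
    findings.push('quiz answers are never submitted');

  // 4. The claim button leaves the page's host, the next hop down the rabbit hole.
  const claim = html.match(/<a[^>]*id="claim"[^>]*href="([^"]+)"/i);
  if (claim && new URL(claim[1]).host !== pageHost)
    findings.push(`claim link leaves page host for ${new URL(claim[1]).host}`);

  // 5. "Review" timestamps are minted in the browser with new Date(), not stored with the review.
  if (/new Date\(\)/.test(scripts) && /class="comment"/i.test(html))
    findings.push('review timestamps generated client-side');

  return findings;
}
console.log(triage(samplePage, 'prize.example.invalid'));
```

Each heuristic is deliberately loose; the point is to flag a page for a closer look in devtools, not to prove it is a scam.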
Telltale Signs…
Initially, I was curious about the domain; some of my thoughts on a possible origin were corroborated, but I was surprised by some of the results. The website itself has valid SSL, it’s very snappy (in fact, <15ms latency, with content hosted on Cloudflare), and there is decent styling. However, the pixelation in images, the unpolished CSS, the mismatch between domain and content, and the other things I’ve described are keys to identifying phishing scams. After I had spent some time looking through this, I hit the back button on my browser to try my luck and spin the wheel a few more times!…and turned up quite a few other variations (domain and branding). Have a look…