The voucher scam

Doron Segal
Jan 17, 2018 · 3 min read

This is probably going to be my shortest post. Today (January 16, 2008) I got a WhatsApp message from a friend.

Please DO NOT press the link! It's a scam.

wow $500 FREE, ya right!

I thought the same thing you're thinking now: why would anyone believe Home Depot will give away $500 for free?!? And yet lots of people press those links. There is a good reason why hackers spend a lot of time coming up with creative ways to hack into your account.

Before diving deep into the technical details: when I get messages such as this, the first thing I do is Google them. Google can tell us a lot with a simple search.

I tried to figure out what they're trying to do by downloading their website to my local computer (I don't want to open it in my browser. If you want to use a browser, make sure to use incognito mode or Tor).

The reason I decided not to open the links in a browser (Tor or incognito mode) is simple: I don't trust browser security, and neither should you.
I downloaded the site to my local computer using wget -m http://www.xn--homedepo-whc.com/ and viewed the files in an IDE. Again, make sure not to double-click the *.html files; your computer might try to open them in a browser.

I also noticed that the domain is different, so I used centralops.net to check who owns the domain.

Another great tool for investigating the domain is dig.

dig is a CLI tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. In the example above I was able to get the original host.

The index.html

<?
$agent = $_SERVER['HTTP_USER_AGENT'];
if (($agent == "WebCopier v.2.2") ||
    ($agent == "WebCopier v2.5") ||
    ($agent == "WebZIP/5.0 PR1 (http://www.spidersoft.com)") || {
  header("Location: http://www.neuewfarben.com/Secure.html");
  exit();
}
?>
<script src="s4.min.js"></script>
<script type="text/javascript" language="javascript">
var areYouReallySure = false;
var internalLink = false;
if (typeof window.orientation == 'undefined' && screen.width >= 1000) {
  window.location.href = 'http://neuewfarben.com/404';
  areYouReallySure = true;
}
</script>

Both the server-side code (PHP) and the client-side code (JavaScript) will redirect us to http://neuewfarben.com/404. If you request this page with an HTTP_USER_AGENT equal to WebCopier or WebZIP/5.0 PR1 (http://www.spidersoft.com) (you can simply edit the request's user agent to one of those strings), the server will redirect you to the 404 page under the domain neuewfarben.com. The JavaScript does the same for any browser where window.orientation is undefined and screen.width is at least 1000.

Most of these scams redirect bots or traffic that may harm them (such as their clients, or internet cops) to a legit website so they won't get caught.

s4.min.js: the interesting part

(function(window, location) {
  history.replaceState(null, document.title, location.pathname + "#!/history");
  history.pushState(null, document.title, location.pathname);
  window.addEventListener("popstate", function() {
    if (location.hash === "#!/history") {
      history.replaceState(null, document.title, location.pathname);
      setTimeout(function() {
        location.replace("http://www.xn--homedepo-whc.com/final.html");
      }, 0);
    }
  }, false);
}(window, location));

history.replaceState and history.pushState

According to Mozilla, these methods let a site manipulate the browser history. In this case the script rewrites your browser history so that going back (the popstate event) replaces the page with a different one: http://www.xn--homedepo-whc.com/final.html

final.html

<meta http-equiv="refresh" content="0;URL='http://track.voltrrk.com/fe1cb691-b2aa-4213-8e85-___DONT_CLICK___-d8613285e52c'" />

Seems like our friend just wants to send traffic to this link and make some $$$.

To summarize this post: please remember there is no such thing as free money!
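The same inspection can be done without opening anything in a browser. The Python script below is an added example, not code from the original post: it scans downloaded files as plain text for the three redirect mechanisms shown above and decodes punycode (xn--) hostnames so the lookalike character becomes visible. The function names are hypothetical, and the sample input is constructed from the excerpts in this post with the tracking URL replaced by a placeholder host.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# One pattern per redirect mechanism seen in the downloaded files.
PATTERNS = {
    "php-header": re.compile(r"""header\(\s*["']Location:\s*([^"']+)["']""", re.I),
    "js-location": re.compile(
        r"""location(?:\.href\s*=|\.replace\()\s*["']([^"']+)["']""", re.I),
    "meta-refresh": re.compile(
        r"""http-equiv=["']refresh["'][^>]*?URL=['"]?([^'">\s]+)""", re.I),
}

def decode_host(host):
    """Decode punycode (xn--) labels so lookalike characters become visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def lookalike_chars(host):
    """Name every non-ASCII character hiding in a decoded hostname."""
    return [unicodedata.name(c, "UNKNOWN") for c in decode_host(host) if ord(c) > 127]

def find_redirects(text):
    """Return (mechanism, url, decoded host) for each redirect target in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for url in pattern.findall(text):
            hits.append((kind, url, decode_host(urlsplit(url).hostname or "")))
    return hits

# Constructed sample: excerpts from the files quoted in this post, with the
# tracking URL replaced by a placeholder host.
SAMPLE = """
<? header("Location: http://www.neuewfarben.com/Secure.html"); exit(); ?>
<script>window.location.href = 'http://neuewfarben.com/404';</script>
<script>location.replace("http://www.xn--homedepo-whc.com/final.html");</script>
<meta http-equiv="refresh" content="0;URL='http://tracker.example/placeholder-id'" />
"""

if __name__ == "__main__":
    for kind, url, host in find_redirects(SAMPLE):
        print(f"{kind:12} {url}  ->  {host}  {lookalike_chars(host)}")
```

Any hostname that reports a non-ASCII character after decoding deserves a second look before anyone trusts the link.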

Stay Safe
