Exposing a Singapore Airlines Free Ticket Scam

A family member posted a link to an apparent “free trips with Singapore Airlines ticket” on a family WhatsApp group a few days ago, but I had too much time at home nursing a cold and wanted to dig deeper.

I believe this is the same scam as what’s been talked about here, but I had a more technical writeup regardless. I’ll be updating this post as I gather more technical information over the next few days.

The page itself is an interesting one…

A screenshot of the malicious site

First, let’s start grokking the URL. I first tried to load it on desktop, and this is where things get extra shady as I was constantly being redirected to Google. The site loads fine on mobile though, as depicted in the screenshot above.

Let me try some wget magic and look at what’s inside my.html:

$ wget www.singaporeair.com-ticketsfree.win/my.html

Hmm… this line looks fishy!

Uh, why redirect to google.com when the screen width is ≥1000?

Mobile screens tend to have smaller widths due to their proportions. It seems the scammer wants this to be rendered only on mobile, because the full-length URL tends to be masked or truncated on mobile browsers due to the limited screen real estate.

Since the start of the hostname is very similar to the official Singapore Airlines domain, singaporeair.com, the scammer was hoping that people wouldn’t catch this? Nice try.
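To make the hostname trick above concrete, here is an added example (not part of the original post or the scam page) that works out which domain was actually registered and flags hosts that merely embed a brand's domain. The `PROTECTED` list and the small suffix set are assumptions standing in for a real watchlist and the full Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; real tooling
# should load the full list instead of this hand-picked set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.sg", "com.au"}

# Assumption: the brand domains this check is meant to protect.
PROTECTED = {"singaporeair.com"}


def registrable_domain(host: str) -> str:
    """Return the domain someone had to register to serve this host."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(url: str) -> Optional[str]:
    """Return the protected domain a URL imitates, or None.

    A host imitates a brand when the brand's domain appears inside the
    hostname on a label boundary, yet the registrable domain is different.
    """
    # Accept bare "host/path" strings as well as full URLs.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    if registrable_domain(host) in PROTECTED:
        return None  # genuinely served from the brand's own domain
    padded = "." + host.lower() + "."
    for brand in PROTECTED:
        # Brand followed by "." (extra labels) or "-" (glued onto a label).
        if f".{brand}." in padded or f".{brand}-" in padded:
            return brand
    return None


if __name__ == "__main__":
    for u in ("www.singaporeair.com-ticketsfree.win/my.html",
              "https://www.singaporeair.com/"):
        host = urlsplit(u if "//" in u else "//" + u).hostname
        print(u, "->", registrable_domain(host), "| imitates:", lookalike_of(u))
```

The registrable domain is the last part of the hostname, and it is also the part a truncated mobile address bar is least likely to show.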

Alright, moving on…

I wondered if the language used in the code comments could give me a clue about this scammer’s native language, so I asked Google Translate:

var teilen = 10;
var pruefen = 0;
//3 Fragen und Pruefung

We have someone who knows German. As you can see in the full source, there are German comments left all over the place.

This makes me cringe the most: If you have basic grammatical errors, there’s a good chance you’re not legit. I mean, QA can’t be that bad right? Sigh.

Rookie mistake

The key to developing a “good” scam that’s effective is to make one that’s virtually indistinguishable from the legitimate site. In technical speak, you’ll want the images, icons, styles etc. to match what, in this case, Facebook looks like.

I presume the scammer did this by scraping a legitimate Facebook page and modifying it to render static text + images. All of the users’ profile pictures are static images, and the likes + comments are hardcoded.

Hardcoded comments for Facebook posts

Oh boy, this is juicy!

So this giveaway also has a ticket counter. The idea is to create an illusion that the tickets are running out as more users are redeeming them. But wait, how does the ticket counter work?

This would get shot down in a code review

Uhh okay… It seems like the timer was hacked together to decrease over time. The if-else blocks were pretty nasty imo.

And this is how the seed is planted:

Share the love (scam)!

Conclusion

A general rule of thumb is this:

There’s no such thing as a free lunch. If it sounds too good to be true, it probably is. *

* Unless you work in tech and your employer pays for your meals!

By the time I was ready to review a 2nd draft of this post, Google had this to say about the site:

Phew.

Resources:

[1] — A saved copy of the entire my.html script