
United Nations scholarship scam

It hurts me to see how most students are being scammed with fake scholarship adverts spreading through major communication platforms such as WhatsApp, Instagram and Facebook.

This is an example of one of these phishing campaigns, in which students are tricked into giving out their personal information. In addition, they also get a piece of malware or two as a bonus😂😂

These campaigns are spread in most WhatsApp groups by unknowing students. The campaign above is somewhat similar to a case study done by a close friend, @dwambia, in 2021: the-commonwealth-government-scholarship-phishing-campaign.

TECHNICAL ANALYSIS.

The link in the advert is hxxps://scholarship.gift-out[.]com/; I have modified it to avoid accidental clicks. Many students fall victim because the link uses the HTTPS protocol. On visiting the URL, we get a poorly customized site.

Scrolling down, we get a fake scholarship application form that captures personal information.

The form has grammatical errors too🤣🤣

After filling out the form, the students are asked to share the advert in their networks to unlock their visa application form. (smh)

The invite friends/group button calls an incrementValue1 function that opens the WhatsApp advert sharing intent with the hardcoded phishing message.

Another interesting function, incrementValue_i, uses cookies to keep count of the number of clicks and warns the victims against sharing the link to the same WhatsApp groups😂😂. This is a crude but effective method to boost traffic to this site.

Inside the incrementValue_i function, there’s yet another interesting check: if the hw cookie value exceeds 12, it calls a function lasthtml() that updates the UI with some unrealistic promise.

Further analysis of the unlocked VERIFY NOW and CLICK HERE buttons shows that both buttons use the same function.

The shared dapp() function takes the victim to the site https://nyalelink.blogspot[.]com/, which acts as an ad server. Any time you visit the site, you are redirected to different ad sites where further extortion, premium SMS subscription, or malware installation happens.
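
The three behaviours traced above (a WhatsApp share link with a prefilled message, a cookie-backed click counter with a threshold, and a hard-coded off-site redirect) can be checked for statically when triaging a reported page. The scanner below is an added example, not code from the phishing site or from this analysis: the regex heuristics, the `scanShareGate` and `offsiteRedirects` names, and the sample script with its `example` hosts are assumptions constructed for illustration.

```javascript
// Heuristic patterns (assumptions for illustration, not signatures from the real kit).
const INDICATORS = {
  // Share link with a prefilled message, in the common WhatsApp link forms.
  whatsappShare: /(?:whatsapp:\/\/send|api\.whatsapp\.com\/send|wa\.me\/)[^"'\s]*[?&]text=/i,
  // Script reads or writes cookies directly.
  cookieAccess: /document\.cookie/,
  // A variable compared against a numeric literal, e.g. `hw > 12`.
  counterThreshold: /\b[A-Za-z_$][\w$]*\s*>=?\s*\d+\b/,
};
// Hard-coded navigation targets: location assignment, replace/assign, window.open.
const REDIRECT = /(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(|window\.open\s*\()\s*["'](https?:\/\/[^"']+)["']/gi;

// Hosts the script navigates to that are neither the page itself nor WhatsApp.
function offsiteRedirects(source, pageHost) {
  const hosts = new Set();
  for (const m of source.matchAll(REDIRECT)) {
    let host;
    try { host = new URL(m[1]).hostname; } catch { continue; }
    if (host !== pageHost && !/(^|\.)whatsapp\.com$|^wa\.me$/.test(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// "share-gate" only when all three indicators co-occur; any subset is "review".
function scanShareGate(source, pageHost) {
  const names = Object.keys(INDICATORS);
  const hits = names.filter((k) => INDICATORS[k].test(source));
  const verdict = hits.length === names.length ? "share-gate" : hits.length ? "review" : "clean";
  return { verdict, hits, redirects: offsiteRedirects(source, pageHost) };
}

// Constructed sample: function and cookie names follow the write-up, bodies and hosts are invented.
const SAMPLE = `
function incrementValue1() { window.open("whatsapp://send?text=CONSTRUCTED-ADVERT-TEXT"); }
function incrementValue_i() {
  var hw = parseInt(getCookie("hw") || "0", 10) + 1;
  document.cookie = "hw=" + hw;
  if (hw > 12) { lasthtml(); }
}
function dapp() { window.location.href = "https://ads.example.net/landing"; }
`;

console.log(scanShareGate(SAMPLE, "scholarship.example.org"));
```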

Conclusion

Always think before you click. The post below from @SwiftIntellect cc @CyberSpaceKenya highlights some of the indicators of a phishing attempt and what to do if you suspect a site might be malicious.

#BeCyberAware

This post is licensed under CC BY 4.0 by the author.
