Passive income, working from home, no experience needed – sounds like a dream job? That’s what scammers all around the world are currently offering!
We’ve all probably received some tempting offer for a get-rich-quick product, job, or investment opportunity. While these scams are nothing new for technically educated users, lots of people, especially those in desperate financial situations, can still be vulnerable and fall for the scam, losing everything instead of earning a few dollars on the side.
Whalebone initially investigated a current SMS campaign sending supposed job offers from well-known recruitment agencies in Czechia and promising highly competitive salaries for just a few hours of work from home. Scammers then redirect victims to WhatsApp and send them registration links to their domain which impersonates famous retail brands such as Amazon, Argos, Target, and Walmart, for which they’ll be allegedly working. In reality, however, it’s a scheme to gather your personal information and make you send money to their Tether (USDT) cryptocurrency wallets.
By investigating the domains, we’ve discovered that Czechia is merely a drop in the ocean of their operation – the same group runs a wide scamming scheme with hundreds of domains mostly targeting the Pacific region, Vietnam, India, Middle-east and Latin America, but also has numerous English localized versions.
First contact in Czechia
We discovered this campaign in Czechia in a form of an SMS or WhatsApp message offering a suspiciously lucrative job from a well-known job agency - 60,000 CZK (roughly 2,500€ while the average monthly income in the country is roughly 1,660€) for just one hour a day of marketing work from the comfort of your home. Tempting!
Messages came from Thailand (+66) or Malaysian (+60) numbers in slight variations, referring you to WhatsApp contact with Czech code (+420). As some numbers within our research that got these messages were only used for WhatsApp and aren’t registered anywhere else, there is a high probability that the scammers are using contacts from a recent WhatsApp leak.
Upon contacting the provided number on WhatsApp and showing interest in this luxurious offer, operators always exchanged a few messages with us, trying to make an impression of a job interview. After chatting with several of them, however, it became apparent they just send pre-prepared auto-translated messages regardless of what you write. Some even use the same profile picture on WhatsApp on multiple accounts. In the end, you’ll receive a link to their website along with the registration code you need to access it.
Our first thought was that this is a security measure to delay the detection of the domain by reputation services, however, the code was always the same, so we believe it’s just a scheme to appear more exquisite to the victim.
The page in this case impersonated a British retail company Argos and offered a chance to earn money by simply “optimizing the products” on their website – this varies from site to site, but the system always remains the same. We initially suspected this would be a front for something malicious, such as a background crypto miner or drive-by malware download, but this proved negative. The site serves only as a “game” that shows fake earnings and lures victims into sending more money to invest into this “account” – by using the Tether (USDT) cryptocurrency.
The trick is, that you first start with what the scammers call a demo account, where each click rewards you with a few dollars and it appears you are earning money. After a while, however, you’ll switch to a “production” account, but here you can only start “working” with at least 50$ in your account – which of course they want you to deposit.
Worldwide affiliate operation
The sites are hosted using Google Cloud Services in Hong Kong and registered anonymously from China. In the sites themselves, there were however two interesting details:
- It was solely made for mobile browsers, with no desktop option.
- Site used a distinct favicon and was built using ThinkPHP, a little-known backend framework mostly used in China.
Pivoting on these characteristics and common patterns, we’ve discovered hundreds of similar domains all around the world and 5-10 new ones generated every day, impersonating more retail brands in the same manner – AliExpress, Amazon, Target, Shopify, sometimes even banks or investment funds. All with identical layouts, walk-throughs, and sharing the same blocks of code, just rebranded to fit its desired scam. The fact that it only targets mobile users suggests the target audience is probably mostly from South Asia and Pacific regions, where smartphones are the prevalent method of internet access.
By digging further and testing some of those sites, we’ve noticed a pattern of two possible strains of this campaign:
- One spreading via SMS and sending fake job offers. These appear to mostly target the western part of the world and are hosted in Hong Kong (AS396982 or AS64050) mostly on Google Cloud services with some outliers at different providers in Singapore or Thailand. In these cases, the scammer will first exchange a few messages with you and only after that will send you a link with an invitation code. Their primary form of contact is WhatsApp.
- Second is posing as an investment opportunity, hosted almost exclusively using Cloudflare and targeting Middle-east and Asia regions, mostly Turkey, Vietnam, Indonesia, India, and Thailand. These are spread in Telegram channels, through affiliates posing as investment advisors, or even on youtube channels of “investment influencers”. The invitation code is already part of the link that is shared publicly. We’ve even discovered several Youtube channels from Turkey, Indonesia, Ethiopia, UAE, and India propagating these websites and showing tutorials on how to register and "make money". Some even openly show their faces.
There is however a significant overlap between the two in sites that are localized for Vietnam and Brazil. Ironically, while leading us to this discovery, the Czech version was the biggest outlier of them and we didn't find any other domains directly targeting Europe.
Based on the same backend, layout, and scam scenario across the world, we believe that rather than being operated by a single group the platform might be rented to affiliates who rebrand and create variants for individual countries or regions.
If something sounds too good to be true, it probably isn’t. You never get something for nothing. Be cautious before signing up for anything online and never give out your personal information to anyone before checking trusted reviews of their service.
