CORONAVIRUS

Digital scammers latch on to Covid-19 to harvest personal data in South Africa

By Jean le Roux for DFRLab 16 April 2020

Iterations of this “free voucher” scam have targeted South African users since 2014. Now, with a nationwide lockdown in effect in South Africa in an attempt to curb the spread of the virus, the scammers’ angle of attack has shifted to keep the old scam current. (Source:@jean_leroux/DFRLab)

A Hong Kong-based marketing firm breathed new life into a tired ‘free voucher’ scam by making it coronavirus-related.

Planet49, a Hong Kong-based digital marketing company with close associations with Asia Pacific Marketing Limited, targeted South African users with a digital marketing campaign intended to harvest their personal information. The campaign falsely presented a Covid-19 “relief promotion” by local grocery chains. In reality, it enticed WhatsApp users to not only share the promotion with several of their WhatsApp contacts, but also consent to Planet49 selling their personal information to third parties. 

The grocery chains referenced in the campaign have denied any involvement with Planet49. 

A DFRLab investigation analysed the source code of these websites, which revealed the links to a Planet49 website registered in 2014. The website had fabricated a Facebook-style comments section using an API for randomly generating profile pictures. Reverse image searches revealed that these profiles pictures were used prolifically across social media, blogging platforms, and review platforms on other websites. 

Display Adverts

There is evidence that some of these campaigns were used in Australia as well.

Planet49 registered the www.sa-rewards.co.za domain in May 2014. Less than a year later, the first warnings against the website and its fake voucher lotteries began circulating online. In 2019, Planet49 was reprimanded by the European Court of Justice for transgressing GDPR requirements in its online lotteries. Meanwhile, crucial sections of South Africa’s Protection of Personal Information (POPI) Act, meant to be the country’s parallel to GDPR, are still in limbo since some sections of the act were promulgated six years ago. 

The website 

The campaign spread mainly via a short WhatsApp message that contained a link to a seemingly legitimate website for one of South Africa’s grocery chains. 

This message was deceptively styled to mimic the official Woolworths website and gave the impression that Woolworths was giving away R5,000 ($280) worth of groceries as part of a coronavirus support programme.

A screengrab of the WhatsApp message linking to the dubious website, indicating the deceptive logo and URL. (Source: @jean_leroux/DFRLab)

Once a user clicked on this link, a two-stage process commenced. 

Firstly, a landing page (woolworths.co.za-groceries.store) enticed the user into sending the same WhatsApp message containing a link to the website to several of their contacts. This landing page changed twice during the course of the DFRLab investigation, but the content remained identical. It did this by taking the user through a short survey before prompting them to send the link to at least 10 of their contacts. A counter would keep track of the number of times a user shared this with their friends or groups. 

These steps could be discerned from the JavaScript functions embedded into the buttons.

A screengrab from the source code of the page revealing the functions called when clicking the buttons. Clicking the ‘WhatsApp’ button (red) pre-drafted a WhatsApp message to be forwarded to several contacts, whereas the ‘Continue’ button (purple) would check if the post was shared enough before allowing a user to click through to www.sa-rewards.co.za. A third function (blue) was unused and seems to be from a version of the site that used SMS messages. (Source: @jean_leroux/DFRLab)

Once the threshold was met, it would allow the user to click through to a second website, www.sa-rewards.co.za. This website was registered to Planet49, and required the user to enter their personal details, and consent to Planet49 processing and selling this information to third parties for marketing purposes, before they could secure an entry into the draw. 

This process ensured that users propagated the website to several of their WhatsApp contacts before they even entered the drawing by providing their personal information. 

A schematic representation of the flow of the campaign. (Source: @jean_leroux/DFRLab via Draw.io)

This coronavirus “promotion” was deceptive. The domain names were crafted in such a manner that they mimicked Woolworths’ official domain, and official logos were used to give the impression that the campaign was sanctioned by Woolworths. The mention of the coronavirus kept the campaign – which seems to have been running since 2016 – fresh. 

A dive into the source code of the www.sa-rewards.co.za website revealed that in addition to Woolworths, the campaign also targeted two other grocery chains, Pick n Pay and Spar. The site would be tailored to either Woolworth, Spar, or Pick n Pay shoppers depending on the link you received. 

A screengrab from the source code of the www.sa-rewards.co.za website indicating that the site changed its display text to one of three grocery chains depending on the link you used to access it. (Source:@jean_leroux/DFRLab via SA-rewards.co.za)

Another deception was the way in which a portion of the website was designed to imitate a Facebook comments section. This featured several happy “participants” expressing their satisfaction at receiving their vouchers, despite the drawing date only being slated for June this year. 

The source code, however, revealed that this was fake. The Facebook comments section was hard-coded into the website, and was made to imitate real users’ comments and likes. The source code also showed that the “user profiles” were being generated automatically using an API built specifically to generate random user accounts. 

Screengrabs from the www.woolworths.co.za-grocery.store website (left) imitating a Facebook comments section, and the accompanying source code (right). Note that these comments were hard-coded, and the profile pictures sourced programmatically from a website that generates fake profiles. (Source: @jean_leroux/DFRLab)

Reverse image searches of these photographs revealed that scores of websites used the same profile pictures on their websites. These included customer reviews for a gaming-sales website in Germany, a WordPress management tool, and even hidden unused in the source code of the website for a UK-based dentist.

 

A reverse image search conducted on some of the profile pictures used by the fabricated Facebook comments section revealed that the same pictures saw extensive use. Multiple Twitter, Medium, WordPress and dating site accounts were found using these profile pictures. (Source: @jean_leroux/DFRLab)

 Iterations of this “free voucher” scam have targeted South African users since 2014. In a country rife with unemployment and inequality, the promise of a substantial voucher in exchange for personal information seems enticing. Now, with a nationwide lockdown in effect in South Africa in an attempt to curb the spread of the virus, the scammers’ angle of attack has shifted to keep the old scam current. DM

 Jean le Roux is a research associate, southern Africa, with the Digital Forensic Research Lab and is based in South Africa.

The DFRLab team in Cape Town works in partnership with Code for Africa.

Follow along for more in-depth analysis from our #DigitalSherlocks.

This article was first published  here

Gallery

Days of Zondo Newsflash

End of the line as Zondo tells Zuma appearance dates are non-negotiable

By Erin Bates