Russian digital scammers staged holiday incursions on Kik instant messenger users, flooding them with genuine-looking offers from big brands and conning them into sharing their personal data. Attacks began on Halloween and continued through Thanksgiving, Cyber Monday, Christmas Day, and New Year’s Day.
Taking advantage of high engagement rates on holidays, the poseurs sent offers of discounts and free gifts from brands and retailers such as Amazon, Best Buy, iPad, and GoPro. The high value of the offers enticed Kik users to copy catchy URLs like “TestiPad.com” and type them into their browsers to fill out forms. This enabled the fraudsters to bypass traditional carrier security controls and give their scams a longer run than they might have enjoyed with email scams.
“After users typed the URL into their phones, they’d be asked for their phone numbers and they might subscribe to something and then start receiving expensive messages,” said Cathal McDaid, head of the threat intelligence unit at Adaptive Mobile, which helped uncover the scam. To generate maximum demand without detection, the URLs were registered just before, or even shortly after, the fake messages were sent. All of the URLs used in the Kik scam resolved to a Russian IP address.
Marketers need to become aware of this innovation in the world of digital fraud, warns McDaid, who chairs the mobile malware group at GSMA, a European mobile technology trade association. “Brands have to be aware that they can be phished on Kik or WhatsApp, as well,” he says. “Neither consumers nor marketers are tuned in to this, because it’s not a normal spamming source like email or Twitter.”
Kik had previously been spammed by porn sites, but now scammers are going legit, as it were. Other brands that had their identities assumed during the holiday assault included Chipotle, Home Depot, Fitbit, Samsung, Sony, and Walmart. As the Russian scammers continue to get more sophisticated, McDaid says, their holiday gambits are sure to increase in 2016 and perhaps begin appearing on Valentine’s Day and Mother’s Day.