I’ve been really dumb and clicked a phishing link.
The link arrived via WhatsApp and consists of:
A Nubank está fazendo aniversário e quem ganha o presente é você!. São 2.000 convites para um novo cartão com até R$ 12.000,00 de limite, e o melhor, sem consulta ao SPC/Serasa. Eu já fiz o meu, corra fazer o seu, restam poucos convites! Para resgatar seu convite acesse 👉
(Translation from Portuguese: "Nubank is celebrating its anniversary and you are the one who gets the present! There are 2,000 invitations for a new card with a limit of up to R$ 12,000.00, and best of all, with no SPC/Serasa credit check. I already got mine, hurry and get yours, only a few invitations left! To redeem your invitation go to 👉")
(Roughly translated, it offers a new credit card or an upgrade to your current one).
The redacted link opens this which redirects to this.
I’ve opened the link on my mobile browser (Chrome 72.0.3626.121 on Android 6.0.1, the latest Chrome for Android according to Wikipedia) and didn’t initially realize it was a phishing campaign.
It shows a generic “landing page”, but didn’t ask for personal data, just 3 apparently innocuous questions.
I answered the questions and then it instructed me to share a link with my WhatsApp contacts.
I got suspicious and quit. Then I called my card provider and they assured me they don’t do campaigns on messenger apps and the links were not legitimate.
What do they want?
What’s the point of this campaign if they don’t ask for personal data or passwords? They seem to go from the “capture” to the “replication” stage without the actual action in-between.
Here’s what the whole process looks like:
- Receive the previously stated message from a trusted WhatsApp contact.
- Click on the link, it opens a sort of “landing page”.
- The page contains some jQuery code and a button with a yes/no question. You pick an answer, it shows another yes/no question, 3 in total (“Do you own an ‘x brand’ card” / “Would you like a new one with a $12k limit” / “Do you prefer Mastercard or Visa”).
- From a very quick glance on the code, it looks like they don’t even send that data anywhere, as there is no
- Now the page asks to “share this with your WhatsApp contacts” and shows a link.
- Clicking this link opens the real, actual WhatsApp app in a sharing screen asking you to pick a contact (I stopped here and closed WhatsApp without picking a contact).
- If you pick a contact, it sends them the very same message that brought me to this very page (I didn’t actually send anyone anything and inferred this from logic as well as from the code, as the message I received is hard-coded in the source code).
Something must be happening on that page, but it isn’t capturing private info; at least, not ones inputted by the user. It looks like all they want is for exponential sharing to happen and then… what?
Is there an exploit or other kind of payload here?
Has my browser or OS been compromised?
I have cleared all my cookies and site data from Chrome. Is there any other action I should perform?
It would be really inconvenient to reset my device to factory state, and even more to flash a retail ROM. I only want to do it if absolutely necessary.
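The post's two observations about the page (the share button is a WhatsApp deep link carrying a hard-coded message, and the yes/no answers never leave the browser) can be checked offline against a saved copy of the page rather than by eyeballing the jQuery. The script below is an added example, not code from the original post or from the phishing page: it runs a static triage over an HTML string, pulls out WhatsApp share links (`whatsapp://send`, `api.whatsapp.com/send`, `wa.me`) and decodes their `text` parameter, and flags the usual client-side channels a page would need to exfiltrate input (`fetch`, `XMLHttpRequest`, jQuery AJAX helpers, `sendBeacon`, a `<form action>`, `WebSocket`). The embedded sample HTML is constructed to mimic the described three-question flow; its message text and `example.invalid` URL are placeholders, not the real campaign's.

```javascript
// Static triage of a "share-to-WhatsApp" lure page. Added example; the sample HTML
// below is CONSTRUCTED to resemble the page described in the post, not captured from it.
const SAMPLE_HTML = `
<html><body>
<div id="q1">Do you own an X brand card? <button class="yes">Yes</button><button class="no">No</button></div>
<div id="q2" hidden>Would you like a new one with a R$ 12k limit? <button class="yes">Yes</button><button class="no">No</button></div>
<div id="q3" hidden>Do you prefer Mastercard or Visa? <button class="yes">Mastercard</button><button class="no">Visa</button></div>
<div id="share" hidden>
  <a id="wa" href="whatsapp://send?text=Campaign%20message%20here%20https%3A%2F%2Fexample.invalid%2Fpromo">Share with your WhatsApp contacts</a>
</div>
<script src="jquery.min.js"></script>
<script>
  // Answers only drive the UI: hide the current question, reveal the next one.
  $('.yes, .no').on('click', function () { $(this).closest('div').hide().next().removeAttr('hidden'); });
</script>
</body></html>`;

// WhatsApp share entry points that hand a pre-filled message to the real app.
const SHARE_LINK_RE =
  /href=["']((?:whatsapp:\/\/send|https?:\/\/(?:api\.whatsapp\.com\/send|wa\.me\/?))[^"']*)["']/gi;

// Client-side channels a page would need in order to send the user's input anywhere.
const EXFIL_SINKS = [
  { name: 'fetch()', re: /\bfetch\s*\(/ },
  { name: 'XMLHttpRequest', re: /XMLHttpRequest/ },
  { name: 'jQuery ajax', re: /\$\.(?:ajax|post|get|getJSON)\s*\(/ },
  { name: 'navigator.sendBeacon', re: /sendBeacon\s*\(/ },
  { name: '<form> with action', re: /<form[^>]*\baction\s*=/i },
  { name: 'WebSocket', re: /new\s+WebSocket\s*\(/ },
];

// Returns every WhatsApp share link in the page together with its decoded `text` payload,
// which is the message the victim's contacts would receive.
function extractShareLinks(html) {
  const links = [];
  for (const m of html.matchAll(SHARE_LINK_RE)) {
    const url = m[1].replace(/&amp;/g, '&'); // undo HTML entity encoding inside href
    let message = null;
    const q = url.indexOf('?');
    if (q !== -1) {
      message = new URLSearchParams(url.slice(q + 1)).get('text');
    }
    links.push({ url, message });
  }
  return links;
}

// Names of exfiltration channels present in the page source (empty if none are found).
function findExfilSinks(html) {
  return EXFIL_SINKS.filter((s) => s.re.test(html)).map((s) => s.name);
}

// Combine both checks. A page with a share link and no sink matches the post's description:
// it only propagates itself. Anything else deserves a closer look (obfuscated JS, iframes,
// redirects to a second-stage page are not covered by this quick pass).
function triage(html) {
  const shareLinks = extractShareLinks(html);
  const sinks = findExfilSinks(html);
  const verdict = sinks.length === 0 && shareLinks.length > 0 ? 'propagation-only' : 'inspect further';
  return { shareLinks, sinks, verdict };
}

console.log(JSON.stringify(triage(SAMPLE_HTML), null, 2));
```

Run it with `node` against the sample, or replace `SAMPLE_HTML` with the saved page source. A `propagation-only` verdict only means this static pass found no client-side channel for the answers; it says nothing about what the server logged when the link was opened, which it could do from the request alone.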