Cyber-attacks are now targeting Indian e-commerce users with a ‘year-end carnival, get free Christmas gifts!’ scam, according to an investigation conducted by CyberPeace Foundation.

According to the report, the scam is designed to cash in on the festive fervour and to dupe e-commerce users into thinking that they can win brand new OPPO F17 Pro (Matte Black, 8GB RAM, 128GB Storage) smartphones.

While the new scam bears many similarities to the Spin the Lucky Wheel Scam reported by CyberPeace Foundation earlier, it also aims to inject malware into users’ smartphones by asking people to install a third-party malicious app.

The report suggested that the scam is new and is in the early stages of its lifecycle. It also speculated that the scam could reach a large number of Indians by December 31 and could last well until the first week of January.

The report said: “Flipkart’s year-end carnival was last announced in December 2018. In 2020 we did not find any information regarding the year-end carnival on its official website.

“The owner of the sites being shared via the social media platform is not Flipkart Internet Pvt Ltd. On the basis of our investigation and extracted information, it seems that the sites are registered from the region of China.”

How does the new scam work?

Unlike the Spin the Wheel scam, the format for selecting winners is different this time. The landing page has a lucky draw section. On clicking the start button, it says ‘It’s a pity that you didn’t get the reward, you have 2 more chances’ with an alert.

Also, the bottom of this page has a section which appears to be a Facebook comment section where many users have commented about how beneficial the offer is. All these comments and accounts are fake, according to the investigation.

The investigative report noted that the ‘Year-end carnival, Get free Christmas gifts!’ scam is a more malicious version of earlier e-commerce scams as it aims to keep users engaged with fake pop-up alerts. Every time a user clicks on the WhatsApp button on the scam website to share the link with friends and family, a new tab with the WhatsApp link opens in the browser.

This means that if the user clicks on the link from a mobile device, it will open the installed WhatsApp application on the phone.

The report added: “We have also noticed an alert message that says ‘Sharing failed! The same group or the same friend is not correct. Please check and share again’. After clicking on the green download app button, it redirects the user to a suspicious link. All domains are registered in Guangdong province.”

How to recognise the attacks?

The report points out that, unlike the pages of big-brand organisations, such malicious webpages contain grammatical mistakes.

Further, big e-commerce entities hold offers on their respective official websites.

In a statement, the President and Founder of CyberPeace Foundation, Vineet Kumar, said: “There is a need for International Cyber Cooperation between countries to bust criminal networks running fraud campaigns affecting individuals and organisations, to make cyberspace resilient and peaceful.”

He added: “With the growing number of attacks and disruption in cyberspace, countries are struggling with attributing attacks and fixing accountability, which is one of the major causes of concern today.”