Yet Another Phishing Scam Attack In Finland

I promise you, you will not be ready for the end of this write-up.

Aino Virtanen, whoever he or she is, decided to help parents with a sponsored Facebook post informing them of free baby strollers from the brand Bugaboo, claiming that the company is withdrawing its products from the Finnish market and will be giving the strollers away. Now, since Aino, a concerned Finn (or whatever this person's nationality is), decided to take a small compensation of 2 euro for whistleblowing, as shown in the screenshot below, victims wouldn't mind paying that; after all, 2 euro cannot buy you a stroller.

Aino has good intentions, said the 'almost-victim' of this well-calculated and orchestrated SCAM-A-THON. I immediately dialed my good friend and brother Adegbola Adeleye, who is a pro at demystifying scam links and tracing them back to their originating roots.


Excerpts from the Facebook phishing scam.

About the URL

We defanged the URL so that you lot would not mistakenly click on the link. The real link is visible in the picture above.

hxxps[://]special-promo[.]store/bugaboo[.]fi

The domain name, also known as the human-readable name, is special-promo[.]store, with /bugaboo[.]fi as the URL path: the brand name appears only after the slash, not in the domain itself.

We then looked up Bugaboo's real website domain name to compare the two, and here's what we found.

https://www.bugaboo.com/fi-en


This one isn't defanged because Bugaboo is a real company, so feel free to click if you want to patronize them. NB: Bugaboo did not sponsor this post; I just want to clear their name from the scam as a responsible citizen.
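As an added example (not part of the original article), here is a small Python helper that refangs a defanged indicator, splits it into host and path, and compares the registrable domain with the brand's real one. The defanged URL and the brand domain www.bugaboo.com are the ones quoted above; the "last two labels" registrable-domain rule is an assumption that holds for .store and .com but not for multi-part suffixes such as .co.uk.

```python
import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a parseable URL (for analysis, never for clicking)."""
    url = re.sub(r"^hxxp", "http", indicator, flags=re.I)
    return url.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Inverse of refang, producing the hxxps[://]host[.]tld style used in this write-up."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I).replace("://", "[://]")
    return url.replace(".", "[.]")


def registrable_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. True for
    # special-promo.store and bugaboo.com; a public-suffix list is needed for co.uk-style TLDs.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(defanged_url: str, brand: str, brand_domain: str) -> dict:
    """Classify a URL against the brand it claims to represent."""
    parts = urlsplit(refang(defanged_url))
    host = (parts.hostname or "").lower()
    path = parts.path
    brand = brand.lower()
    own_domain = registrable_domain(brand_domain)
    reg = registrable_domain(host)

    brand_in_host = brand in host
    brand_in_path = brand in path.lower()

    if reg == own_domain:
        verdict = "brand's own domain"
    elif brand_in_host or brand_in_path:
        # The brand name is present, but the registrable domain is something else:
        # a classic lookalike, here with the brand name pushed into the path.
        verdict = "brand name on an unrelated domain (lookalike)"
    else:
        verdict = "unrelated domain"

    return {
        "host": host,
        "path": path,
        "registrable_domain": reg,
        "matches_brand": reg == own_domain,
        "brand_in_path_only": brand_in_path and not brand_in_host,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for url in ("hxxps[://]special-promo[.]store/bugaboo[.]fi", "https://www.bugaboo.com/fi-en"):
        print(defang(refang(url)), "->", analyze(url, "bugaboo", "www.bugaboo.com")["verdict"])
```

The check that matters is `matches_brand`: a lookalike can put the brand name anywhere in the host or path, but only the registrable domain decides who actually controls the site.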

I decided to check the SSL certificate to see how long this site has been up and how long it has to live, and I found that it has 3 months of validity, as shown below. What this means is that the hosting will be down when it expires.
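The certificate check described above, as an added Python example that is not part of the original article. `fetch_cert` pulls the leaf certificate in the same dict shape `ssl.SSLSocket.getpeercert()` returns (a live network call, to be run from an isolated analysis box), and `cert_lifetime` turns it into the numbers an analyst wants. One caveat worth keeping in mind: 90-day certificates are the default for automated CAs such as Let's Encrypt and are renewed automatically, so a short lifetime says little about when the site will go down; the notBefore date, on the other hand, does bound how recently the certificate (and usually the site) was set up. The sample certificate and the domain phish.example are constructed, not data observed on the scam site.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate as the dict returned by getpeercert(). Live network call."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def parse_cert_time(value: str) -> int:
    """Parse the 'Jan  5 09:34:43 2018 GMT' format used in getpeercert() output."""
    return ssl.cert_time_to_seconds(value)


def cert_lifetime(cert: dict, now_ts=None) -> dict:
    """Summarise the validity window, remaining days, issuer and covered names."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    lifetime_days = (not_after - not_before) / 86400
    return {
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
        "lifetime_days": lifetime_days,
        "days_remaining": (not_after - now_ts) / 86400,
        # 90-day lifetimes are standard for automated CAs and are auto-renewed, so this flag
        # means "issued by an automated pipeline", not "the site dies in 90 days".
        "short_lived": lifetime_days <= 90,
        "issuer": {k: v for rdn in cert.get("issuer", ()) for k, v in rdn},
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


# Constructed sample in getpeercert() shape (assumption: not observed on any real host).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Oct  1 00:00:00 2024 GMT",
    "notAfter": "Dec 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "phish.example"), ("DNS", "*.phish.example")),
}

if __name__ == "__main__":
    print(cert_lifetime(SAMPLE_CERT))
    # For a live host: print(cert_lifetime(fetch_cert("example.com")))
```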



The Attack (Social Engineering)

Here's what happens when the link is clicked. The domain name changes to super-dell-price[.]pro. This domain is used to collect information about the visitor's IP address. I found that it has a drive-by download and that it logs the user's IP and activity. What I didn't find out is whether it installs a keylogger on the device, which is why I used my dead iPhone 6s as the lab rat to bring you this content.


The phishing website


It still kept the same domain; however, it goes on to ask you 3 absolutely irrelevant questions and confirms that your answers are correct. There's a twist below, where they staged a fake review from a beneficiary named "Magic Tile". I am unsure about the gender of Magic, who might be a lady, a man, non-binary, or two-spirit. The fact is, they were too lazy to create a realistic catfish. Talking about catfish, we will find out who Aino really is at the end of this piece.

The phishing website

They make you select a random gift box, and if you select one that contains a stroller, you see this.

The phishing website

It gets interesting below, when they start to tilt towards the real reason for the scam.


The phishing website

Credential Harvesting

At this point, they switched the domain name to giftingshow[.]com, where they host the "secure payment" page that harvests your personal details, including your bank card credentials.

The phishing website


OSINT [OPEN SOURCE INTELLIGENCE]

Up until this point, the "almost-victim" still held that it wasn't a scam, because the website looked real and almost professional. I decided to start by figuring out who Aino really is.

I started with a reverse image search to narrow down the real owner of the profile picture, as I am sure that isn't Aino. Meanwhile, the Facebook account has 0 followers and 0 following. However, the "almost-victim" didn't care about that. Here's what the reverse image search gave me.


Reverse image search

I had two hits, Shaun Fishman and Josiah Duggar, neither of which has anything to do with Finnish names, let alone Aino Virtanen. I tried running Shaun Fishman through a plain Google search, and I found a young man who looks nothing like the guy in the Facebook profile.


Google image search

So, Shaun has nothing to do with this scam.

Next

I decided to use traceroute to get information on the IP path and to see whether the subnets along the route revealed anything useful.

Traceroute info


I also mapped their network using nmap to see which ports are open and which services are exposed.

Nmap info

Normally, I would find my way to infect the host with malware, which would temporarily disrupt their activities while they move on to create a new phishing link. But hey! Where is the fun in that? This time I decided to just leave it in the hands of law enforcement agencies.


VirusTotal Scan

I went on to check VirusTotal, which aggregates scanner verdicts on domains and URLs. Surprisingly, I found just one hit.

VirusTotal

I moved on to check the details of the FQDN (Fully Qualified Domain Name), and found the serving IP address in the process.


VirusTotal

We weren't satisfied, so we decided to use Amass to enumerate the subdomains and public-facing IPs, as well as the whole route. Here's what we found.


Amass tool


I used nmap again to establish which ports are open, but this time I scanned the public-facing IP address. Here's what I found.


Nmap tool

Curious to know where this IP is located, I ran a search on ipstack and found this. Of course, we took the information with a pinch of salt. There is a lot one could do with these open ports, but then again, we let the law take its course.

ipstack

Adegbola Adeleye's Section

More Technical Review

Device-Specific Targeting

Phishing sites often detect the type of device or browser a visitor is using (via User-Agent headers) and serve different content accordingly:

On computers: they might display a fake website tailored for desktop users, potentially mimicking a desktop-like shopping site or promotion.
On iPhones (Safari): the site might serve a mobile-optimized version of the fake site, or even entirely different content to better mimic the mobile apps or interfaces that users expect on iPhones.

To safely investigate how a website behaves differently on a desktop browser vs an iPhone browser, you can emulate the iPhone's Safari browser using browser developer tools. Here's a step-by-step guide for Chrome (the process is similar in other browsers like Firefox or Edge):

Emulating iPhone Safari in Chrome:

Open the Site in Chrome:
Navigate to the website you want to inspect in your Chrome browser (e.g., hxxps://special-promo[.]store/bugaboo[.]fi).

Open Developer Tools:

Right-click anywhere on the page and select Inspect, or press F12, Ctrl + Shift + I (Windows/Linux) or Cmd + Option + I (Mac) to open the Chrome Developer Tools.

Activate Device Emulation:

In the developer tools, click the Toggle device toolbar button (it looks like a smartphone and tablet icon) or press Ctrl + Shift + M (Windows/Linux) or Cmd + Shift + M (Mac).

This will show the site in a mobile device view and allow you to select specific devices to emulate.        

Select iPhone Model:

At the top of the device emulation bar, there will be a dropdown menu where you can choose different devices. Select an iPhone model (e.g., iPhone X, iPhone 12, etc.).

Chrome will now emulate the display, screen size, and behavior of an iPhone.        

Check the User-Agent:

In the developer tools, go to the Network tab.

Refresh the page to reload the website.

Look for the request made to load the site (usually the first request) and click on it.

In the Headers section, you can find the User-Agent string. This represents the browser's identity. For example, an iPhone User-Agent might look like:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1

Compare the Responses:

Observe how the website renders in both emulation mode (with iPhone Safari) and in your regular desktop view.

You can also right-click on the page, inspect elements, and check the differences in CSS or JavaScript, as some sites are known to dynamically change based on the detected User-Agent.        

Optional: Use Browser Extensions for More Flexibility

If you'd like more control or easier switching between device emulation, you can use browser extensions like User-Agent Switcher for Chrome. This allows you to manually change the User-Agent string without relying on the developer tools' emulation.


Why This Works:

Websites may detect your browser or device type using the User-Agent string sent with each HTTP request. By emulating an iPhone, you are tricking the website into thinking you are accessing it from an iPhone.        
Some websites may provide different content, layouts, or behavior based on the device type, and inspecting the User-Agent can help you understand what might be triggering the difference.        
This approach helps you analyze how the site changes based on the device type and can give insight into any hidden content or altered behavior due to mobile-specific scripts.        
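The same comparison can be scripted so that the two variants are fetched side by side and diffed on the features that matter (external scripts, form targets, client-side redirects) rather than eyeballed in DevTools. This is an added Python example, not tooling from the article or its authors: the iPhone User-Agent is the string quoted above, the desktop User-Agent is a constructed Chrome-on-Windows value, `fetch_as` is a live request to be run from an isolated analysis box, and the two sample HTML bodies (with the placeholder hosts checkout.example.test and step2.example.test) are constructed stand-ins for the server's desktop and mobile responses.

```python
import hashlib
import re
import urllib.request

# Assumption: the iPhone string is the one quoted in the article; the desktop string is constructed.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def fetch_as(url: str, user_agent: str, timeout: float = 10.0):
    """Fetch a page with a chosen User-Agent; returns (final_url, body). Live network call."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def summarize(html: str) -> dict:
    """Reduce a page body to the features that reveal device-specific cloaking."""
    return {
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest()[:16],
        "length": len(html),
        "scripts": sorted(set(re.findall(r'<script[^>]*\bsrc=["\']([^"\']+)', html, re.I))),
        "forms": sorted(set(re.findall(r'<form[^>]*\baction=["\']([^"\']+)', html, re.I))),
        "redirects": sorted(set(re.findall(
            r'location\.(?:href|replace)\s*[=(]\s*["\']([^"\']+)', html, re.I))),
    }


def compare_variants(desktop_html: str, mobile_html: str) -> dict:
    """Report what the mobile variant loads or submits to that the desktop variant does not."""
    d, m = summarize(desktop_html), summarize(mobile_html)
    return {
        "identical": d["sha256"] == m["sha256"],
        "mobile_only_scripts": sorted(set(m["scripts"]) - set(d["scripts"])),
        "mobile_only_forms": sorted(set(m["forms"]) - set(d["forms"])),
        "mobile_only_redirects": sorted(set(m["redirects"]) - set(d["redirects"])),
        "desktop": d,
        "mobile": m,
    }


# Constructed sample bodies standing in for the two server responses (not captured content).
DESKTOP_SAMPLE = """<html><body><h1>Promotion ended</h1>
<script src="/static/app.js"></script></body></html>"""
MOBILE_SAMPLE = """<html><body><h1>Claim your stroller</h1>
<script src="/static/app.js"></script><script src="/track.js"></script>
<form action="https://checkout.example.test/pay" method="post">...</form>
<script>if (navigator.userAgent.match(/iPhone/)) location.href = "https://step2.example.test/";</script>
</body></html>"""


def demo() -> dict:
    return compare_variants(DESKTOP_SAMPLE, MOBILE_SAMPLE)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
    # Live use: compare_variants(fetch_as(URL, DESKTOP_UA)[1], fetch_as(URL, IPHONE_UA)[1])
```

A non-empty `mobile_only_forms` or `mobile_only_redirects` list is the signal worth chasing: it tells you which domains the mobile victim is actually sent to, which is what you hand to the hosting provider, Cloudflare, or law enforcement.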

Ladies and gentlemen, if you made it here, just click on the subscribe button; don't be mean! Meanwhile, if you don't, I will know, and I will be watching.

#Cybersecurity #Phishing #Staysafe #SocialEngineering #Scam #DomainNameServer #Employment #Recruiters #Beware #LinkedIn

Summary

The domain special-promo.store resolves to two IP addresses:

172.67.164.20 

104.21.57.137

These IP addresses are part of two netblocks:

172.67.0.0/16 (owned by Cloudflare)

104.21.48.0/20 (also owned by Cloudflare)

The infrastructure is managed by Cloudflare, as indicated by the ASN 13335.

Implications

This phishing site (special-promo.store) is likely using Cloudflare for hosting or DDoS protection.

The IP addresses and netblocks indicate that the phishing site is hiding behind Cloudflare’s infrastructure, which makes it harder to pinpoint the origin server.
