An Adidas phishing campaign is offering potential victims a “free” $50 per month subscription via all under the promise of free shoes.
Threat attackers lure victims with a message suggesting Adidas is giving away 2,500 pairs of shoes to celebrate its 69th anniversary and a homographic link spoofing the appearance a legitimate Adidas website albeit a vertical line with no dot in place of where the “i” would be.
Other brands using similar lures and URL spoofs were also exploited in the malicious campaign.
Researchers described the attack as appearing fairly well structured and noted its geolocation-based redirections and the checks made to ensure requests are made from a mobile device such as a smartphone.
If a victim's computer passes the mobile device test the website then obtains geolocation data for the visitors IP address. If a visitor doesn't come from Norway, Sweden, Pakistan, Nigeria, Kenya, Macau, United States, Netherlands, Belgium, or India the Adidas phishing scheme leaves the starting block.
Victims are then directed to a four-question survey that will inform the victim they are “qualified” to get a free pair of shoe regardless of how they respond, although users are told they must share the offer to their friends on WhatsApp to collect their prize.
Despite the claims, there is no way for the page to know if a user shares the app and the next redirect will take a user to answer a few more questions for their new pair of shoes worth $199. Victims are then redirected to answer a few obvious questions and are instructed to claim their new shoes for $1, a slight mark up from the initial free offering.
Finally, users are redirected to a known scam domain where they are instructed to enter their payment information. In the footer of the following page, there is a message informing the user that their account will be charged $50 per month if they don't cancel their account after seven days. The payment message itself is also misleading as it says “free trial organizejobs[.]net” despite the reoccurring fee.
In the end, victims who have fallen for the scam never receive the promised shoes and are left with recurring charges until they resolve the issue.
Researchers urge users to be on the lookout for these types of scams and not hesitate to report them.