Phishing scam aimed at Flipper Zero India enthusiasts

Executive Summary

The Shreshta threat intelligence team has uncovered a phishing scam aimed at enthusiasts in India who are interested in buying a Flipper Zero.

Do you believe threat actors limit their focus solely to non-technical users? Think again! The infosec community and enthusiasts are also excellent prey.

Exactly a year ago, BleepingComputer reported on a similar phishing scam aimed at Flipper Zero enthusiasts.

The shortage of Flipper Zero devices has encouraged threat actors to exploit the situation by creating phishing campaigns. The economics of supply and demand play an essential role in cybercrime.

This shows that threat actors do not limit their campaigns to the average Internet user; they also target infosec and technical users.

About Flipper Zero

Flipper Zero is a portable Tamagotchi-like multi-functional device developed for interaction with access control systems.[1] The device is able to read, copy, and emulate RFID and NFC tags, radio remotes, iButton, and digital access keys, along with a GPIO interface.

Motive

We can share with moderate confidence that the motive of the threat actors is to harvest the Personally Identifiable Information (PII) of the user, specifically, the user’s name and address and their credit card details.

Aside from the financial motive, the PII of users can be sold on the dark web.

Technical analysis

The phishing scam website is powered by Shopify.

Figure 1 – The home page of the phishing website


The phishing scam website contains links to the official Flipper Zero website, to make it appear legitimate.
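The traits described above (a Shopify-powered storefront on an unofficial domain that uses the brand name and links to the official site) can be combined into a simple triage check. This is an added example, not code from the original report; the official domain flipperzero.one, the Shopify host names, the indicator labels, and the sample page and host are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example, not values from the report:
OFFICIAL_DOMAINS = ("flipperzero.one",)               # brand's own domain
SHOPIFY_HOSTS = ("cdn.shopify.com", "myshopify.com")  # Shopify asset/store hosts
BRAND_TERMS = ("flipper zero",)

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

class Collector(HTMLParser):
    """Collects hosts referenced via href/src and the page's text."""
    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                try:
                    host = urlparse(value).hostname  # None for relative URLs
                except ValueError:
                    continue
                if host:
                    self.hosts.add(host.lower())
    def handle_data(self, data):
        self.text.append(data.lower())

def triage(page_host, html):
    """Return the indicators that fire for a page served from page_host."""
    if any(in_domain(page_host.lower(), d) for d in OFFICIAL_DOMAINS):
        return []  # the brand's own site is out of scope
    page = Collector()
    page.feed(html)
    text = " ".join(page.text)
    hits = []
    if any(term in text for term in BRAND_TERMS):
        hits.append("brand-name-on-unofficial-host")
    if any(in_domain(h, d) for h in page.hosts for d in OFFICIAL_DOMAINS):
        hits.append("links-to-official-site")
    if any(in_domain(h, s) for h in page.hosts for s in SHOPIFY_HOSTS):
        hits.append("shopify-hosted-storefront")
    return hits

# Constructed sample page, for illustration only.
SAMPLE_HTML = """<html><head><title>Flipper Zero India - Buy Now</title>
<script src="//cdn.shopify.com/s/files/theme.js"></script></head>
<body><a href="https://flipperzero.one/">Official site</a>
<a href="/cart">Cart</a></body></html>"""
```

Calling `triage("flipper-store.example", SAMPLE_HTML)` returns all three indicators. A genuine reseller running on Shopify would trip the same checks, so the result is a prompt to research the seller, not a verdict.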

Availability of Flipper Zero in India

The availability of an item plays an important role in the economics of supply and demand. Unfortunately, if you are based in India, the official distributors do not ship the Flipper Zero to India.

This gives threat actors an opportunity to set up fake stores and phishing scam websites supposedly selling the items.

Flipper Zero device available for purchase on the phishing scam website

Figure 2 – The user is redirected to another page when they click on the product.


Flipper Zero enthusiasts and infosec users the primary target

Figure 3 – Shopping cart of the phishing website

The website displays the selected product and the total amount.

Figure 4 – Clicking checkout prompts the user for their personal information and credit card details.

Harvesting credit card details

Figure 5 – After entering false details, it displays an error stating that the card details couldn’t be verified.

Figure 6 – Clicking on Google Pay, the website prompts the user for their personal and credit card details.

Safety Recommendations

  1. Purchase products directly from the official website of the brand or from recommended authorized retailers
  2. Research the seller before purchasing the product
  3. Be cautious of purchasing products from websites offering prices significantly lower than those on the official website, or offering free devices.
  4. If you become a victim of cybercrime, particularly financial crime, call the national (India) cybercrime helpline 1930 or file a complaint at https://cybercrime.gov.in/ 
  5. Shreshta Protective DNS blocks phishing, malware, newly registered domain names and other malicious communication in real-time. For enterprises, please email info@shreshtait.com for a free 30-day trial. 

Conclusion

By using Shopify as the store front for the phishing website, the threat actor has replicated the legitimate Flipper Zero website design and feel.

While the Flipper Zero device is back in stock, the official distributors of Flipper Zero do not ship the device to all countries. This creates an opportunity for threat actors to launch phishing campaigns targeting infosec users and enthusiasts interested in purchasing a Flipper Zero.

We reached out to the Flipper Zero staff and have reported the phishing website.

