Snapchat Ads: The New Frontier for Scammers (Part 1)

An in-depth analysis reveals the extensive use of Snapchat's advertising network to perpetrate large-scale Chinese-affiliated scams, exploiting unsuspecting victims for significant financial gain.


This report will detail how Snapchat's advertising platform is being actively utilised by Chinese-speaking scammers. It will also break down their massively sophisticated "task" scamming operation that utilises well-established tech stacks, psychology and a determined team of scammers to drain victims for thousands of dollars.

It will also draw attention to the fact that advertising platforms perform little to no due diligence in their efforts to stop the exploitation of their advertisement platforms for nefarious acts (refer to the OneVanilla scams of 2018-2019).

This part of the article will document the scam. It will not cover the finances or the individuals behind the scam. It is purely to document the active task scamming campaign that utilises Snapchat's advertising network so this information may be forwarded to Snapchat.

TL;DR

1.) Advanced task scam network supported by Snapchat's advertisement network.

2.) The victim performs trivial tasks to earn commission on the Agent's account with a fake balance.

3.) The agent convinces the victim that the deposit is legit through fake crypto exchange withdrawals.

4.) The victim gets hooked and scammers use a fake group to further encourage the user to deposit.

5.) The victim then deposits to earn their commission after their balance becomes negative and is either inevitably scammed or led along to deposit more until the network goes dark.

The Snapchat "advertisement"

The initial focus of the report is on the poorly constructed "work from home, remote jobs making $800 a week" ads. These fraudulent advertisements are posted on Snapchat using a technique common among cybercriminals known as cloaking. Server-side code on the landing page decides whether to redirect a visitor based on conditions such as a Snapchat referrer, geolocation data, or browser fingerprinting, so that a reviewer fetching the URL sees a harmless page while targeted users are redirected.
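As an added example (not tooling from the report), the check an ad-review or abuse team would run against a landing URL: fetch it under several visitor profiles and flag it when the final destination differs. The `fetch` callable, the profile names and the `.invalid` hosts are assumptions; the two stub sites are constructed stand-ins so the code runs offline.

```python
"""Cloaking check for ad landing pages.

Added example, not the report's tooling.  A cloaked landing page sends visitors
to different destinations depending on Referer, country or browser fingerprint.
The check fetches one URL under several visitor profiles and flags it when the
final destination host differs between them.  `fetch` is a hypothetical injected
callable so the logic runs offline; a live run would wrap
requests.get(url, headers=profile.headers, allow_redirects=True) and return r.url.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit

@dataclass
class Profile:
    name: str
    country: str                                   # country the crawl node sits in
    headers: Dict[str, str] = field(default_factory=dict)

# Profiles a moderation crawl would use: the ad click as a targeted Snapchat
# user makes it, plus two reviewer-style fetches that a cloak is built to fool.
PROFILES: List[Profile] = [
    Profile("snapchat_user_gb", "GB", {"Referer": "https://www.snapchat.com/",
                                       "User-Agent": "Mozilla/5.0 (iPhone)"}),
    Profile("reviewer_no_referer_gb", "GB", {"User-Agent": "Mozilla/5.0 (iPhone)"}),
    Profile("reviewer_desktop_us", "US", {"User-Agent": "Mozilla/5.0 (X11; Linux)"}),
]

Fetch = Callable[[str, Profile], str]              # returns the final URL after redirects

def check_cloaking(url: str, fetch: Fetch, profiles: List[Profile] = PROFILES) -> dict:
    """Crawl `url` under each profile; flag it when the final hosts disagree."""
    hosts = {p.name: urlsplit(fetch(url, p)).netloc for p in profiles}
    return {"cloaked": len(set(hosts.values())) > 1, "destinations": hosts}

def stub_cloaked_site(url: str, profile: Profile) -> str:
    """Constructed stand-in for the landing page the report describes: only a GB
    visitor arriving from Snapchat is bounced to the recruitment form; everyone
    else is shown the 'established business' front page."""
    if "snapchat" in profile.headers.get("Referer", "") and profile.country == "GB":
        return "https://form.example-scam.invalid/apply"
    return url

def stub_honest_site(url: str, profile: Profile) -> str:
    """Constructed stand-in for a site that treats every visitor the same."""
    return url

if __name__ == "__main__":
    print(check_cloaking("https://landing.example.invalid/", stub_cloaked_site))
```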

[Video, 0:20]

Take notice of the URL at the bottom of the advertisement. As you see in the video it is redirected quickly to the WhatsApp form. The Snapchat advertisement moderation team are oblivious to the scam site being added to their advertisement pool.

The site appears to be an established business with a physical address in the UK if it is to be believed.

However, a basic investigation into the site reveals that the administration panel of the website suggests an affiliation with Chinese entities.

It does not take much due diligence to detect that this site is simply a funnel to get potential scam victims hooked via a Snapchat advertisement.

[Video, 0:17]

Another one of the advertisements that can be seen uses the same method of redirecting the user to the WhatsForm.

[Video, 0:02]

It is highly concerning to see the amount of fraudulent advertisements that are present on Snapchat's advertisement pool.

Introduction process

Once the form was filled in, it sent a message to what appeared to be an agent funnel, from which the lead was assigned to one of a batch of scamming networks. A scammer would then contact you and give a brief overview of their "job".

The whole point of the "tasks" or "the job" is to make depositing your own money seem reasonable: a very sophisticated website is designed to hook you psychologically by making you think you have earned a commission for every task you complete.

Scam

The scam operates by misleading individuals into believing that they have been "hired" by a legitimate company (in our case Marks and Spencer) to help improve the ratings of various products. Victims are led to think that their role involves purchasing products through the scammer's platform, posting reviews, and then receiving a commission for these activities. They are further enticed by the illusion that their assigned agent has deposited significant funds themselves to facilitate larger purchases, promising higher commissions in return.

Step 1 - Introduction

The victim is introduced to the platform and is told that they can use the agent's account and earn a commission on their account. The victim takes advantage of their agent's account because they have "deposited" a significant balance and thus are rewarded with the larger "packages".

The image above shows the order task form

Step 2 - Complete tasks

The victim completes trivial tasks until they get stuck on a high-value order, at which point they inevitably tell the agent that they cannot complete it because the account does not have enough balance and its balance is frozen.

Step 3 - Observe the fake top ups

The agent then asks the victim to contact support for a top-up address and sends a fake screenshot of a deposit to the address the support agent provides. This is done to trick the victim into thinking that the deposits are legitimate.

This is the faked screenshot; note that the agent had even changed their phone's clock to match the victim's.
No transfer to that address occurred at any time when cross-referenced with the withdrawal screenshot.

Step 5 - Complete the day's tasks

Once the victim has completed both of the high-value orders, they will have netted around $90 of earnings, which the agent deposits into their account. The agent then gives instructions on how to withdraw it, but, as expected, the account requires a balance of over $100 to withdraw. The victim is told to wait until tomorrow to complete more tasks.

Step 6 - FOMO

In the meantime, they are invited to a group chat where other "employees" are chatting and giving advice. In truth, these interactions are attempts to manipulate the victim into thinking that numerous users are earning significant amounts for easy tasks, and that the victim is missing out.

All of the "employees" in the group chat had French names and their profile pictures had been modified to ensure they could not be reverse image searched.

Step 7 - Complete the new tasks

Once the victim starts the tasks the next day, they are suddenly given a "package task" that far exceeds their balance. It is impossible to withdraw the money in the balance at this point as there are "tasks to complete". The agent will then proceed to tell the victim that they must deposit the money into their account to be able to release the funds and complete the tasks.

Once the money is deposited (given it is done through their support agents who send the deposit address) it is then either taken by the scammers immediately or the scammers may opt to entice the user to deposit more by allowing them to withdraw the first batch of earnings. The system would then give them a larger package, thus requiring the user to deposit more.

Technical information

The web application that enabled the scam was a clone of a well-known UK company called Marks & Spencer. The domain was also scarily similar to the legitimate company's.

The team investigated the codebase and it was found to be running Vue.js and funnily enough behind Cloudflare (this is very common for phishing and scamming sites).

If we check the WHOIS record for their domain, we find that it is registered through GName. GName is often associated with phishing and scamming (refer to their Trustpilot reviews); however, since the domain was reported it does seem to have gone dark.

Actors

The first technical clue about where the actors behind this campaign are from is that their so-called "Support Chat" icon carries an HKTVmall watermark, as shown below. HKTVmall is a shopping and entertainment platform in Hong Kong.

We can also look at the codebase for a few more clues about the language of the scam actors.

Pa.props.loadingText={type:String,default:J("加载中...")};
Pa.props.finishedText={type:String,default:J("加载完成")};
so({confirmButtonText:J("确认"),cancelButtonText:J("取消")});

These default strings read "Loading...", "Loading complete", "Confirm" and "Cancel" in Chinese. This points towards the operation being run by Chinese-speaking actors, much like sophisticated phishing panels such as "Darcula", which run on similarly high-level tech stacks.

Login Response

Upon logging into an account on the website, the login endpoint returned a JSON response containing interesting data. On the agent's account the response marks "is_fiction" as true, whereas the victim-created account was marked false.

The response also suggests that the backend is a generic API reused across campaigns: it returns many keys that bear no relation to the task scam at all. Read this great article by Project Black that documents a very similar scam (possibly by the same people).

Here is the response returned in JSON from the login request of the Agent's account:

{
  "code": 200,
  "message": "Success",
  "data": {
    "refresh_token": "",
    "access_token": "",
    "expiration_time": 7200,
    "member": {
      "id": 963699,
      "merchant_id": 133,
      "username": "8169072830",
      "type": 1,
      "nickname": "pz64B_2830",
      "realname": "",
      "head_portrait": "",
      "current_level": 1,
      "gender": 0,
      "qq": "",
      "email": "",
      "birthday": null,
      "visit_count": 2,
      "home_phone": "",
      "mobile": "8169072830",
      "role": 10,
      "last_time": 1714565807,
      "last_ip": "",
      "province_id": 0,
      "city_id": 0,
      "area_id": 0,
      "pid": 963654,
      "level": 4,
      "promo_code": "2521671",
      "tree": "tr_0 tr_1 tr_888448 tr_963654 ",
      "status": 1,
      "created_at": 1714564060,
      "updated_at": 1714565807,
      "have_password_security": 1,
      "password_security_hash": "$2y$10$fTBSWj/RMZpaXrvK0Bb7IuI/s.U8XF0u228SV1P.3qlVGXpMMfZbK",
      "is_fiction": 1,
      "mobile_code": "44",
      "credit_score": 100,
      "withdraw_status": 1,
      "code_status": 1,
      "account": {
        "id": 954714,
        "merchant_id": 133,
        "member_id": 963699,
        "level": -1,
        "user_money": "535.00",
        "accumulate_money": "525.00",
        "give_money": "10.00",
        "consume_money": "0.00",
        "frozen_money": "0.00",
        "user_integral": 0,
        "accumulate_integral": 0,
        "give_integral": 0,
        "consume_integral": "0.00",
        "frozen_integral": 0,
        "status": 1,
        "task_bonus_amount": "0.00",
        "team_bonus_amount": "0.00",
        "withdraw_total": "0.00",
        "bonus_amount": "0.00"
      },
      "memberLevel": {
        "id": 550,
        "merchant_id": 133,
        "level": 1,
        "name": "VIP0",
        "money": "100.00",
        "check_money": 0,
        "integral": 0,
        "check_integral": 0,
        "middle": 0,
        "discount": "10.0",
        "status": 1,
        "detail": "",
        "created_at": 1712934271,
        "updated_at": 1712934271,
        "daily_tasks": 38,
        "pre_order": "1.00",
        "team_num": 0,
        "valid_num": 0
      }
    }
  },
  "timestamp": 1714565807
}
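As an added example (not code from the report), a small triage script that pulls the indicators discussed above out of a captured login response. SAMPLE_RESPONSE is a constructed subset of the fields shown in the JSON above, with the hash replaced by a placeholder in the same format; the function and key names are my own.

```python
"""Triage of a captured task-scam login response.

Added example, not the report's code: it pulls the indicators discussed above
out of the JSON the login endpoint returns.  SAMPLE_RESPONSE is a constructed
subset of the report's response using the same field names; the hash value is a
placeholder in the same $2y$ (bcrypt) format as the real one.
"""
import json
from decimal import Decimal

SAMPLE_RESPONSE = json.dumps({
    "code": 200,
    "data": {"member": {
        "id": 963699, "merchant_id": 133, "pid": 963654,
        "tree": "tr_0 tr_1 tr_888448 tr_963654 ",
        "is_fiction": 1, "mobile_code": "44",
        "password_security_hash": "$2y$10$PLACEHOLDER.not.a.real.hash.value.....",
        "account": {"user_money": "535.00", "accumulate_money": "525.00",
                    "give_money": "10.00", "frozen_money": "0.00"},
        "memberLevel": {"name": "VIP0", "daily_tasks": 38},
    }},
})

def triage_login(raw: str) -> dict:
    """Return the indicators a defender would record from one login response."""
    member = json.loads(raw)["data"]["member"]
    acct = member["account"]
    money = {k: Decimal(acct[k]) for k in ("user_money", "accumulate_money", "give_money")}
    upline = [int(t[3:]) for t in member["tree"].split() if t.startswith("tr_")]
    return {
        # 1 on the agent's account, 0 on the self-registered victim account
        "fictional_account": member.get("is_fiction") == 1,
        # the displayed balance is just two ledger counters added together
        "balance_is_counter_sum": money["user_money"] == money["accumulate_money"] + money["give_money"],
        # a bcrypt hash of the account's security password is handed to the client;
        # it should never leave the server ($2y$ is the variant PHP's password_hash() emits)
        "leaks_password_hash": member.get("password_security_hash", "").startswith("$2y$"),
        # one codebase serving many "merchants" (scam brands) under different ids
        "merchant_id": member["merchant_id"],
        # referral ancestry encoded in "tree"; its last entry is the direct parent (pid)
        "upline_ids": upline,
        "parent_matches_tree": bool(upline) and upline[-1] == member["pid"],
        "dial_code": member.get("mobile_code"),
        "daily_task_quota": member["memberLevel"]["daily_tasks"],
    }

if __name__ == "__main__":
    for key, value in triage_login(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```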

Code Analysis

The code contained every endpoint along with its required parameters, albeit lightly obfuscated. It would be trivial to exploit their API by sending malformed request data to modify your account, however, this is not the purpose of the article and given that the current scam is running rampant across Snapchat it is better to warn others. Below is a dump of all client-side code often used to consume the same API as other Chinese-speaking task scamming campaigns.

Conclusion

The web application was designed to defraud victims through a system that aims to extract the largest possible amount. The scamming operation is multi-layered and well funded, as evidenced by the numerous advertisement campaigns. These task scams were operating on a smaller scale before this report; however, they are now utilising cloaking to draw victims into their abhorrent scams.