Naked Security

Free Virgin Atlantic tickets? No, it’s a WhatsApp scam

Two free tickets for every family? It sounds great! It has to be a scam.

I received a WhatsApp message on Friday that piqued my interest – 2 free tickets on Virgin Atlantic!
Free tickets! For every family!
It had to be a scam.
According to the message, Virgin Atlantic was giving away two free tickets per family in celebration of its 35th anniversary. It sounded far too good to be true and, as any regular reader of Naked Security can tell you, that means it probably IS far too good to be true.
I took a closer look. A much closer look.
The URL looks legit, like it must belong to Virgin Atlantic, right?
Wrong.
Take a closer look and zoom in on the “r” in “Virgin” – see the dot underneath?

viṛginatlantic.com

The “r” is in fact an “ṛ”, which, in the words of Wikipedia:

Ṛ (minuscule: ṛ) is a letter of the Latin alphabet, formed from R with the addition of a dot below the letter. It is used in the transliteration of Afro-Asiatic languages to represent an “emphatic r”.

So, instead of a free luxury holiday we’ve found ourselves a highly deceitful phishing message of the kind usually called smishing when it arrives by SMS (perhaps, since this one came over WhatsApp, we could call it WhatsPhishing or whishing).
I forwarded the message on to my super-secret WhatsApp alias on a test Android device (freshly wiped, with no mobile security installed) and “fell” for the scam by clicking on the link.
The page opens in your phone’s browser and, if you’re eagle-eyed enough, you can see that something’s phishy immediately. This is what the domain viṛginatlantic.com looks like in a Chrome address bar:

www.xn--viginatlantic-jm1g.com

The xn-- at the beginning of the domain tells the browser that the label is encoded using punycode – a way of representing thousands of exotic characters such as ṛ using only the Roman letters A to Z, the digits 0 to 9 and the hyphen (-) character. Every Unicode domain is turned into this ASCII form before it is looked up in DNS; what differs is how each application displays it to you.
WhatsApp decoded the punycode and showed the internationalised version of the domain, but Chrome did not: its IDN display rules refuse to render a label it considers confusable with plain ASCII, so the raw xn-- form is what appeared in the address bar.
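To make the encoding concrete, here is an added Python example (not part of the original article, and not code from WhatsApp, Chrome or Sophos) that converts a domain between its Unicode and xn-- forms, collapses the dotted “ṛ” back to a plain “r” the way a human eye does, and flags the result against a small watch list of brands. The watch list, the sample domains and the two-label “registrable domain” shortcut are assumptions made for the example; it also goes slightly beyond the article by catching cross-script lookalikes (a Cyrillic letter dropped into a Latin name), which the diacritic-stripping check alone would miss.

```python
import unicodedata

# Constructed watch list for this example. A real gateway would load the
# organisation's own brand domains here.
WATCHLIST = {"virginatlantic.com", "rolex.com", "paypal.com"}


def to_ascii(domain: str) -> str:
    """Encode a Unicode domain label by label into its xn-- (punycode) form,
    which is what actually goes to DNS."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain: str) -> str:
    """Inverse of to_ascii: decode every xn-- label back to the Unicode form
    a messaging app would render."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def skeleton(domain: str) -> str:
    """Strip diacritics so 'viṛgin' collapses to 'virgin'. NFKD splits 'ṛ'
    into 'r' + COMBINING DOT BELOW; dropping the combining mark leaves 'r'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def scripts(label: str) -> set:
    """Unicode script names of the letters in a label, e.g. {'LATIN'} or
    {'LATIN', 'CYRILLIC'}. Digits and hyphens are ignored."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def registrable(domain: str) -> str:
    """Simplification (assumption): the last two labels. Production code would
    consult the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.split(".")[-2:])


def inspect_domain(domain: str) -> dict:
    """Return the findings a mail or chat gateway might attach to a URL."""
    unicode_form = to_unicode(domain)
    ascii_form = to_ascii(unicode_form)
    findings = []
    if ascii_form != unicode_form:
        findings.append("contains punycode (xn--) label")
    for label in unicode_form.split("."):
        if len(scripts(label)) > 1:
            findings.append(f"mixed scripts in label {label!r}")
    skel = skeleton(unicode_form)
    if registrable(skel) in WATCHLIST and registrable(unicode_form) != registrable(skel):
        findings.append(f"confusable with watch-listed {registrable(skel)}")
    return {"unicode": unicode_form, "ascii": ascii_form,
            "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the article's domain in the form Chrome showed, the
    # genuine airline domain, and a Cyrillic-'а' lookalike of paypal.com.
    for sample in ("www.xn--viginatlantic-jm1g.com",
                   "www.virginatlantic.com",
                   "p\u0430ypal.com"):
        print(inspect_domain(sample))
```

Running it shows the article's domain round-tripping to exactly `www.xn--viginatlantic-jm1g.com`, with the skeleton `www.virginatlantic.com` matching the watch list. The two checks are complementary: stripping combining marks catches “ṛ” for “r”, while the per-label script count catches a Cyrillic “а” for “a”, which has no decomposition and so survives the skeleton unchanged.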
The page itself is a four-question survey about your previous experiences, and a little PII (Personally Identifiable Information) – your age.
It attempts to lend itself some legitimacy with Virgin Atlantic branding and a collection of fake Facebook comments.
If you fill in the survey, you’re asked to share the WhatsApp message with 20 friends or groups using a handy button. You’re then led to a separate website that tells you “you’re just one step away” and asks for more personal information.
Interestingly, although the scam is in English the code is full of comments like <!-- Button zum Teilen --> (“share button”) that suggest it was created by a German speaker.

What to Do?

Be vigilant! The attack tries to make itself plausible by using a domain name that looks real and by arriving from people you know. Although the version I saw came via WhatsApp, it has also been spotted on Facebook.
Your best defence is a combination of mobile security, such as Sophos Mobile Security for Android or iOS, and a clear understanding that if you get a WhatsApp message, tweet, Facebook post, email or other unsolicited message that seems too good to be true, it probably is.

4 Comments

Thanks for the heads up. I will feel sorry for people who will fall for this. They definitely don’t deserve it but the link itself is very tricky if you don’t pay attention.


About a week ago I received a WhatsApp message claiming that Rolex was celebrating its 113th anniversary and that they were giving away 3100 watches. The L in rolex.com was in punycode.

