Scammers combined Google Ads with Walmart Lists to trick customers into believing they were trafficking druglord money and now have to pay for the imaginary crime.
The scammers devised a malicious ad campaign that abuses Walmart Lists, a service that allows customers to organize a digital shopping list via the web or an app. The cybercrooks impersonated Walmart’s customer service, adding fake phone numbers to the Lists, researchers at Malwarebytes uncovered.
What makes the scam particularly nasty is that by the end of the operation, the victims were convinced their financial accounts were used to launder money and that they were supposed to pay up to avoid getting prosecuted. The criminals achieved this by mixing classic scam features – a sense of urgency and fear – which push victims to act without analyzing the situation.
The scam started with a well-placed Google Ad that popped up after users searched for Walmart’s customer support number. Unless users manually checked “My Ad Center,” the researchers said, there was no way to tell who was behind the ad. Moreover, the ad displayed a legitimate Walmart website address, adding to its credibility.
Unlike most scams, where malicious ad campaigns lead to compromised websites, this one directed victims to a legitimate Walmart website, where Walmart Lists are displayed. Mobile users were particularly exposed, as a phone’s screen size doesn’t show the full URL, meaning that once on the Lists site, the victims would see walmart.com in the browser address bar.
Anyone can create a Walmart List on their account. Lists are meant to be shared among family members to ease the shopping process. Meanwhile, scammers used the site to post supposed “customer service” phone numbers that lead directly to scammers themselves.
People who dialed the number were led to a call center imitating Walmart. First, the operator would ask for customers’ name and email address to supposedly check their identity, setting up the stage for an extortion campaign to start.
Once the caller’s identity was “established,” scammers would explain that a “large purchase was recently made on their account,” immediately putting the caller in distress. Capitalizing on that, scammers would ask for bank details, social number, and other information.
Researchers, who masqueraded as victims and called the scammers, found out that the fake Walmart call center would use several “actors,” pretending to be the Walmart customer service representative, the higher authority or “supervisor,” a fake bank employee and a fake FTC investigator.
“Now, all the banking funds which were created using your personal information are transferring huge amounts of money to the narco trafficking countries such as Columbia, Mexico, some Saudi Arabia countries and Columbia,” the scammers told the researchers.
When researchers tried to push back, scammers turned up the heat, threatening to take them into custody, saying there was an active arrest warrant in their name. Later on, the scammers tried to convince victims they should immediately withdraw as much money from their bank account and transfer them to a bitcoin wallet.
“It’s quite scary to see how anyone can go from wanting to return an item or speak to a Walmart associate, to being falsely accused of crimes and pressured to transfer money. It’s also a reality check that scammers are constantly preying on the vulnerability of innocent people,” researchers said.
To avoid getting tangled in the scammers web, researchers advise to be wary of sponsored Google Ads results, scare tactics, and anyone asking to disclose confidential information.
Your email address will not be published. Required fields are markedmarked