Analyzing a Suspicious HTTPS Link in a WhatsApp Scam Message

🔐 The HTTPS Illusion: Why "Secure" Doesn't Mean Safe

I received this SMS containing an HTTPS link:
   "Important document for you: hxxps[://]oaqdlqnm[.]org/klmWi" (defanged URL)

While the HTTPS padlock might suggest safety, here's why this was still dangerous:

🔍 Technical Breakdown

1. HTTPS ≠ Legitimacy

  • The site had a valid TLS certificate (issued by Let's Encrypt)

  • But domain-validated certificates are free and issued automatically, so scammers use them too

  • Key insight: HTTPS only encrypts traffic in transit; it does not vouch for the site's content or for who operates it

2. Domain Analysis

  • oaqdlqnm.org:

    • Registered hours before the message was sent

    • Random letter sequence (a pattern common to throwaway malware and phishing domains)

    • No legitimate web content
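The three domain indicators above, together with the later takeaway about checking the registration date, can be turned into a repeatable triage step. The Python script below is an added example for this write-up, not the author's tooling: it refangs the defanged URL from the message, scores the second-level label for a machine-generated look (vowel ratio, longest consonant run, entropy) and computes the domain age from a WHOIS creation time. The creation time is a constructed value, since a real check would query WHOIS or RDAP; registrable_label() naively assumes a single-label public suffix such as .org. It runs offline.

```python
"""Triage heuristics for a URL taken from a suspicious message.

Added example for this write-up, not the author's tooling. The WHOIS
creation time is a constructed value (a real check would query WHOIS/RDAP);
registrable_label() assumes a single-label public suffix such as .org.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from math import log2
from urllib.parse import urlsplit

VOWELS = "aeiou"


def refang(text):
    """Turn a defanged URL (hxxps[://]example[.]org) back into a parseable one."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.IGNORECASE)
    return text.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")


def registrable_label(url):
    """Second-level label, e.g. 'oaqdlqnm' for oaqdlqnm.org (naive, not PSL-aware)."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def shannon_entropy(s):
    """Bits per character; higher means less repetition, not by itself 'random'."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    """Share of letters that are vowels; pronounceable names sit well above 0.2."""
    letters = [ch for ch in s.lower() if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def max_consonant_run(s):
    """Longest run of consonants; real words rarely exceed 3 or 4."""
    best = run = 0
    for ch in s.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def domain_age_days(created_at, now=None):
    """Days between the WHOIS creation time and the moment of analysis."""
    now = now or datetime.now(timezone.utc)
    return (now - created_at).total_seconds() / 86400


def triage(defanged_url, created_at, now=None):
    """Return the refanged URL, label metrics and a list of risk indicators."""
    url = refang(defanged_url)
    label = registrable_label(url)
    indicators = []
    if url.startswith("https://"):
        indicators.append("https: transport is encrypted, nothing more is proven")
    if max_consonant_run(label) >= 4 or vowel_ratio(label) < 0.2:
        indicators.append(f"label '{label}' looks machine-generated")
    age = domain_age_days(created_at, now)
    if age < 30:
        indicators.append(f"domain registered {age:.1f} days before analysis")
    return {
        "url": url,
        "label": label,
        "entropy_bits": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio(label), 3),
        "max_consonant_run": max_consonant_run(label),
        "age_days": age,
        "indicators": indicators,
    }


def example_result():
    """Worked run on the message's defanged URL with a constructed WHOIS time.

    'seen' is the Date header from the curl response in the write-up; 'created'
    is a constructed creation time a few hours earlier.
    """
    created = datetime(2025, 4, 3, 9, 0, tzinfo=timezone.utc)
    seen = datetime(2025, 4, 3, 15, 12, 57, tzinfo=timezone.utc)
    return triage("hxxps[://]oaqdlqnm[.]org/klmWi", created, seen)


if __name__ == "__main__":
    for key, value in example_result().items():
        print(f"{key}: {value}")
```

The consonant-run check is the one that fires on this label (a run of six after "oa"), whereas raw entropy on an eight-character string is too coarse to separate it from an ordinary brand name; thresholds like these are a first filter, not a verdict.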

3. Redirect Chain

  1. Initial HTTPS link → hxxps[://]oaqdlqnm[.]org/klmWi (defanged URL)

  2. Redirect → a legitimate WhatsApp group invite link (chat.whatsapp.com)

  3. Group name: "Official Support Channel" (impersonation)

🛡️ Protective Measures I Took

1. Safe Investigation Tools

  • VirusTotal URL scan: 6 of 92 engines flagged it as malicious

  • URLScan.io: revealed 3 redirect hops before landing on WhatsApp

  • Browserling: viewed the site safely in a disposable virtual browser

2. Critical Findings

  • The HTTPS site contained:

    • Click-tracking scripts

    • Browser fingerprinting code

    • A delayed redirect (a 3-second wait, so scanners that capture only the first response miss the final destination)

3. Network Analysis

Command (bash):

  curl -I https://oaqdlqnm.org/klmWi

Response headers:

  Date: Thu, 03 Apr 2025 15:12:57 GMT
  Location: https://chat.whatsapp.com/JF52z9mYpJ13dT7VULgM9H
  Referrer-Policy: unsafe-url
  Server: Caddy
  Status: 308 Permanent Redirect
  X-Content-Type-Options: nosniff
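A single curl -I only shows the first server-side hop (here the 308 and its Location header), while URLScan.io counted three hops and the critical findings above mention a delayed client-side redirect. The Python tracer below is an added example for this write-up, not the author's tooling: it walks a chain one request at a time with automatic redirects disabled, records 3xx + Location hops as well as delayed meta-refresh redirects found in the body, and stops on loops or after a hop limit. It does not execute JavaScript, so its hop count is a lower bound compared with a real browser. live_fetcher() is a minimal assumed helper; the sample responses are constructed and use reserved .invalid hostnames, so the worked run is offline.

```python
"""Follow a redirect chain one hop at a time, without executing any script.

Added example for this write-up, not the author's tooling. Server-side
redirects (3xx + Location) and delayed <meta http-equiv="refresh"> redirects
are recorded; JavaScript redirects are not. live_fetcher() is an assumed
helper; FAKE_RESPONSES below is constructed test data on .invalid hosts.
"""
import http.client
import re
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
# Matches <meta http-equiv="refresh" content="3;url=https://..."> in any quoting style.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["']?\s*(\d+)\s*;\s*url=([^"'>\s]+)""",
    re.IGNORECASE,
)


def live_fetcher(url, timeout=10):
    """One request, no automatic redirect following. Returns (status, headers, body)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"User-Agent": "redirect-tracer/0.1"})
    resp = conn.getresponse()
    body = resp.read(64 * 1024).decode("utf-8", "replace")  # enough to see a <meta> tag
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def next_hop(status, headers, body):
    """Return (kind, delay_seconds, target) for the next hop, or None at the end."""
    if 300 <= status < 400 and "location" in headers:
        return "http", 0, headers["location"]
    match = META_REFRESH.search(body)
    if match:
        return "meta-refresh", int(match.group(1)), match.group(2)
    return None


def follow_chain(url, fetcher=live_fetcher, max_hops=MAX_HOPS):
    """Walk the chain and return one record per hop; stops on loops or max_hops."""
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            hops.append({"url": current, "note": "redirect loop"})
            break
        seen.add(current)
        status, headers, body = fetcher(current)
        hop = {"url": current, "status": status, "server": headers.get("server")}
        step = next_hop(status, headers, body)
        if step is None:
            hops.append(hop)
            break
        kind, delay, target = step
        hop.update(kind=kind, delay=delay, target=urljoin(current, target))
        hops.append(hop)
        current = hop["target"]
    else:
        hops.append({"url": current, "note": "max_hops reached"})
    return hops


def delayed_hops(hops):
    """Hops that wait before redirecting, the 'outlast a quick scan' pattern."""
    return [h for h in hops if h.get("delay", 0) > 0]


# Constructed responses standing in for a lure site: a 308 to a landing page,
# which then moves the visitor on after 3 seconds via <meta refresh>.
FAKE_RESPONSES = {
    "https://lure.example.invalid/klmWi": (
        308, {"location": "https://lure.example.invalid/landing", "server": "Caddy"}, ""),
    "https://lure.example.invalid/landing": (
        200, {"content-type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="3;url=https://chat.example.invalid/INVITE_PLACEHOLDER"></head></html>'),
    "https://chat.example.invalid/INVITE_PLACEHOLDER": (
        200, {"content-type": "text/html"}, "<html>group invite page</html>"),
}


def fake_fetcher(url):
    """Offline stand-in for live_fetcher() backed by the constructed responses."""
    return FAKE_RESPONSES[url]


def example_chain():
    return follow_chain("https://lure.example.invalid/klmWi", fetcher=fake_fetcher)


if __name__ == "__main__":
    for hop in example_chain():
        print(hop)
```

Passing fetcher=live_fetcher (the default) runs the same walk against a real URL; keeping the fetcher pluggable is what lets the chain logic be exercised on recorded responses, which is also how you would replay a capture from URLScan.io.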

🚨 Modern Scam Tactics Revealed

  1. HTTPS as social proof: the padlock tricks users into trusting the link

  2. Multi-stage Filtering:

    • First page filters out security-savvy users

    • Only engaged victims reach the WhatsApp group

  3. Infrastructure Cycling:

    • Domain active for just 48 hours

    • New domains rotated weekly

💡 Security Takeaways

  • HTTPS is now standard, even for malicious sites

  • Check the domain registration date (newly registered = higher risk)

  • Look beyond the padlock: scammers weaponize trust indicators

  • Use intermediary scanners before visiting unknown links

Remember: Looks can deceive. The safest-seeming link is often the deadliest. Think before you click.


Author: Sviatoslav(Simon) | Published on: April 3, 2025, 5:38 p.m.