PrizeBuzz: The .buzz Prize-Scam Phishing Network | PhishEye
PhishEye Research<br>June 15, 2026 · 12 min read
A WhatsApp message says you've won a prize. "Congratulations! Participate in this survey and win E£19,000." It carries a familiar logo — your bank, your telecom, a soft-drink brand — and a link to a slick mobile page that asks four friendly questions before requesting your phone number, a one-time code, and your card details to "claim" the reward.
That page is phishing, and it belongs to a sprawling operation we track as PrizeBuzz: a phishing-as-a-service network that runs one configurable "prize survey" kit across 318 disposable .buzz domains to impersonate roughly 29 brands across the Middle East, Africa, and Latin America. The lure that triggered this analysis impersonated OMT (a Lebanese money-transfer company) on xjxtg.buzz — but OMT is just one face of the kit. The same software clones Coca-Cola, Vodafone, Pepsi, Mercado Pago, Starbucks, Zain, and more, swapping brands from a config file.
Every PrizeBuzz domain is fronted by Cloudflare, distributed over WhatsApp, and engineered to vanish and respawn the moment it is taken down. This report shows how the kit is built, how it clones any brand, how it hides from researchers, the full indicator list for defenders, and what targeted brands should do about it.
At a glance
Name: PrizeBuzz — a .buzz prize-survey phishing-as-a-service kit
Lures: Fake "win a prize / answer a survey" pages stealing phone, OTP, and card data
Scale: 318 .buzz domains enumerated (173 live), ~29 brands impersonated
Lead example: OMT phishing (xjxtg.buzz, prior slot wqbgj.buzz)
Hosting: Cloudflare on every domain (free DNS + reverse proxy + TLS + edge cache)
Registrars: Spaceship, NameSilo (budget, fast registration)
Delivery: WhatsApp (s=wa link parameter) with spoofed link previews
Kit fingerprint: GET /base.json → code: 1100 (brand-agnostic, strongest signal)
The PrizeBuzz lure: a fake prize on a throwaway domain
PrizeBuzz runs the oldest playbook in scam-land — a prize you never entered to win. The victim gets a WhatsApp message with a branded link preview and taps through to a mobile page showing the brand's logo, a "Congratulations!" banner, a photo, and a four-question "survey." Answer the questions, scroll past fake testimonials, and the flow asks for a phone number, a one-time code, and ultimately card or account details to "claim" the prize.
We captured the live OMT page on 2026-06-15. It only renders if you request the tokenized path (/bKLsmXm); request the bare domain as a researcher and the server returns a blank decoy (a 404code… token) — the first hint at how carefully this operation hides.
Figure 1. Two live PrizeBuzz pages — a fake OMT prize survey (left, xjxtg.buzz) and a Coca-Cola version (right, ucdkx.buzz). It is the same kit, recolored and re-captioned from a config file: identical "Congratulations!" header, four-question survey, and E£19,000 prize.
One kit, 29 brands
The most important finding is in Figure 1: the OMT page and the Coca-Cola page are the same software. The layout, the "Congratulations!" header, the four-question survey, the prize amount, the fake comment section — all identical, just recolored and re-worded per brand.
That is because the page is a Vite-built single-page app, not a static HTML form. The HTML you receive is a 4.8 KB shell: a spinner, an empty , and a script bundle. The shell fetches a config file, /base.json, and renders whatever brand, country, currency, and copy that JSON specifies. One codebase impersonates OMT in Lebanon, Coca-Cola across Latin America, and Vodafone across the Arab world, with no code changes — only a different config.
This is what "phishing-as-a-service" means in practice: the brand is a parameter. Swapping victims from a Lebanese money-transfer company to a global beverage giant is a one-line edit, which is exactly why PrizeBuzz sprawls across ~29 brands and 318 domains.
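Because the brand is only a parameter, detection is better keyed on the kit than on any logo. The following is an added example, not PhishEye's tooling: it triages web-proxy records for the signals named in this report (a .buzz host, the s=wa delivery parameter, and /base.json returning code 1100). The record shape, verdict names, and sample bodies are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

KIT_CODE = "1100"  # /base.json "code" value the report gives as the kit fingerprint
RANK = {"buzz-only": 1, "inconclusive": 2, "whatsapp-lure": 3, "kit-confirmed": 4}

def classify(record):
    """Return (host, verdict) for one proxy record, or (None, None) if not .buzz.

    record: {"url": str, "body": str or None}; this record shape is an assumption.
    """
    parts = urlsplit(record["url"])
    host = (parts.hostname or "").lower().rstrip(".")
    if not host.endswith(".buzz"):
        return None, None
    if parts.path == "/base.json":
        try:
            cfg = json.loads(record.get("body") or "")
        except json.JSONDecodeError:
            cfg = None
        if isinstance(cfg, dict) and str(cfg.get("code")) == KIT_CODE:
            return host, "kit-confirmed"
        # A decoy served to a researcher looks like this too, so it is not "clean".
        return host, "inconclusive"
    if parse_qs(parts.query).get("s") == ["wa"]:
        return host, "whatsapp-lure"
    return host, "buzz-only"

def triage(records):
    """Keep the strongest verdict seen per host."""
    verdicts = {}
    for rec in records:
        host, verdict = classify(rec)
        if host and RANK[verdict] > RANK.get(verdicts.get(host), 0):
            verdicts[host] = verdict
    return verdicts

# Constructed sample: hosts and /bKLsmXm come from the report; bodies and the
# placement of ?s=wa are made up for illustration.
SAMPLE = [
    {"url": "https://xjxtg.buzz/bKLsmXm?s=wa", "body": "<html>shell</html>"},
    {"url": "https://xjxtg.buzz/base.json", "body": '{"code": 1100, "brand": "x"}'},
    {"url": "https://ucdkx.buzz/base.json", "body": ""},
    {"url": "https://ucdkx.buzz/", "body": None},
    {"url": "https://intranet.example/base.json", "body": '{"code": 1100}'},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(host, verdict)
```

A host that never reaches "kit-confirmed" stays a candidate for manual review rather than being cleared, since the server returns decoys to requests it does not like.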
How PrizeBuzz hides (cloaking + Cloudflare)
Three layers of evasion keep this network alive far longer than a typical phishing site:
Cloaking. The static HTML is deliberately generic. The phishing page only materializes if /base.json returns code: 1100 for your specific request. The server weighs the geo, the locale, the numeric victim token in the URL (e.g. ?0611855385310511618), and the # fragment, then decides: right country, fresh token, mobile browser → serve the lure; bot, security crawler, wrong geo, or reused token → serve ads or a blank decoy. This is why automated sandboxes frequently report "nothing malicious" on these domains.
Cloudflare on every domain. Each .buzz domain sits behind Cloudflare's free plan, which does triple duty for the attacker: it hides the origin server's real IP, supplies free automatic TLS (so the padlock looks legitimate), and edge-caches the kit so the page survives even if the...