
SANS ISC: Facebook Scam Spam - SANS Internet Storm Center SANS ISC InfoSec Forums


Facebook Scam Spam


We are seeing reports of Facebook scam spam trickle in. Rene provided us with a detailed anecdote that includes the following image. The URL provided in the image was investigated a bit. TinyURL has since taken down the redirect and classified it as spam. However, the image (and others like it) still propagates as FB users click on the link.

This type of scam is used mostly without the permission of the vendor noted, in this case Costco. The idea is to entice the user to click so they get redirected to a site whose business model depends on traffic volume. If the Facebook user count has hit 1 billion yet (not something I'm keeping track of... :) ), then even a small percentage of that makes the Facebook population an easy target, with an easy payout.





If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive.  It's a really bad practice.   The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months.


-Kevin
--
ISC Handler on Duty

Kevin Shortt

81 Posts
ISC Handler
"woow I got my free $500 costco gift card , get yours at ......":

Spelling, capitalization, and punctuation errors. And it seems too good to be true. All the earmarks of spam. But I could buy many gallons of salsa with the $500. Tempting - NOT!
Alan

57 Posts
Received a text message this morning supposedly BestBuy "you won a prize of an iPad or iPhone 5" with a bit.ly link. I won't click on the link as it may be tied specifically to my cell number and I don't want them knowing it is a valid one, but I'm sure this is a nice Android/iPhone compromising end-link. Rule #1: There is no free lunch. Rule #2: If there is a free lunch, see Rule #1.
Alan
42 Posts
We tweeted about this over the weekend:
New #Facebook credential stealer: Subj: :Hey friends got a $500 Gift Card from COSTCO!" URL: hxxp://bit.ly/Pi1X8O IP: 46.21.151.148 Blocked
ByrneIT

8 Posts
The full analysis shows that the URL is a double redirect, using Google Translate. We notified the SafeBrowsing guys on Sunday afternoon, and they have been blocking it since:
More details below.

Subject: "Hey friends got a $500 Gift Card from COSTCO! "

URL: hxxp://bit.ly/Pi1X8O, redirects through Google Translate to

hxxp://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=hxxp://bit.ly/UvLPCO

Which goes to:

hxxp://ooyah.info/costco.php?bfxhpJ3X

IP: 46.21.151.148

Old RBN IP.
ByrneIT

8 Posts
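An added example, not part of the original comment or any ISC tooling: a static unwrapper for the Google Translate hop described above, so that a URL filter checks the host carried in the `u=` parameter rather than the trusted outer host. The wrapper list, shortener list and function names are assumptions of this sketch, and no network requests are made.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed wrapper list for this example: (host, path) -> parameter holding the real target.
WRAPPERS = {
    ("www.google.com", "/translate"): "u",
    ("translate.google.com", "/translate"): "u",
}
# Shorteners named on this page; their targets can only be learned by expanding them.
SHORTENERS = {"bit.ly", "tinyurl.com"}


def refang(url):
    """Make a defanged indicator (hxxp://, [.]) parseable again."""
    return re.sub(r"hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")


def defang(url):
    """Defang a URL for safe display in reports."""
    return url.replace("http", "hxxp")


def unwrap(url, max_depth=5):
    """Statically peel wrapper services; returns every URL in the chain."""
    chain = []
    for _ in range(max_depth):
        url = refang(url)
        chain.append(url)
        parts = urlsplit(url)
        param = WRAPPERS.get(((parts.hostname or "").lower(), parts.path.rstrip("/")))
        # An unencoded '&' inside the nested URL would truncate it here.
        targets = parse_qs(parts.query).get(param) if param else None
        if not targets:
            break
        url = targets[0]
    return chain


def assess(url):
    """Summarise which host a filter should check instead of the outer one."""
    chain = unwrap(url)
    host = (urlsplit(chain[-1]).hostname or "").lower()
    return {"chain": [defang(u) for u in chain], "wrapped": len(chain) > 1,
            "check_host": host, "needs_expansion": host in SHORTENERS}


if __name__ == "__main__":
    # URL quoted in the comment above (already defanged there).
    print(assess("hxxp://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=hxxp://bit.ly/UvLPCO"))
```

A result with `needs_expansion` set means the innermost URL is itself a shortener link, so the final landing host is still unknown until that link is expanded in a sandbox.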
It actually ends up at https://mirrorgo[.]info/costco/ but only if you are from US, UK or AU.

var country = geoip_country_code();
// Visitors geolocated to the listed countries go to the scam page; everyone else is sent to Google.
if (country == 'US' || country == 'GB' || country == 'AU' || country == 'USA') {
    window.top.location = "https://mirrorgo[.]info/costco/";
} else {
    window.top.location = "https://google.com";
}
ByrneIT
2 Posts
I frequent Facebook often. My friends have posted a Causes link on my page to turn my page pink for Breast Cancer Awareness, which I do not want to do, oddly because of a small spelling error. Question is, do all spelling errors within these ads, emails, or Causes suggest that it is a scam every time? We are only human and have room for grammatical errors, right? I believe the Cause is a phishing scam, and I do not play social games through Facebook for fear of scams out there. Thank you in advance. :-)
ByrneIT
1 Posts
