Vulnerabilities / Threats

11/20/2012
01:00 PM
50%
50%

Facebook Gift Scams: How They Work

Beware complex scams that promote Costco, Starbucks vouchers, while making it tough for authorities to track down perpetrators.

Beware of a gift scam that promises to reward a limited number of respondents with a $400 voucher to Australian retailer Woolworths. The scam typically circulates via Facebook, after a user shares a link to a "Get a Free $400 Woolworths Voucher Now" page with their Facebook friends.

Interestingly, clicking on the included link -- woolworthsfree.net -- dumps most people onto a Google search page, with no further offers being forthcoming.

According to Australia-based software architect Troy Hunt, that's because the scam uses JavaScript to identify the country that a user is located in, and then discards anyone who's not located in Australia, Albania, Canada, New Zealand or South Africa. Sister scams operating in other countries, meanwhile, include one that targets Costco users in the United States with vouchers and another that offers a $100 "free Starbucks Christmas voucher."

Don't feel left out if you can't click through; attackers are just trying to increase their odds of success. "One thing this scam does right up front is detects your location and determines whether you're likely to be sucked in by a Woolies scam or not," said Hunt in a blog post that analyzes how these scams work, as well as what the criminals behind them are seeking.

[ Learn more about Facebook security. See Facebook Adopts Secure Web Pages By Default. ]

Of course, criminals continue to launch scams -- such as cold-calling consumers and selling them fake antivirus -- because they work. "Recently I wrote about the mechanics of another Facebook scam where the 'bait' was photos of a salacious school girl. Many people -- including female friends and my mother in law -- readily fell for that one," said Hunt.

But even in countries where people can click on the Woolworths scam, the actual "conversion rate" for criminals -- meaning, the number of people who fall victim to the scam -- is likely scant. "Yes, spam and other nasties 'work' but it's really only a very small percentage of them," said Hunt. "When the king of Nigeria dies and bequeaths you $50M but only if you can help his grieving widow shift it out of the country, there's this very, very small segment of the community which actually says 'Hey, I could be onto something here.'"

To help make scam conversion rates more successful, criminals up the ante by employing a variety of social engineering techniques, such as adding a sense of urgency to their messages, including offering a supposedly limited number of free vouchers. The scam Woolworths website page also includes fake Facebook posts with kudos from two users, which appear to have been posted within the last few minutes, as well as a note at the bottom, next to a Facebook "like" button, that says over 6 million people have "liked" the page.

Meanwhile, a script on the website page counts down the number of vouchers still remaining, apparently as other consumers are snapping them up. "Every half a second the script generates a random number that is between 0 and 5," said Hunt. "If the generated number is between 1 and 2 then the number of remaining vouchers is decremented by 1. What it means is that the rate of other people snapping up vouchers doesn't appear to be constant, which adds to the believability of the whole scam."

Ultimately, how do people fall victim to the scam? To obtain a voucher, people first need to post to a fake "Share on Facebook" link, which triggers a pop-up window that's generated using a one-time link, which allows the attackers to gauge their click-through rates. Hunt said this technique "isn't that unusual for a legitimate site as it's a means of tracking how many click-throughs come from a particular 'share,' it's just a little unusual to see it in a scam." Second, users must click on the fake "Like" button at the bottom of the page, which then may trigger one of a variety of different actions, based on the user's location, but ultimately, a variety of page redirects take users to the aldaniti.net website, "where you can go off and win a shiny new Apple toy," said Hunt. In other words, the promise of one freebie leads to a website ostensibly offering even more freebies.

Regardless, clicking on a button to enter any of the competitions offered pops up a box requesting a user's name, date of birth as well as full contact details. "Or in other words, a healthy starting point for identity theft," said Hunt. Meanwhile, filling in one information-request box can beget unending other requests for information via the same site, or sister sites.

Ultimately, Hunt said all of the websites involved appear to track back to a user named "James Smith" who's based in Albania, but using a server based in Germany. "The geographic distribution is one of the reasons why these scams are so hard for authorities to get on top of," Hunt said. "People in Australia being scammed by a guy in Albania using a server hosted in Germany. Who do the cops speak to?"

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Deb Donston-Miller
50%
50%
Deb Donston-Miller,
User Rank: Apprentice
11/23/2012 | 10:41:10 PM
re: Facebook Gift Scams: How They Work
Are there any Woolworth's left in the U.S.? Was that another way of weeding people out? (That is, people in the U.S. likely wouldn't click through in the first place?)

Deb Donston-Miller
Contributing Editor, The BrainYard
Mathew
50%
50%
Mathew,
User Rank: Apprentice
11/26/2012 | 10:10:17 AM
re: Facebook Gift Scams: How They Work
Great question. Yes, Woolworths is gone in the U.S., but the brand lives elsewhere. This particular attack was detailed by a security expert based in Australia, which still has Woolworths. But the exploit in question assesses the user's location, then feeds--or doesn't feed--them the scam. American versions of the scam, meanwhile, include a Costco voucher.
Cybersecurity's 'Broken' Hiring Process
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/11/2017
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Search Cybersecuruty and you will get unicorn.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.