Facebook Scam Spam

Published: 2012-10-10
Last Updated: 2012-10-10 14:32:26 UTC
by Kevin Shortt (Version: 1)
6 comment(s)


We are seeing reports of Facebook Scam Spam trickle in. Rene provided us with a detailed anecdote that includes the following image. The URL shown in the image was investigated a bit. TinyURL has since taken down the redirect and classified it as spam. However, the image (and others like it) still propagates as FB users click on the link.

This type of scam mostly uses the name of the vendor noted, in this case Costco, without its permission. The idea is to entice the user to click so they get redirected to a site whose business model depends on traffic volume. If the Facebook user count has hit 1 billion yet (not something I'm keeping track of :) ), then even a small percentage of that makes the Facebook population an easy target, with an easy payout.





If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. Clicking on them is a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months.


-Kevin
--
ISC Handler on Duty


Comments

"woow I got my free $500 costco gift card , get yours at ......":

Spelling, capitalization, and punctuation errors. And it seems too good to be true. All the earmarks of spam. But I could buy many gallons of salsa with the $500. Tempting - NOT!

Received a text message this morning, supposedly from BestBuy: "you won a prize of an iPad or iPhone 5" with a bit.ly link. I won't click on the link as it may be tied specifically to my cell number and I don't want them knowing it is a valid one, but I'm sure this is a nice Android/iPhone compromising end-link. Rule #1: There is no free lunch. Rule #2: If there is a free lunch, see Rule #1.

We tweeted about this over the weekend:
New #Facebook credential stealer: Subj: "Hey friends got a $500 Gift Card from COSTCO!" URL: hxxp://bit.ly/Pi1X8O IP: 46.21.151.148 Blocked
The full analysis shows that the URL is a double redirect, using Google Translate. We notified the SafeBrowsing guys on Sunday afternoon, and they have been blocking it since:
More details below.

Subject: "Hey friends got a $500 Gift Card from COSTCO! "

URL: hxxp://bit.ly/Pi1X8O, redirects through Google Translate to

hxxp://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=hxxp://bit.ly/UvLPCO

Which goes to:

hxxp://ooyah.info/costco.php?bfxhpJ3X

IP: 46.21.151.148

Old RBN IP.
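
The double redirect described in the comment above (a trusted Google Translate URL carrying a bit.ly link in its `u` parameter) can be unwrapped offline by parsing the query string, without visiting any link. This is an added example, not part of the original diary or its comments; the function names and the shortener set are assumptions, and the sample input is the defanged URL quoted above.

```python
from urllib.parse import urlsplit, parse_qsl

# Shorteners named on this page; extend the set for your own filter (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com"}

# Defanged Google Translate wrapper URL quoted in the comment above.
SAMPLE = "hxxp://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=hxxp://bit.ly/UvLPCO"

def refang(url):
    """Make a defanged indicator (hxxp, [.]) parseable again, in memory only."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def defang(url):
    """Defang a URL before it is logged or shared."""
    return url.replace("http", "hxxp")

def embedded_urls(url):
    """Yield query-parameter values that are themselves http(s) URLs.
    parse_qsl percent-decodes values, so encoded inner URLs are found too."""
    for _, value in parse_qsl(urlsplit(url).query):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            yield value

def unwrap(url, max_depth=5):
    """Return the nested URLs, outermost first. Nothing is fetched."""
    chain = [refang(url)]
    for _ in range(max_depth):
        inner = next(embedded_urls(chain[-1]), None)
        if inner is None:
            break
        chain.append(inner)
    return chain

def hides_shortener(chain):
    """True when a non-shortener host wraps a link to a URL shortener."""
    hosts = [urlsplit(u).hostname for u in chain]
    return hosts[0] not in SHORTENERS and any(h in SHORTENERS for h in hosts[1:])

if __name__ == "__main__":
    chain = unwrap(SAMPLE)
    for depth, link in enumerate(chain):
        print("  " * depth + defang(link))
    print("wrapped shortener:", hides_shortener(chain))
```

The bit.ly hop itself is resolved server-side, so string parsing stops at the shortener link.
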

It actually ends up at https://mirrorgo[.]info/costco/ but only if you are from US, UK or AU.

    var country = geoip_country_code();
    if (country == 'US' || country == 'GB' || country == 'AU' || country == 'USA') {
        window.top.location = "https://mirrorgo[.]info/costco/";
    } else {
        window.top.location = "https://google.com";
    }

I frequent Facebook often. My friends have posted a Causes link on my page to turn my page pink for Breast Cancer Awareness, which I do not want to do, oddly because of a small spelling error. Question is, do all spelling errors within these ads, emails, or Causes suggest that it is a scam every time? We are only human and have room for grammatical errors, right? I believe the Cause is a phishing scam, and I do not play social games through Facebook for fear of scams out there. Thank you in advance. :-)
