SANS ISC InfoSec Forums: Facebook Scam Spam

Facebook Scam Spam

We are seeing reports of Facebook scam spam trickle in. Rene provided us with a detailed anecdote that includes the following image. The URL shown in the image was briefly investigated. TinyURL has since taken down the redirect and classified it as spam. However, the image (and others like it) still propagates as Facebook users click on the link.

This type of scam is usually run without the permission of the vendor named, in this case Costco. The idea is to entice the user to click so they are redirected to a site whose business model depends on traffic volume. Whether or not the Facebook user count has hit 1 billion yet (not something I'm keeping track of.. :) ), even a small percentage of that makes the Facebook population an easy target with an easy payout.

If you are a Facebook user, please be wary of any offer that entices you to "click" to receive. It is a really bad practice. The holiday shopping season is beginning, and these vectors are going to be heavily used by scammers in the coming months.

Kevin Shortt, ISC Handler on Duty
Oct 10th 2012
"woow I got my free $500 costco gift card , get yours at ......":

Spelling, capitalization, and punctuation errors. And it seems too good to be true. All the earmarks of spam. But I could buy many gallons of salsa with the $500. Tempting - NOT!

Received a text message this morning, supposedly from BestBuy: "you won a prize of an iPad or iPhone 5" with a link. I won't click on the link as it may be tied specifically to my cell number and I don't want them knowing it is a valid one, but I'm sure this is a nice Android/iPhone compromising end-link. Rule #1: There is no free lunch. Rule #2: If there is a free lunch, see Rule #1.
We tweeted about this over the weekend:
New #Facebook credential stealer: Subj: "Hey friends got a $500 Gift Card from COSTCO!" URL: hxxp:// IP: Blocked

The full analysis shows that the URL is a double redirect, using Google Translate. We notified the SafeBrowsing guys on Sunday afternoon, and they have been blocking it since:
More details below.

Subject: "Hey friends got a $500 Gift Card from COSTCO! "

URL: hxxp://, redirects through Google Translate to


Which goes to:




It actually ends up at https://mirrorgo[.]info/costco/ but only if you are from US, UK or AU.

var country = geoip_country_code();
if (country == 'US' || country == 'GB' || country == 'AU' || country == 'USA') {
    = "https://mirrorgo[.]info/costco/";
} else {
    = "";
}
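One way a defender can unwrap the Google Translate double redirect described above and pull the country check and target out of a geo-gated landing script, as an added example (not code from the thread or from SANS ISC). The translate host prefixes, the regexes, the sample hops and the sample script (including its assignment target) are assumptions and constructed data, not values from the original posts:

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed host prefixes for Google Translate proxy links; the proxied page is the "u" query parameter.
TRANSLATE_HOSTS = ("translate.google.", "translate.googleusercontent.com")


def unwrap_translate(url):
    """Return the URL wrapped by a Google Translate proxy link, or None if it is not one."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host.startswith(TRANSLATE_HOSTS):
        return None
    wrapped = parse_qs(parts.query).get("u")
    return unquote(wrapped[0]) if wrapped else None


def flatten_chain(hops):
    """Expand a list of observed redirect hops so translate-proxied links also show their real target."""
    out = []
    for hop in hops:
        out.append(hop)
        inner = unwrap_translate(hop)
        if inner:
            out.append(inner)
    return out


GEOIP_CALL = re.compile(r"geoip_country_code\s*\(")
COUNTRY_TEST = re.compile(r"""country\s*==\s*['"]([A-Za-z]{2,3})['"]""")
QUOTED_URL = re.compile(r"""['"](https?://[^'"\s]+)['"]""")


def analyze_landing_script(js):
    """Summarise geo-gating in a landing-page script shaped like the one quoted in the thread."""
    countries = sorted({c.upper() for c in COUNTRY_TEST.findall(js)})
    return {
        "geo_gated": bool(GEOIP_CALL.search(js)) and bool(countries),
        "countries": countries,          # who gets the real landing page
        "targets": QUOTED_URL.findall(js),  # URLs worth blocking regardless of visitor geography
    }


# Constructed sample data: a shortener hop, a translate-proxy hop, and a geo-gated script.
SAMPLE_HOPS = [
    "http://shortener.example/abc123",
    "https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fintermediate.example%2Fpage",
    "http://intermediate.example/page",
]
SAMPLE_JS = """var country = geoip_country_code();
if (country == 'US' || country == 'GB' || country == 'AU' || country == 'USA') {
    location.href = "https://landing.example/costco/";  /* assumed assignment target */
} else {
    location.href = "";
}"""

if __name__ == "__main__":
    print(flatten_chain(SAMPLE_HOPS))
    print(analyze_landing_script(SAMPLE_JS))
```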
I frequent Facebook often. My friends have posted a Causes link on my page to turn my page pink for Breast Cancer Awareness, which I do not want to do, oddly because of a small spelling error. Question is, do all spelling errors within these ads, emails, or Causes suggest that it is a scam every time? We are only human and have room for grammatical errors, right? I believe the Cause is a phishing scam, and I do not play social games through Facebook for fear of scams out there. Thank you in advance. :-)