Free Facebook t-shirts at the cost of your Personal Information?

Like many other social-engineering spam campaigns seen on Facebook, the recent one offering victims free t-shirts as a 7th Anniversary gift seems to have gained quite a bit of traction. If the stats shown on one of the scam pages are to be believed [Figure 1, courtesy hacker9], quite a few people have already fallen for this likejacking scam. Interestingly, I have already spotted close to eight accounts in my Facebook contact list posting the scam over and over again on my wall, which is one of the after-effects of falling prey to it. Another startling fact is that, when I checked other security blogs, there appear to be several variants of this spam, some of which have already been taken down. So scammers have evidently realized that a "free Facebook t-shirt" is an excellent lure for unsuspecting Facebook users.

[Figure 1] Likejacking stats shown on one of the scam pages

The version of the scam I ran into unfolds in the images shown below:

[Figure 2] Continuous posts on my Facebook wall from a friend who is a victim of the scam

It started with a series of similar posts on my wall about the free t-shirt [Figure 2]. Although the links have been obscured for safety, note that every post from the scam carries a different URL, yet all of them lead to the same page. This is most likely a trick to evade blacklisting of the posted links on Facebook: a blocklist keyed on the exact URL never sees the same link twice. Clicking any of the links takes the user to a page outside Facebook [Figure 3] that advertises the Facebook Anniversary. The page borrows Facebook's visual theme, presumably in an attempt to look legitimate, and claims that plenty of t-shirts are in stock and ready to be won for free.
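As an added example (not code from the original post), here is a small Python script showing how a defender can blunt the trick of varying the posted URL: rather than blocklisting each link as posted, follow its redirect chain to the landing page, strip per-post tracking parameters, and cluster posts by that destination. A destination reached through many different links from several accounts is the pattern described above. The redirect table, the example domains, the wall posts and the function names are all constructed for this illustration; none of them are real scam infrastructure.

```python
"""Cluster wall-post links by the page they finally land on.

Added example, not from the original post. The redirect table stands in
for live HTTP 30x responses so the script runs offline; every domain and
post below is constructed sample data.
"""
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed redirect table: posted URL -> next hop.
REDIRECTS = {
    "http://short.example/a1": "http://promo.example/fb7?ref=a1",
    "http://short.example/b2": "http://promo.example/fb7?ref=b2",
    "http://go.example/t-shirt": "http://promo.example/fb7?ref=c3",
    "http://free.example/win": "http://redir.example/x",
    "http://redir.example/x": "http://promo.example/fb7?ref=d4",
    # A redirect loop, to show why a hop limit is needed.
    "http://loop.example/1": "http://loop.example/2",
    "http://loop.example/2": "http://loop.example/1",
}

# Constructed wall posts: (poster, posted link).
POSTS = [
    ("friend_a", "http://short.example/a1"),
    ("friend_a", "http://short.example/b2"),
    ("friend_b", "http://go.example/t-shirt"),
    ("friend_c", "http://free.example/win"),
    ("friend_d", "http://news.example/article?id=9"),
    ("friend_e", "http://loop.example/1"),
]

# Per-post tracking parameters that should not split one landing page
# into many "different" destinations.
TRACKING_PARAMS = {"ref", "utm_source", "utm_medium", "utm_campaign", "fbclid"}


def canonical(url: str) -> str:
    """Lower-case scheme and host, drop tracking parameters and fragment."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in TRACKING_PARAMS]
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", urlencode(query), ""))


def resolve(url: str, redirects=REDIRECTS, max_hops: int = 10) -> Optional[str]:
    """Follow the redirect chain to its end.

    Returns the canonical landing URL, or None if the chain loops or
    exceeds max_hops (treat that as suspicious in its own right).
    """
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return None
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return canonical(url)
        url = nxt
    return None


def cluster_posts(posts, redirects=REDIRECTS):
    """Map each landing page to the distinct posted URLs and posters."""
    clusters = defaultdict(lambda: {"urls": set(), "posters": set()})
    for poster, url in posts:
        dest = resolve(url, redirects)
        key = dest if dest is not None else "<unresolved>"
        clusters[key]["urls"].add(url)
        clusters[key]["posters"].add(poster)
    return clusters


def suspicious_destinations(posts, redirects=REDIRECTS,
                            min_urls: int = 3, min_posters: int = 2):
    """Landing pages reached via many different links from several accounts."""
    return sorted(
        dest for dest, c in cluster_posts(posts, redirects).items()
        if dest != "<unresolved>"
        and len(c["urls"]) >= min_urls and len(c["posters"]) >= min_posters
    )


if __name__ == "__main__":
    for dest, c in cluster_posts(POSTS).items():
        print(f"{dest}: {len(c['urls'])} links from {sorted(c['posters'])}")
    print("block:", suspicious_destinations(POSTS))
```

Keying the blocklist on the resolved, canonicalized destination means the scammer has to stand up a new landing page, not just mint another short link, to get past it. In a real deployment `resolve` would issue HEAD requests with a timeout instead of consulting a dictionary, and the thresholds would be tuned against legitimate viral links.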

[Figure 3] The landing page of the scam with Facebook-like theme and buttons

Clicking the "Like" button uses your Facebook account to like the page, adding it to your favorites and incrementing the like counter shown on it. By the time I wrote this post, the count had gone above 500, so this page definitely appears to be tricking a lot of people into likejacking. The like also posts the scam on your own Facebook wall, where all your friends see it, ready to trick more victims [Figure 4].

[Figure 4] The scam post, automatically shared with all my Facebook contacts

Clicking the "Click Here" button [Figure 3] takes the user to a "Facebook Verification Page" [Figure 5], which instructs them to open the Facebook mobile page (www.facebook.com/mobile) on their computer and copy their Facebook secondary email address into the scammers' form. This personalized secondary address is legitimate: Facebook assigns it to each user so they can post status updates and photos by email. Anyone who knows it can post to that wall by email, so once it is supplied the scammers can spam your Facebook wall at will. Two things stand out on this page: a YouTube video guiding you through making this mistake and, on top of that, the ironic statement "NOTE : The Steps are involved to stop Spam on Facebook."

[Figure 5] The scam page that steals your Facebook secondary email address

[Figure 6] The fake YouTube video and the text box that collects your Facebook personalized email address

It isn't over yet. On submitting your email address, the scammers send you to a third and final page [Figure 7], where you are required to complete one of three online surveys. The page shows an animated status message reading "Survey not completed" that never changes, so users end up taking all three surveys: "Is Coke or Pepsi better", "Pimp out Your Facebook Page!" and "Customize Your Facebook with a Theme." The surveys collect the user's name, gender, address, telephone number and personal preferences, and they also make you download software onto your machine that appears to be adware (pending investigation in our research labs). I went through each of these surveys, filled in bogus information in all of them, and still this final page never let me go any further to order the t-shirt.

[Figure 7] The fake survey page that never lets the user go further to have the t-shirt sent

So the hopes of getting a free t-shirt were in vain after all. Be advised: when something is offered for free, on the Internet or in the real world, it generally isn't, and if you fall prey to such scams you may lose far more than you bargained for. Steer clear of such scams and stay safe.