A while back, I reported on how I was attacked through Facebook photo tagging and the offer of a free Walmart gift card (Beware! A New Twist on the Facebook/Free Walmart Gift Card Scam is Making the Rounds). Recently, I’ve noticed a significant upsurge in people reading this post, leading me to suspect that more gift card scams are out there and are using Facebook to propagate themselves. I suppose this should be expected. This is, after all, the gift card season. Anyway, here is a list of the scams recently making the rounds, often using Facebook to launch the attack. Note that the amounts on the cards can vary.
$1,000 Victoria’s Secret gift card
$500 Costco free gift card
$100 Applebee’s free gift card
1 free Walgreens gift card
One free Amazon.com gift card
Boots $50 voucher giveaway
Free $1,000 Walmart gift card survey
Eat for free at Cheesecake Factory
Eat for free at Pizza Hut
Free Starbucks $50 gift card
Free $25 Tim Hortons gift card
The goal behind these scams is always the same. They want your personal information. To get it, they will usually ask you to apply for the free gift card. Clicking on the gift card will take you to a page that asks for this information. Unfortunately, filling out the “survey form” could give the scammers enough information to make a credit card in your name, but it won’t get you a gift card. Not all the scammers want your information so that they can steal your identity. Some may just be collecting information about you that they can sell to advertisers through something known as ‘affiliate advertising’. Either way, they win and you lose. Sometimes you’ll be asked to install an app that is associated with what looks like the store logo. This should make you suspicious, but if you do install this app, hoping to get your gift card, you’ll join a network of spammers and send this bogus gift card on to all your friends.
Don’t feel bad if you’ve been fooled by these scams. They can look surprisingly real. You may even see comments of people thanking the store for the free gift card and some of these people may even be friends of yours. Why wouldn’t you want to get in on a good deal?
Since anyone can set up a Facebook page for anything, Facebook pages can appear to be set up by the store giving the gift cards. Facebook tries to stop such sites, but they are simply overwhelmed during the holiday season when gift cards, legitimate and fake, are popping up everywhere. After all, they don’t want to take down a legitimate site.
The main attack mode used by these scammers is based on clickjacking. Clickjacking refers to a click taking you to a site that you did not intend to go to. Often, scammers or spammers will send you a video or news story through a compromised friend. Often it will have a suggestive title such as, “see what happens to this girl when she encounters a giant anteater” or some such nonsense. Many times they will promise some sexual content. In any case, clicking to see the video or story won’t get you anywhere. It could, however, get malware installed on your device or send you to some other page in the hopes you’ll give some personal data. Recently, I was sent such a video by someone I am sure would never send such a thing. The URL seemed legitimate, but, when clicking on it, I received a message from Facebook saying that the site was blocked. I would have to say that Facebook was doing its job in this instance. I wonder if they informed the people compromised that they are being used by spammers.
There are many varieties of clickjacking. ‘Tag jacking’ uses the Facebook photo tagging capability to attract you to a particular site, usually by sending you an email telling you that you’ve been tagged in a photo by one of your friends and hoping you visit the photo that’s been tagged. ‘Likejacking’ uses the Facebook ‘Like’ button to get you to like something that you actually don’t. You may be sent a lure (as mentioned above), but when you click the ‘Like’ button or anywhere on this lure, your friends are sent a notice that you have liked something, in the hope that they, too, will like it. This is used by marketing firms to gather information; however, you can expect that scammers will soon figure out how to use it to get your information or give you some malware. Facebook has developed a way to counteract likejacking. After a certain number of ‘likes’ or other suspicious activity, a like confirmation button will appear, followed by a screen which asks if you actually liked a particular post. If no one confirms the like, the site might be blocked or a limit on the number of likes will be imposed. This has caused some consternation among scammers and spammers, and there are numerous discussions on how to circumvent this Facebook defensive measure. That said, there is another clickjacking scam that sends you to a page that appears to be from Facebook asking you to verify your account. Here is what it looks like.
Clearly, filling out this form will compromise your account. The problem for many is that the link (https://www.facebook.com/-security-services/) may appear legitimate, since it sits on the real facebook.com domain. (The legitimate site is: http://www.facebook.com/security). Don’t worry, this particular bad link has been removed by Facebook, but you get the idea of how easy it can be to fool someone.
There is one more way that you can be targeted through Facebook to become a spammer’s tool. Your Facebook site may be taken over by someone else. Well, not exactly your site, but a site that is meant to look like yours. It will have your picture as well as any other photos that are available. They will then block you from accessing this fake site and send friend requests to everyone on your friends list. Now, they can comb through your friends’ Facebook pages and gather all the information that they can. They can also set up the gift card scam and spam it through all of your friends. In other words, if you are already friends with someone, beware of another friend request from them. At other times, the mock site is not even affiliated with Facebook, but it is so well copied that it seems to be part of that network. In this case, be sure to check the URL. This last technique has been used to fool millions of shoppers this year with a fake Kohl’s $100 gift card.
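One way to put the “check the URL” advice into practice, as an added example that is not from the original post: a small Python helper that separates a genuine Facebook host from a lookalike host, and an official Facebook path (such as /security) from a user-created page under facebook.com whose name merely imitates a security or verification page, which is exactly how the -security-services link above passed for legitimate. The host list, the official-path list and the keyword list are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed for this example: hosts that are genuinely Facebook.
LEGIT_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
# Assumed official paths; /security is the one the post names as legitimate.
OFFICIAL_PATHS = {"/security", "/help"}
# Constructed keywords: a user-created page under facebook.com whose path
# contains one of these is imitating an official account/security page.
IMPERSONATION_KEYWORDS = ("security", "verif", "confirm", "gift")


def classify_url(url: str) -> str:
    """Classify a link as 'official', 'impersonates-official',
    'facebook-other', 'lookalike-host' or 'unparseable'."""
    url = url.strip()
    if "://" not in url:  # pasted links often lack a scheme
        url = "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return "unparseable"
    # Only the registrable domain at the END of the hostname counts:
    # www.facebook.com.account-verify.example is not Facebook.
    if host not in LEGIT_HOSTS and not host.endswith(".facebook.com"):
        return "lookalike-host"
    path = "/" + parts.path.strip("/").lower()
    if path in OFFICIAL_PATHS:
        return "official"
    if any(k in path for k in IMPERSONATION_KEYWORDS):
        return "impersonates-official"
    return "facebook-other"


if __name__ == "__main__":
    # Constructed sample links, including the two URLs quoted in the post.
    samples = [
        "http://www.facebook.com/security",
        "https://www.facebook.com/-security-services/",
        "https://www.facebook.com.account-verify.example/login",
        "www.facebook.com/SomeFriendsProfile",
        "http://free-1000-walmart-giftcard.example/survey",
    ]
    for link in samples:
        print(f"{classify_url(link):22} {link}")
```

Anything classified as lookalike-host or impersonates-official is a link to report and not to fill in; facebook-other only says the page is hosted on Facebook, not that it is trustworthy.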
Here are more examples of what these cards may look like. The first two are the latest in Amazon scams.
And here’s one for last year’s biggest holiday casualty, Target.
You can see that they look quite legitimate. If you find you are a victim of any of these Facebook-based schemes, you have to take defensive action. My previous post will give you information on how to deal with a photo tagging (tag jacking) exploit. More detailed actions can be found here. Facebook is continuously fighting clickjacking, and the details of this battle can be found here. If, however, you feel your account has been hacked or compromised in some way, you can go here to find out what to do next.
One compromised user on your company network can lead to spam being sent to all of your Facebook contacts. These contacts, which can include customers and partners, may get a message that you like something that you would never like, which can ruin your company’s image. You may end up sending many apologetic messages to everyone connected with your company. To prevent employees connected to your network from undermining your reputation through such spamming, you need to change the architecture of your network in a way that will prevent this from ever happening. Such an architecture is available and can be found here.