Facebook likejacking scam via Twitter

The tweet your receive is ”we are looking for twitter members to try our brand new product at twitgiveaway,com”, mostly as a reply to one of your tweets.

There is no mistake in the URL: “twitgiveaway,com”. There is indeed a comma there instead of a dot. The reason for this is that the fraudsters are trying to obfuscate the URL so that they don’t get blocked or don’t get the domain they publish blocked. And in this case, a simplistic filter would not detect a domain at all.

twitt-ipadpromo

 

 

Clicking on the user’s profile we see the name “iPad Promo”.

twitt-ipadpromo-block

Checking the tweets the account produced we see that all links are about the same topic.
This account is trying to recruit as many visitors as possible to the website.

twitts-ipadpromo-profile

Observe that the posts contain various versions of that domain, which proves that the fraudsters are using various obfuscation methods.

Nothing unusual so far… Just another way of luring users to visit a website.

But, once on the website, the user has to take a survey with three simple questions:

– if he is a man or woman

– how many hours he spends on social media

– if he is accessing the site from work or from home

At the end of the survey you see what you could win: am iPhone 5 or an iPad 3.

twitgiveaway

 

In order to make the user click on the buttons, the authors of the scam are using a common social engineering technique and increase the urgency by adding the small amount of prizes still left (1 and 2 respectively).

The surprise comes after clicking on the links.

The buttons have some remote JavaScript code behind that redirect the user to a website which mandates the user to respond to other surveys in order to be eligible to win an iPad (no word anymore about an iPhone):

 

twitgiveaway-fb.JPG

 

This scam ends after all this trouble as a classical like jacking scam.

However, due to the cross site scripting reference (do not mistakenly consider it a cross site request forgery CSRF), there is a potential that the script changes its behavior and can do pretty much anything the attacker want.

In the end, there are only a few things to be done:

– report the Twitter user as a spammer

– delete the posts done on your behalf if you continued to take the survey

– unlike the app that offer the survey

– get out of your mind that you will win an iPad or an iPhone. Never forget that nothing is really free in the Internet.

 

 

Sorin Mustaca

IT Security Expert

 

 

via Avira – TechBlog http://techblog.avira.com/2013/06/18/facebook-likejacking-scam-via-twitter/en/


© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie http://de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since year 2000 in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

Comments are closed.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close