So, I'm scrolling through Facebook and suddenly...
And then I'm like...
Do you see what's immediately wrong here? To start, Delta Airline isn'...
I found something quite unsettling on Instagram a few months ago. It was a very devious site that sold very cheap electric bicycles. As far as it went, the site was all there with nice professional pictures and a shopping cart on a domain that looked legit.
My main issues were that the prices were ridiculous (like 150€ for a 3000€ bike) and that it didn't use HTTPS.
So I decided to follow a purchase and fulfill the order with a mock credit card. And as you would expect, once you clicked on the pay button, nothing happened. The CC went off to some server and you were left on the payment page clicking the same button.
Once in a while I reply to the email scammers claiming to want to give me a few million dollars if I "just" pay some processing fees.
The most outrageous one by far was a scammer claiming to be Michelle Obama(!!) herself.
I took that one for a ride. I posted the entire exchange on Quora here.
yes. YES. GOLD. Love it.
This is nothing more than a landing page for a survey BS affiliate program. The person behind it makes like $0.50-$1.00 for each person who completes the survey.
It requires the user to share it on Facebook in order to "complete it", which is exactly how you (the author of the article) found it. It's a method in the affiliate marketing scene that is commonly called "content locking". Commonly used by affiliates working for CPA networks to make income.[1][2]
Screenshot of landing page: i.imgur.com/PbaNuon.png
"If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware."
No, it's designed to drive traffic back to the website and make the owner $. It's spam.
If you had Googled "mfaisal630@gmail.com" you would have found the owner owns a slew of other domains with these types of content locking offers.[3]
IMO this is a horrible write-up with a complete lack of understanding of what it is, and it seems the author lacks technical expertise on what is actually occurring.
Advanced reading:
[1] google.com/search?q=content+lockin...
[2] lifehack.org/335913/how-make-money...
[3] domainbigdata.com/gmail.com/mj/yZ_...
hoax-slayer.net/get-2-free-delta-a...
snopes.com/airline-ticket-giveaway...
Edit: the person behind this website has multiple other domains using the same script. dev.to/_theycallmetoni/i-clicked-o...
Thank you for your opinion. The point of the article, however, was to look at the network traffic behind the page and understand what it was doing behind the scenes. I never drew any final conclusions on it, and based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise. But thanks for sharing.
Antoinette,
I'm just trying to clear up some confusion here because after looking at it, I believe your main statement that this page exists to distribute malware is incorrect.
"look at the network traffic behind the page and understand what it was doing behind the scenes."
"based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise."
What analysis? You mean plug the domain into VirusTotal, Hybrid Analysis, and Sucuri and then regurgitate back what it told you? Okay but that != technical expertise.
"I'm fairly confident that this site does distribute malware, but I cannot say what kind and what it does other than establishing a connection to a remote host (possibly a botnet?)."
It does not distribute malware. The landing page is designed to make some dude in Pakistan money via a CPA affiliate company, and the website generates its traffic by forcing users to Like and Share the URL on Facebook. A very common tactic in the CPA offer spam scene. I would love to see your evidence that the page exists to spread malware.
In the Advanced Reading section of my 1st comment I put more information about how content locking pages like this work.
Cheers
Edit:
You can tell the websites get a lot of traffic by checking out the views on the images used in the landing page:
imgur.com/xzmclDm - 52,865,976 views
imgur.com/7FesHcD - 30,900,812 views
imgur.com/bsRA7ip - 3,546,875 views
imgur.com/x557web - 62,299,883 views
There isn't any confusion. As I mentioned, I said it was inconclusive. Again, I also said I couldn't be sure. Based on the traffic I saw, it collected browser information along with some other tracking things. That kind of behavior can be found to be consistent with malware delivery. Also, I didn't regurgitate anything from VirusTotal or SiteCheck, I only shared the links. You're taking something I did out of boredom and making it quite serious for no other reason than to be right on the internet, which is fine if that's how you feel, but I'm not sure what you think is gained by arguing with me about it. Especially considering the majority of the article discusses the backend of the page and its behaviors. If you're taking issue with a few lines at the end of the page, then duly noted.
The internet is srs bizness. I'm just pointing out what I found VS you.
Cheers
And I appreciate your addition. Thank you.
Also, I will update my article with your additions. However, I should mention that perhaps it would be in your best interest not to approach people with hostility when trying to present an opposing viewpoint. It immediately puts people on the defense and invalidates anything you want to share, no matter how relevant. This exchange could have gone differently. Just food for thought. Unless you just like fighting with people, in which case, do you.
On top of that, the "hardcoded comments" part confuses me. It's not obvious at all; the HTML could be generated on the server. SPAs exist, but there are also a lot of classic websites that are generated on the fly without any AJAX. I would say it's probably a static page, but that's not always true and without extensive research it couldn't be assumed.
Awesome! Thanks for clicking so we don't have to, lol.
Very interesting that they target Internet Explorer explicitly. Scary though.
I think a lot of non-technical people use IE since it comes prepackaged. My mom is probably still on IE 8... :(
Yeah, I imagine there's still a broad audience for it. At least it's not being shipped out anymore. Its cousin Edge is. lol. Oye.
I thought you get both Edge and IE now. I believe they're on IE 11 now.
Oh for the love of.. 😭
It's legit WHOIS info imo.
Guy owns a bunch of other similar domains: domainbigdata.com/gmail.com/mj/yZ_...
cutestat.com/email/mfaisal630-gmai...
For instance, check out bestbuyfree.us. It's using the exact same script as the Delta Airlines free ticket one.
I know. Attribution is so terribly difficult given how easy it is to mask your identity online. I just thought it was a cool thing to find in the WHOIS. A lot of the time, they either pay to have it hidden or use a shell company of some kind.
Lol at randomuser.me
That's glorious 😂
Cool article, this stuff fascinates me. I have seen some posing as discount Oakley and RayBan sites that somehow propagate through Facebook without the user knowing. Have gotten a few invites from friends to "Come to my sunglass party!" but when I contact them they have no knowledge of it. One of these days I might do some investigating myself, but it seems like it's probably a similar scenario to this one.
Haha this is hilarious. I have sniffed through some scammer code before but never went to length to analyze my network traffic etc... Great stuff!
Nice detective work!
Maybe this guy was making money, but why is he tracking information about people's browser, OS and mouse? I don't believe it is truly harmless.
Woow, this is beautiful. Can't wait to share it
Those photos 👌
Can't wait to share this with my friends who get tricked into this stuff!