DEV Community

I Clicked On A Facebook Scam To See What Would Happen

Antoinette Maria on June 05, 2017

So, I'm scrolling through Facebook and suddenly... And then I'm like... Do you see what's immediately wrong here? To start, Delta Airline isn'...
eldel$hell

I found something even more unsettling on Instagram a few months ago. It was a very devious site that sold very cheap electric bicycles. As far as it went, the site was all there with nice professional pictures and a shopping cart on a domain that looked legit.

My main issues were that the prices were ridiculous (like 150€ for a 3000€ bike) and that it didn't use HTTPS.

So I decided to follow a purchase and fulfill the order with a mock credit card. And as you would expect, once you clicked on the pay button, nothing happened. The CC went off to some server and you were left on the payment page clicking the same button.

Yechiel Kalmenson

Once in a while I reply to the email scammers claiming to want to give me a few million dollars if I "just" pay some processing fees.

The most outrageous one by far was a scammer claiming to be Michelle Obama(!!) herself.

I took that one for a ride. I posted the entire exchange on Quora here.

Antoinette Maria

yes. YES. GOLD. Love it.

Edmond Major III • Edited

This is nothing more than a landing page for a survey BS affiliate program. The person behind it makes like $0.50-$1.00 for each person who completes the survey.

It requires the user to share it on Facebook in order to "complete it", which is exactly how you (the author of the article) found it. It's a method in the affiliate marketing scene that is commonly called "content locking". Commonly used by affiliates working for CPA networks to make income.[1][2]

Screenshot of landing page : i.imgur.com/PbaNuon.png

"If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware."

No, it's designed to drive traffic back to the website and make the owner $. It's spam.

If you had Googled "mfaisal630@gmail.com" you would have found the owner owns a slew of other domains with these types of content locking offers.[3]

IMO this is a horrible write-up with a complete lack of understanding of what it is, and it seems the author lacks technical expertise on what is actually occurring.

Advanced reading:
[1] google.com/search?q=content+lockin...
[2] lifehack.org/335913/how-make-money...
[3] domainbigdata.com/gmail.com/mj/yZ_...
hoax-slayer.net/get-2-free-delta-a...
snopes.com/airline-ticket-giveaway...

Edit: the person behind this website has multiple other domains using the same script. dev.to/_theycallmetoni/i-clicked-o...

Antoinette Maria

Thank you for your opinion. The point of the article, however, was to look at the network traffic behind the page and understand what it was doing behind the scenes. I never drew any final conclusions on it, and based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise. But thanks for sharing.

Edmond Major III • Edited

Antoinette,

I'm just trying to clear up some confusion here because after looking at it, I believe your main statement that this page exists to distribute malware is incorrect.

"look at the network traffic behind the page and understand what it was doing behind the scenes."

"based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise."

What analysis? You mean plug the domain into VirusTotal, Hybrid Analysis, and Sucuri and then regurgitate back what it told you? Okay but that != technical expertise.

"I'm fairly confident that this site does distribute malware, but I cannot say what kind and what it does other than establishing a connection to a remote host (possibly a botnet?)."

It does not distribute malware. The landing page is designed to make some dude in Pakistan money via a CPA affiliate company, and the website generates its traffic by forcing users to Like and Share the URL on Facebook. A very common tactic in the CPA offer spam scene. I would love to see your evidence that the page exists to spread malware.

In the Advanced Reading section of my 1st comment I put more information about how content locking pages like this work.

Cheers

Edit:
You can tell the websites get a lot of traffic by checking out the views on the images used in the landing page:
imgur.com/xzmclDm - 52,865,976 views
imgur.com/7FesHcD - 30,900,812 views
imgur.com/bsRA7ip - 3,546,875 views
imgur.com/x557web - 62,299,883 views

Antoinette Maria

There isn't any confusion. As I mentioned, I said it was inconclusive. Again, I also said I couldn't be sure. Based on the traffic I saw, it collected browser information along with some other tracking things. That kind of behavior can be found to be consistent with malware delivery. Also, I didn't regurgitate anything from VirusTotal or SiteCheck, I only shared the links. You're taking something I did out of boredom and making it quite serious for no other reason than to be right on the internet, which is fine if that's how you feel, but I'm not sure what you think is gained by arguing with me about it. Especially considering the majority of the article discusses the backend of the page and its behaviors. If you're taking issue with a few lines at the end of the page, then duly noted.

Edmond Major III • Edited

The internet is srs bizness. I'm just pointing out what I found VS you.

Cheers

Antoinette Maria

And I appreciate your addition. Thank you.

Antoinette Maria • Edited

Also, I will update my article with your additions. However, I should mention that perhaps it would be in your best interest not to approach people with hostility when trying to present an opposing viewpoint. It immediately puts people on the defensive and invalidates anything you want to share, no matter how relevant. This exchange could have gone differently. Just food for thought. Unless you just like fighting with people, in which case, do you.

rkfg

On top of that, the "hardcoded comments" part confuses me. It's not obvious at all; the HTML could be generated on the server. SPAs exist, but there are also a lot of classic websites that are generated on the fly without any AJAX. I would say it's probably a static page, but that's not always true, and without extensive research it couldn't be assumed.

Kim Arnett 

Awesome! Thanks for clicking so we don't have to, lol.
Very interesting that they target Internet Explorer explicitly. Scary though.

Jess Lee

I think a lot of non-technical people use IE since it comes prepackaged. My mom is probably still on IE 8... :(

Kim Arnett 

Yeah, I imagine there's still a broad audience for it. At least it's not being shipped out anymore. Its cousin Edge is. lol. Oye.

Antoinette Maria

I thought you get both Edge and IE now. I believe they're on IE 11 now.

Kim Arnett 

Oh for the love of.. 😭

Edmond Major III • Edited

It's legit whois info imo.

Guy owns a bunch of other similar domains: domainbigdata.com/gmail.com/mj/yZ_...
cutestat.com/email/mfaisal630-gmai...

For instance, check out bestbuyfree.us. It's using the exact same script as the Delta Airlines free ticket one.

Antoinette Maria

I know. Attribution is so terribly difficult given how easy it is to mask your identity online. I just thought it was a cool thing to find in the WHOIS. A lot of the time, they either pay to have it hidden or use a shell company of some kind.

Ben Halpern

Lol at randomuser.me

That's glorious 😂

chrism

Cool article, this stuff fascinates me. I have seen some posing as discount Oakley and RayBan sites that somehow propagate through Facebook without the user knowing. I have gotten a few invites from friends to "Come to my sunglass party!", but when I contact them they have no knowledge of it. One of these days I might do some investigating myself, but it seems like it's probably a similar scenario to this one.

Musale Martin

Haha, this is hilarious. I have sniffed through some scammer code before but never went to the lengths of analyzing my network traffic etc... Great stuff!

Mike Cripps

Nice detective work!

Dimitri Acosta • Edited

Maybe this guy was making money, but why is he tracking information about people's browser, OS and mouse? I don't believe it is truly harmless.

Hannah Masila

Woow, this is beautiful. Can't wait to share it

Jess Lee

Those photos 👌
Can't wait to share this with my friends who get tricked into this stuff!