Anatomy of a free Starbucks gift card scam

Filed Under: Facebook, Malware, Social networks, SophosLabs, Spam, Vulnerability

One trait that I have developed since I started with Sophos is being calm under pressure. During virus and spam outbreaks, analysts need to keep their nerve to analyze the situation and deal with the new threat. So I didn't expect to be surprised by my friends' actions on Facebook this past weekend.

It started innocently enough, as a post about getting a free $25 Starbucks gift card for joining a particular group. The first person from my friends list to join the group happens to work for a non-profit organization helping young people. So I expected the young people on his "friends list" to join this group shortly.

Looking at the page, my instincts told me that something was amiss when the description (on the bottom left) said:

"This is not a scam, we are merely trying to get people to go to Starbucks. We are trying to see what coffee people purchase" (my emphasis added). The words "This is not a scam" ring loudly in my head. Isn't the same phrase used in many Nigerian/419 scams? Usually, the only people who have to assure others that they're not scamming are actual scammers.

Moving on to the "News" portion, where the instructions are posted, it is a little horrifying to know that someone actually went through the steps below:

To paraphrase Step 4, it says: "Erase everything in your address bar, copy and paste the code below, and press enter". Now, this is not just any URL, it's full-fledged JavaScript code. The code on the page did what it claimed, which is to "simply highlight all your friends for the 'invitation'". However, given the amount of malicious JavaScript out there, such as the prevalent Troj/JSRedir-AR and Troj/JSRedir-AK, it is disconcerting to know that there are people willing to enter JavaScript of unknown origin into their browser. Imagine what would happen if the script started installing a FakeAV or doing other nasty deeds to their computer.

This brings us to object lesson #1 in this case:

One should not execute unknown JavaScript

As if running unknown JavaScript were not bad enough, the group owner is not done yet! Step 6 asks users to go to the "official site" and follow the instructions. The site looks like this:

The "last step" is to enter Personally Identifiable Information (PII) such as name and full address. Some of my friends started to question the scheme by this point, yet others happily gave their information away, which brings us to object lesson #2:

Do not give away your Personally Identifiable Information online

Now, what does the group/site owner have to gain from this scheme? By clicking submit, the PII is sent to a marketing company called cpalead, which we have seen before. The group/site owner gets a few cents every time someone gives up their personal information. So clearly the owner is profiting from this.

As for the poor users (and my poor friends) who submitted their information? They will probably never see a Starbucks card arriving in their mail. What's more likely is that their information will be sold off to the highest bidder for more "marketing" in the future.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 100,000 people regularly share information on threats and discuss the latest security news.


2 Responses to Anatomy of a free Starbucks gift card scam

  1. Sarav · 1068 days ago

    May I know which browsers are affected?

  2. Ryan · 1034 days ago

    So, I figured that it was a scam as I put in my email...What does that mean for me?
