Free Rolling Stones tickets? No, it’s a Facebook scam

Filed Under: Data loss, Facebook, Featured, Security threats, Social networks

Are you a Rolling Stones fan?

Lots of people are, and with gigs on the Stones' 2014 tour selling out in hours, you can understand why websites and competitions offering free tickets might seem worth clicking through to.

After all, even if the competition ends up being a load of hot air, or the website does nothing more than offer to enter you into a lucky draw if you purchase a product or service...

...what harm could be done?

Surely it's no riskier than visiting, say, an airline website in the hope of being one of the lucky travellers who gets to buy a $99 ticket for $9?

After all, in the airline case, you probably aren't going to get one of the $9 tickets; they'll all be sold out.

If you don't get to travel for $9, you have to decide whether you want to pay $99 anyway, or wait and try for a cheap ticket some other time.

Of course, there's no cost, and no real risk, in trying: the airline gets you onto its website, which is a small net win for it, even if you don't buy anything; and you get a small chance of scoring cheap travel, or perhaps some other bargain you didn't know about.

Not all special offers are safe

But not all "special offer" sites are made alike, as an anonymous Rolling Stones fan alerted us today.

(She's a Naked Security fan, too. It's Only Chips and Code, but We Like It.)

In her Facebook group, where a bunch of Stones fans hang out, a post had been shared looking like this:

She presumed it was a scam of some sort, and she was right, but she wanted us to look into it and explain how a reader could tell.

Here's what you get if you follow the link:

The good news is that you can tell it's a scam already, because of the pre-requisite:

You can't recommend something that hasn't been explained to you yet.

I'll repeat that, even though it seems like a truism.

You can't recommend something that hasn't been explained to you yet.

So it's even worse to recommend something as a pre-requisite to finding out what it is.

Imagine signing a contract in order to find out what it was you just signed.

That would be reckless and absurd, wouldn't it?

So, in a case like this, you don't need to go any further to work out whether this is a scam - the website told you all by itself.

Of course, if you do look more closely, you'll notice things like:

• For a very limited time we are giving away free tickets.

Just how limited is that timeframe, do you think?

Or are you going to find, after you've told all your friends what a great site this is, that you're too late?

• The processing of your informations [sic] usually takes 3-5 business days.

For a company claiming to be from the UK, that's an unlikely grammatical error (information is a mass noun - it doesn't need or have a plural form).

But it should strike up a bigger warning than merely that the author isn't fluent in English: you're going to be asked for those "informations," which almost certainly means you'll be handing over at least some PII (Personally Identifiable Information).

• Don't hesitate to contact us under [sic] giveaway@rollingstones.com

Another curious usage in English (under is not a preposition usually used with contact), and an even more curious email address that gives the impression of connecting this site with the Stones' official web property, rollingstones.com.

Not that you can click on that email address: it's made to look like a link, but it's only there for appearances.
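A small checker, added here as an illustration (it is not from the original article or from Sophos), that applies the tells the article walks through to a constructed copy of such a page: a contact address displayed as text but not a mailto: link, a contact domain that differs from the host actually serving the page, and a share/recommend step demanded before the offer is explained. The sample URL and HTML are constructed stand-ins, not the real scam page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a displayed e-mail address; group 1 = whole address, group 2 = its domain.
EMAIL = re.compile(r"([\w.+-]+@([\w-]+(?:\.[\w-]+)+))")
# "Recommend this page to your friends to see how to claim" style gating.
GATING = re.compile(r"\b(share|recommend)\b.{0,80}\b(before|to (see|continue|enter|find out))\b", re.I | re.S)

class _Walker(HTMLParser):
    """Collects every href and all visible text from a page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
    def handle_data(self, data):
        self.text.append(data)

def scam_indicators(page_url, html):
    """Return the sorted list of indicators found on the page (empty = nothing flagged)."""
    w = _Walker()
    w.feed(html)
    flat = " ".join(w.text)
    host = (urlparse(page_url).hostname or "").lower()
    mailtos = {h[len("mailto:"):].lower() for h in w.hrefs if h.lower().startswith("mailto:")}
    found = set()
    for addr, domain in EMAIL.findall(flat):
        if addr.lower() not in mailtos:           # looks like a link, isn't one
            found.add("email address shown as text, not a mailto: link")
        d = domain.lower()
        if host != d and not host.endswith("." + d):   # borrowed someone else's brand
            found.add("contact email domain does not match page host")
    if GATING.search(flat):
        found.add("sharing required before the offer is explained")
    return sorted(found)

# Constructed sample page (hypothetical host, not the real scam site).
SAMPLE_URL = "http://free-tickets.example/stones"
SAMPLE_HTML = """<html><body>
<h1>Free Rolling Stones tickets!</h1>
<p>For a very limited time we are giving away free tickets.</p>
<p>Step 1: <b>Recommend</b> this page to your friends to see how to claim.</p>
<p>Don't hesitate to contact us under <span class="link">giveaway@rollingstones.com</span></p>
<p><a href="mailto:help@free-tickets.example">help@free-tickets.example</a></p>
</body></html>"""

if __name__ == "__main__":
    print(scam_indicators(SAMPLE_URL, SAMPLE_HTML))
```

The second, genuinely clickable address on the sample page is not flagged, which shows the checks are about mismatch and gating rather than the mere presence of an e-mail address.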

By the way, SophosLabs took a look behind the scenes and found that the same "special offer" server is also targeting the younger crowd, with a claim of free tickets for One Direction, and dance fans, who are being offered tickets for Tomorrowland 2014.

What happens next?

The obvious question is, "What happens next?"

The way to answer that question is: it doesn't matter.

You already know it's a scam, so follow this simple advice: don't try, don't buy, don't reply.

Stay away, don't click, don't like, don't share.

I can't tell you whether this site will take you to an exploit page, or try to foist malware on you, because I'm simply not willing to share it in the first place to go any further.

Remember that sharing a site that you haven't seen yet, especially to enter a competition under terms that haven't been disclosed, is not just reckless and absurd - it hurts your friends, too.

Friends are more likely to click links you recommend precisely because they're your friends.

So don't diminish that friendship by helping a scammer to get in your friends' faces!

PS. Having said that "it doesn't matter" what comes next, I'll say that a lot of scams of this sort are what's called bait-and-switch.

The bait could be a free iPad, a holiday, or a Rolling Stones ticket; the switch is often some kind of survey or special offer that involves you filling in a form and the scammer earning some referral revenue.

At the end, the bait usually vanishes altogether, or there's a prize draw with one iPad shared amongst everyone who entered, or the offer isn't available in your area, so sorry.

Here's a video showing a typical bait-and-switch based on a free iPhone:

And, for a bit of fun, here's a video, made in 2010, for which we went to Raffles Place in Singapore one lunchtime, and asked people whether they'd click a link just because it promised a free iPad or iPhone.

(The iPhone 4 is mentioned in the video as a tempting bait because it was just being launched, so lots of people wanted one.)



About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog