
Zscaler Blog

Security Research

Facebook Free T-shirt Scams Take Advantage Of Email Upload

THREATLABZ
September 13, 2011 - 3 min read
Attackers on Facebook are continually finding new ways to get their content onto a user's wall in order to propagate their scams further. Recently, we came across yet another interesting scam, this one offering a free official t-shirt as a gift on the occasion of Facebook's 7th birthday celebration. At first, this scam looked like any other, but after further analysis I realized that it takes advantage of mobile email uploads. Facebook provides users with a unique email address as a convenient means of uploading content from mobile devices. Here is what the scam message looks like:

Image

If you click on the link, you will be taken to a page offering the fake free t-shirts, as can be seen in the following screenshot:

Image

The page provides a button to click for redeeming the t-shirt and also displays a counter showing how many shirts remain in stock. Clicking the 'Click Here' button takes you to the following page:

Image

Take a look at the instructions on the page. They tell the victim to copy the email address shown at "www.facebook.com/mobile" and paste it into a field on the scam page, supposedly to verify that the user belongs to Facebook.

Mobile Upload:

When logged into Facebook, the email address displayed at www.facebook.com/mobile is a unique address that a user can use to post status updates or send photos and videos straight to their profile. Anyone who knows this address can upload content directly to the user's profile without their knowledge; the address is effectively a credential. The Facebook mobile page with directions for using the unique email address can be seen below:

Image

This is yet another trick used by scammers to gain access to your profile. Once a victim copies and pastes that email address, they are taken to a page where the scam site asks them to complete surveys such as the one shown below:

Image

The surveys are the monetary component of the scam: the attackers are paid a few cents every time a survey is completed. This is a common technique in Facebook scams. The interesting part of this attack is the social engineering used to obtain the victim's personal mobile-upload email address. Once an attacker has that address, they have full write access to the victim's profile and can use it to propagate further scams for monetary gain.

The cat and mouse game between Facebook and scammers continues. This time around, cleanup isn't as simple as deleting a post from the victim's profile: Facebook will have to force affected victims to change or reset their upload email addresses to prevent further posts from the scammers.

Never share your personalized unique email address with anyone.

Umesh
