Gift card mania: Fake Starbucks gift cards spreading on Facebook can lead to malware

02/23/2012
G DATA Blog

One of the most recent fake advertisements announces free gift cards for one of the most popular coffeehouses worldwide. But, instead of a coupon, participants are likely to receive malware that infects their computer!

The fake campaign is spreading via Facebook walls around the globe. The texts used in the announcements are English, which increases the chance that a large number of Facebook users accept the “bait message”.

Starbucks has been used in a similar campaign already last year and they warned their customers not to believe such a fake advertisement, via their official Twitter account.

The campaign’s main page comes along in a quite simple design, following the social network’s style. Users are required to share the post on their own wall (Step 1) and then click the presented “Like” Button (Final Step). You can't click the "Like" button before clicking Step 1.



A click starts a redirect chain and opens a pop-up window, suggesting the user is a "winner today” and only needs to choose one of the upcoming prizes. We have seen this pop-up in various languages and all of them were translated quite poorly – most probably with an automatic translation program. The same goes for the websites opening after the “OK” click. The language is determined by a geo lookup of the IP the website visitor has.



You might now choose between several tech gadgets or other luxury goods… the scamsters suggest. The original offer, the Starbucks gift card, is no longer an issue! Have a look at other prize websites: German 1, German 2, French and Russian.
All of these sites have a timer embedded, which suggests, that the visitor can only receive the prize if he/she chooses fast enough, before the seconds run out. We doubt it – Nobody will receive anything, ever, no matter how fast you click.

The infection
One of the many (quiz) websites visited actually included JavaScript code our scanners detected as JS:ScriptPE-inf [Trj]. This is a generic detection for JavaScript files with encoded iFrame links to e.g. malicious sites. This means: one of the webpages visited included such an obfuscated JavaScript and could have lead us to any other webpage with either malicious content, phishing scam, more quizzes, pay-per-click ads or similar.

What happens if you choose a prize and follow the instructions?
Choosing one of the offers described above will initially lead to quizzes or smaller exercises, depending on the website. But, in the end, you will always be asked for your personal information to verify the participation. If one actually gives away details like name, address, email address, phone number etc. one will be very likely become a victim of spam campaigns and/or any kind of scam and fraud. Reading the shortened Terms and Conditions below the address fields already hint at the possible potential for misuse of your data, but those texts are often ignored by users.

As reported, we have seen various quiz sites. Some of them ask for a bunch of personal data and some of them only for your mobile phone number. As soon as you enter your phone number, you are about to accept a subscription with high costs of €4.99 per week (in Germany). Even though the costs are visible on those mobile quiz pages, we doubt that every visitor actually notices the text and therefore might fall victim to a subscription he/she did not want.

We also encountered a case in which, after the initial pick of a tech gadget, the offers did not cease at all. We had the chance to sign up for language classes; get a free (!) pre-paid credit card for a yearly fee (!); we actually won a luxury car or €15,000 cash and had multiple chances to sign up for newsletters, home shopping catalogues or tourist information services. Each and every offer required the input of personal data, of course, or even bank account details!

Other, similar scams
During the research, we found at least two other topics the scamster currently use to lure their victims: Another $100 Starbucks gift card, a $250 Olive Garden gift card and Dr. Dre Beats Headphones. Apart from the different topics, it’s the same shady deal, the same simple design and the same domain registrar. The topics and baits used will change constantly, because the scamsters try to avoid being blacklisted on content-based blacklists.

What you can do

  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, http scan and real-time protection. A spam filter, to get rid of unwanted spam, is a must-have, too.
  • Do not enter your data on any of these websites! The data collectors will use this for further fraud and probably also sell the information to other crooks!
  • Do not click on links or download files if you received a message from a foreigner. The websites and files might harm your PC. Even if the message comes from a friend, but looks different from usual messages, you better ask him and reassure yourself that he willingly sent you this message.
  • Do not surf the Internet while you are logged in to services like social networks simultaneously in the same browser. Fraudsters can manipulate your browser session and use your social network account to spread unwanted messages, etc.
  • Always log-out after your visit in social networks. Especially if the computer you are using is used by several other people or is a public machine, e.g. in universities, internet cafés, etc.
  • If you have fallen victim to this scam and shared the link on your Facebook wall, delete it as soon as possible! Otherwise, your friends might be tempted to click it and therefore share it as well.