One of the most recent fake advertisements announces free gift cards for one of the most popular coffeehouses worldwide. But, instead of a coupon, participants are likely to receive malware that infects their computer!
The fake campaign is spreading via Facebook walls around the globe. The texts used in the announcements are in English, which increases the chance that a large number of Facebook users accept the “bait message”.
Starbucks was already used in a similar campaign last year, and the company warned its customers via its official Twitter account not to believe such fake advertisements.
The campaign’s main page has a quite simple design that follows the social network’s style. Users are required to share the post on their own wall (Step 1) and then click the presented “Like” button (Final Step). The “Like” button cannot be clicked before Step 1 is completed.
A click starts a redirect chain and opens a pop-up window, suggesting the user is a “winner today” and only needs to choose one of the upcoming prizes. We have seen this pop-up in various languages, and all of them were translated quite poorly, most probably with an automatic translation program. The same goes for the websites that open after the “OK” click. The language is determined by a geolocation lookup of the visitor’s IP address.
You might now choose between several tech gadgets or other luxury goods… the scamsters suggest. The original offer, the Starbucks gift card, is no longer an issue! Have a look at other prize websites: German 1, German 2, French and Russian.
All of these sites have a timer embedded, which suggests that the visitor can only receive the prize if he/she chooses fast enough, before the seconds run out. We doubt it: nobody will receive anything, ever, no matter how fast they click.
The infection
One of the many (quiz) websites visited actually included JavaScript code our scanners detected as JS:ScriptPE-inf [Trj]. This is a generic detection for JavaScript files containing encoded iFrame links to, for example, malicious sites. In other words, one of the webpages visited included such obfuscated JavaScript and could have led us to any other webpage with malicious content, phishing scams, more quizzes, pay-per-click ads or similar.
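The following added example, which is not the scanner's own logic and not code from the campaign, shows how a static check can surface an iframe link hidden behind an encoding without running the script. It assumes two common encodings (percent escapes passed to unescape() and String.fromCharCode() lists); the function names and sample scripts are constructed for illustration, and the .invalid hosts never resolve.

```javascript
// Added example: static check for script text that hides an <iframe> behind
// percent-encoding or String.fromCharCode(). All names here are hypothetical.
const NUM = "(?:0x[0-9a-fA-F]+|\\d+)";
const FCC_RE = new RegExp(`String\\.fromCharCode\\(\\s*(${NUM}(?:\\s*,\\s*${NUM})*)\\s*\\)`, "g");
const STR_RE = /(["'])((?:(?!\1)[^\\\n]|\\.)*)\1/g;
const ESC_RE = /%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})/;
const IFRAME_RE = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Decode %XX and %uXXXX escapes in one pass, as the legacy unescape() does.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Collect the strings that can be recovered from the script without executing it.
function decodedLayers(script) {
  const out = [];
  // String literals that contain at least one percent escape.
  for (const m of script.matchAll(STR_RE)) {
    if (ESC_RE.test(m[2])) out.push(decodePercent(m[2]));
  }
  // String.fromCharCode(60, 0x69, ...) calls with numeric literals only.
  for (const m of script.matchAll(FCC_RE)) {
    const codes = m[1].split(",").map(t => Number(t.trim()));
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Return the src of every iframe that only becomes visible after decoding.
function findHiddenIframes(script) {
  const hits = [];
  for (const layer of decodedLayers(script)) {
    for (const m of layer.matchAll(IFRAME_RE)) hits.push(m[1]);
  }
  return hits;
}

// Constructed samples, not taken from the campaign.
const SAMPLE_ENCODED =
  'document.write(unescape("%3Ciframe%20src%3D%22http%3A//quiz.example.invalid/p%22%20width%3D0%3E%3C/iframe%3E"));';
const SAMPLE_CHARCODE =
  "document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,97,46,105,110,118,97,108,105,100,39,62));";
const SAMPLE_BENIGN = 'var pct = "50% off"; document.title = "Coffee";';

console.log(findHiddenIframes(SAMPLE_ENCODED), findHiddenIframes(SAMPLE_CHARCODE));
```

A script that nests several encodings or builds the string at run time will not be caught by a single static pass like this one.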
What happens if you choose a prize and follow the instructions?
Choosing one of the offers described above will initially lead to quizzes or smaller exercises, depending on the website. But, in the end, you will always be asked for your personal information to verify the participation. Anyone who actually gives away details like name, address, email address, phone number etc. will very likely become a victim of spam campaigns and/or any kind of scam and fraud. Reading the shortened Terms and Conditions below the address fields already hints at the potential for misuse of your data, but those texts are often ignored by users.
As reported, we have seen various quiz sites. Some of them ask for a bunch of personal data and some of them only for your mobile phone number. As soon as you enter your phone number, you are about to accept a subscription with high costs of €4.99 per week (in Germany). Even though the costs are visible on those mobile quiz pages, we doubt that every visitor actually notices the text and therefore might fall victim to a subscription he/she did not want.
We also encountered a case in which, after the initial pick of a tech gadget, the offers did not cease at all. We had the chance to sign up for language classes; get a free (!) pre-paid credit card for a yearly fee (!); we actually won a luxury car or €15,000 cash and had multiple chances to sign up for newsletters, home shopping catalogues or tourist information services. Each and every offer required the input of personal data, of course, or even bank account details!
Other, similar scams
During the research, we found at least two other topics the scamsters currently use to lure their victims: another $100 Starbucks gift card, a $250 Olive Garden gift card and Dr. Dre Beats headphones. Apart from the different topics, it’s the same shady deal, the same simple design and the same domain registrar. The topics and baits used will change constantly, because the scamsters try to avoid being blacklisted on content-based blacklists.
What you can do