Advanced attacks using Facebook

This scam appeared over the summer targeting Canadians with an offer from a popular major brewery.

When it comes to cybercrime, people often think of sketchy e-mails filled with typos or robot-voices on their phones. However, criminals are increasingly looking beyond traditional sources and turning to sites like Facebook and Twitter to steal personal information and spread scams. 

Over the past few weeks, the Beauceron Security team became aware of a fake advertising campaign for a major Canadian brewery, spreading via so-called viral marketing. 

The campaign was targeting Canadians in the peak of hot summer weather with a tempting offer: free beer in celebration of the brewer’s supposed 200th anniversary. The social media posts appeared in Facebook users’ timelines and included text, supposedly from a Facebook friend, stating 'Thanks for my beer'. 

A close inspection of the link in the post included the name of the brewery, Molson, and the website

Stealing social credibility

Further investigation revealed that the scam had users complete a questionnaire about the beer, and then asked them to share the contest on their social media account. 

To take the quiz, users were asked to log into their Facebook account and then to share it. Through the quiz, the criminals attempt to gather personally identifiable information. 

In addition to attempting to gather personal information that could be used in highly targeted social engineering attacks, such as e-mail based phishing, text messaging or even phone scams, the criminals added text whenever a user shared the post. This made it look like the individual who shared it had actually won something, making it more likely that their friends would click on it and fall victim as well. 

From free beer to free flights and royal weddings

As we investigated the scam further we discovered a similar scam re-using the same code as the beer scam to offer supposedly free flight tickets on a major Canadian airline. Unfortunately for the scammers, they forgot to change the automated 'Thanks for my beer' text add-in, which made the free airline ticket scam pretty easy to spot. 

Another example of a social media powered scam occurred during the royal wedding between Prince Harry and Meghan Markle. A seemingly innocent post was circulating asking users to determine their “Royal name” by commenting their Grandmother/Grandfather’s first name, their mother’s maiden name, “Of” followed by the name of the street they grew up on. 

All of these questions, of course, are used as typical account recovery questions for virtually any secure website.

Beyond phishing scams

The evolution of social engineering scams is accelerating, and the crafters of these scams are helping themselves to better tools and resources to get closer to the people they’re trying to target. 

In this case for example, malicious actors are using the opportunity to lure people in with free beer in the middle of a hot summer. 

Gone are the days where a Nigerian prince needs you to send $100,000 to his offshore account so he can release $1 million to you. Today’s advanced social engineering attacks have evolved into smaller, specifically targeted attacks that make use of more effective lures. 

This trend of micro-targeted social engineering is growing within social media sites. Criminals have taken lessons learned from successful advertising and political campaigns and applied them to the realm of cybercrime. 


People: the best line of defense

There’s no technology-based defense against a well-targeted social engineering campaign delivered through social media. 

The first, best and most effective line of defense is people. 

Before clicking like, before sharing, before logging in with your social media account to any game, survey, quiz or contest, follow these steps:

  1. Stop, think and consider. Is this offer too good to be true? If it looks that way, it probably is. 
  2. Check the real website of the firm supposedly behind the contest. See if there’s information about this contest. Chat with them on social media. If it’s a scam, you’ll be helping alert the firm to the fake campaign. 
  3. Be careful what personal information you provide to any quiz, survey or contest. Information that may seem harmless, once combined with other known facts about you, can be used against you. 
  4. If you did click on the link using an organizational device, contact your organization's IT team to let them know so they can help investigate whether your accounts may have been compromised or your devices infected with malware.

Contributed by Ian MacMillan, Beauceron's Chief Experience Officer and a co-founder.