From time to time the Websense® ThreatSeeker® Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site.
With the holiday shopping season here, it appears that cybercrooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands such as Walmart, Asda, Visa, Best Buy, Apple and others. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were used as part of the cybercriminals' scam infrastructure. Read on for details.
The scam varies in appearance, is geolocation aware, and serves content based on the location of the victim. Potential victims are enticed with videos and free shopping vouchers. Here are some examples of how it might look in a Facebook news feed:
The scam in a Facebook news feed
What happens when a scam post is clicked?
When a scam link is clicked in the news feed, the victim is redirected to a fake Facebook page that hosts a fake video that pretends to show the "Fail Blog Daily Video." A clickjacking technique is employed on the page so that when the victim clicks on the video's play button, it results in one of two outcomes:
1. A browser popup is launched and the victim is asked to "Like" a certain scam post. This is done to propagate the scam further because liking it causes it to appear on the victim's news feed.
(Click here to see what it looks like; a new browser window will open.)
2. The victim is redirected to fake video page that uses the CPA advertising method to "unlock" what is supposedly a YouTube video.
(Click here to see what it looks like; a new browser window will open.)
This isn't the end, though. The page also has a timeout mechanism. If the victim doesn't play the video they are greeted with a "Merry Christmas!" message and are redirected to a fake Facebook page offering some fake free vouchers. In the following example, some fake Asda vouchers are offered:
The scam is geolocation aware:
Here is a scam page offering some free vouchers from Asda. This particular page is desgined for UK-based visitors:
This scam page offers vouchers and rewards from Walmart, Best Buy and Visa. This particular page is desgined for US-based visitors:
This scam page offers vouchers and rewards from Walmart and American Express. This particular page is designed for US-based visitors:
As mentioned, the scam comes in many variations and piggybacks on the reputation of many well-known brands. Let's have a look at the example from above that piggybacks on Asda. The fake voucher page for Asda takes the victim through the scam step by step. First, in order to get the free voucher the victim has to share the voucher in their Facebook profile. Second, the victim must publish the comment "Thanks Asda!" to support the scam. Lastly, the user must click the Like button, which is a scam link.
After the victim completes the steps, their Facebook news feed includes the fake voucher scam and they are redirected to a legitimate website at new.activeyou.co.uk that gives out prizes and supports an affiliate program. The way this works is that any user coming to the site -- thanks to a certain affiliate -- and who participates, earns the affiliate some money; there is no free voucher after all. The affiliate here obviously engages in illegal methods to advertise and generate traffic to a website that earns them money. The affiliate ID is seen in the next image, marked in red in the URL where it states affid.
No free vouchers after all:
The scam infrastructure and intelligence: accounts on Afraid.org as doorways
Websense's partnership with Facebook alerts us and invites us to assist Facebook in mitigating such scams using Websense ACE. We released this blog because we saw a spike in our data feeds and a rather large number of different URLs that are used for scam purposes that have a relation to each other. We think that Facebook is doing a good job of cleaning up and removing posts related to this scam.
We spotted more than 3,000 unique URLs used for this scam on Facebook. The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.
The scam peak as seen by the ThreatSeeker Network. This plots the number of new hosts seen hosting the scam vs. the number of active hosts using this scam.
One of the most interesting findings is that most of the scam hosts used in the attack use the DNS servers of the free service at freedns.afraid.org. Essentially we found that all the name-server records used by websites involved in the attack use Afraid.org DNS server and point to ns1.afraid.org (see illustration below)
freedns.afraid.org is a free service that offers domain owners free DNS services. For example, a domain owner can use the DNS servers of freedns.afraid.org and have them point to their website's IP address. freedns.afraid.org also allows users to manage those free DNS services via an account. It allows account holders to add various subdomains to their main domain and optionally point those new websites to different IP addresses. For example, if John Doe owns johndoe.com on IP address x.x.x.x, he can go to freedns.afraid.org, create an account, and use their DNS servers to point to their website IP address at x.x.x.x. On top of that, John can easily add DNS records to subdomains of his main website (johndoe.com) via his account at freedns.afraid.org. At his option, John can have those subdomains (that essentially represent different web sites) point to different IP addresses. So, for example, John can use his DNS account with freedns.afraid.org to have johnsfriend.johndoe.com point to y.y.y.y.
Scam host example and its DNS record: 91037997396662norryyoutubecomplay10pegahihypupegahihypu.opbco.web74.net
In this attack, accounts/hosts on freedns.afraid.org have been used to serve scams URLs by pointing subdomains of legitimate hosts to the attackers' infrastructure. If we examine some of the scam hosts involved in the attack, we can see that they point to a different IP address than the one used at the host level. Websites at the host level vary in purpose and appear to be legitimate. We verified that this pattern is consistent with all of the approximately 3000 instances that we found involved in the attack. In the next example, we present an example scam URL that is used for the scam that is hosted on an IP address that cybercriminals are using to host the scam (126.96.36.199), while the host is hosted on a different IP address that hosts a legitimate website (188.8.131.52), in this case a personal cooking blog. Looking at other websites hosted on the offending 184.108.40.206 reveals more scam websites:
urbancooking.net appears to be a personal blog about cooking:
Exploring other websites hosted on the offending 220.127.116.11 reveals more scam websites:
Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam websites:
We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong. We're going to keep an eye on events related to this attack and keep you in the loop.
Also, we would also like to take this opportunity to wish you a merry and cybersafe holiday season.