Attackers on Facebook are continually taking advantage of new ways to get their content onto a user’s wallpost, in order to further propagate their scams. Recently, we came across yet another interesting scam, this one offering a free official t-shirt as a gift on the occasion of Facebook’s 7th birthday celebration. At first, this scam looked like any other, but after further analysis I realized that this scam takes advantage of mobile email uploads. Facebook provides user’s with a unique email address as a convenient means of uploading content from mobile devices. Here is what the scam message looks like:
If you click on the link, you will be taken to a page offering the fake free t-shirts, as can be seen in the following screenshot:
The page provides a button to click for redeeming the t-shirt and also displays a counter showing how many additional shirts remain in stock. If you navigate the ‘Click Here’ button, you will be taken to the following page, which can be seen below:
Take a look at the instructions mentioned on the page. They instruct the victim to copy an email address which can be found at “www.facebook.com/mobile” and paste it into a field on the scam page, in order to verify that the user belongs to Facebook.
When logged into Facebook, the email address displayed at www.facebook.com/mobile is a unique email address that a user can leverage to post status updates or send photos and videos straight to their profile. If someone has access to this email address, they can directly upload content to a user’s profile, without their knowledge. The Facebook mobile page displaying directions for using the unique email address can be seen below:
This is yet another trick used by scammers to gain access to your profile. Once a victim copies/pastes that email address, they will be taken to the page where the scam site will then ask them to complete surveys such as the one shown below:
The surveys represent the monetary component of the scam as the attackers are rewarded with a few cents every time a survey is completed. This is a common technique used in Facebook scams. The interesting component of this attack remains the social engineering used to obtain a victim’s personal email address, for uploading content from a mobile device. Once an attacker has that address, they have full write access to a victim’s profile and can use it to further propagate scams for monetary gain.
The cat and mouse game between Facebook and scammers continues. This time around, cleanup isn’t as simple as deleting a post from the victim’s profile. In this case, Facebook will have to force victims to change or reset affected email addresses to prevent further posts from the scammers.
Never share your personalized unique email address with anyone.
Leave a reply