X-Labs
July 25, 2011

Facebook scams aiming to profit from recent tragedies in Norway and Amy Winehouse's death

Elad Sharf Security Researcher

The tragic events that occurred at the end of last week, the Norway attacks and the sudden death of British singer Amy Winehouse, resulted in some unwanted scam activity in cyberspace. Websense Security Labs™ and the Websense ThreatSeeker® Network have detected that scams pretending to offer a "look at footage of Amy Winehouse just moments after her death," and scams of a similar nature, are now propagating on Facebook. This type of scam is a "survey scam," where users are lured into completing a survey and, in return, are promised an "exclusive" video or footage. Each completed survey puts some money in the scammer's pockets, and users who complete the surveys are never shown the promised videos or footage.

This is how this scam looks on Facebook: 

 

  

The scam leads to a survey page: 

Scams taking advantage of the tragic Norway attacks surfaced this weekend, but these scams appear to have been cleaned out by Facebook: 

 

Facebook Scams - an Ongoing Phenomenon 

Survey scams on Facebook are an ongoing phenomenon. They are not limited to a single news event (tragic or not) or a single domain. The scammers keep track of current news events and try to lure Facebook users by any means possible. Here is a snapshot of some domains affected by these scams, which were propagating via Facebook at the time this blog was being written. They pop up like mushrooms after the rain and share similarities, such as lures that all seem to be built from the same toolkit or application skeleton. This is a similar phenomenon to what we blogged on in the past. Anybody can get his or her hands on those "template" applications and create Facebook threats in minutes. Here are some examples of threats dominating Facebook at the moment that use the same skeleton or toolkit mentioned earlier:

 

Scam: "This Is What Happens When Ex Girlfriend Forgets To Turn Off Her Webcam!!!"

 

Scam [translated from Italian]: "Boy Betrays His Girlfriend and Accidentally Puts the Video on Facebook" ["Ragazzo tradisce la propria ragazza con una Mora da paura e mette per sbaglio il video su FACEBOOK. ASSOLUTAMENTE DA VEDERE"]

 

Scam: "R4p3d g1rl 1n th3 sch00l bathroom - Sh0cking Video"

 

Scam: "FATHER gets TOTALLY Embarrassed after entering Daughters Room"

 

Scam: "Look what he did to his Ex Girlfriend!"

 

Scam Threats on Facebook Spread Swiftly

All the threats illustrated above are happening on Facebook NOW, at the time this was being written. The next image is an example that shows how many users are actually falling for the "Look what he did to his Ex Girlfriend!" scam. Taken together, the threats mentioned above are propagating onto users' home pages every second or less:

 

ThreatSeeker Network on the Prowl

This is a snapshot from our internal ThreatSeeker Network portal showing a slice of the hostnames that the network detected that match the above profile. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

The Threats' Locations - a Geographical Breakdown

The different threats that we covered in this blog each have a location, and you might wonder where that is. The locations aren't limited to one country but span several; the next pie chart shows the location breakdown of all the scams we mentioned earlier. Remember, all the mentioned scams have commonalities and use the same toolkit or skeleton to create the viral pages. The locations vary because a number of cyber criminals are creating different viral pages that are based on the same toolkit/skeleton:

 

Top Hosting Countries:

United States 

Netherlands

Canada

 
