Malaysia Airlines MH370 Used as a Lure in Facebook-Themed Scams
The Websense® ThreatSeeker® Intelligence Cloud has observed Facebook-themed scams using news of the missing Malaysia Airlines MH370 flight as a lure. Legitimate news sources report that on March 8, 2014, the plane went missing over the South China Sea.
The lure websites have been configured to look like a legitimate Facebook page, complete with a sharing button, suitable graphics, and relevant links.
Should users browse to the lure website, they are presented with a series of dialogue boxes, which eventually lead to a Facebook popup supposedly referencing a Yahoo! News article. We shall walk through an example of a user interacting with such a website.
Figure 1: The relevant lure title is displayed to the user, yet when attempting to close an unrelated dialogue box, the user is directed to "Please Share Us on Facebook To Close."
Figure 2: The user is then encouraged to share the link. Should the user click the link while logged on to Facebook, a share action occurs, thus spreading the threat further.
Figure 3: The user is then presented with another page showing a YouTube video overlaid with a further request to interact by taking a short test.
Thus, we identify the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This is certainly not a new idea, as our previous blogs show.
When we review our telemetry, we observe that the registrant responsible for this timely scam has also been responsible for Facebook-themed lures as far back as December 2012.
Other websites hosting the fake news include:
Websense customers are protected with ACE™, our Advanced Classification Engine. Specific attributes which triggered our analytics include domains registered between 12 and 25 days ago, which are now being used to host the fake video lures, and the association to the past CPA ecosystem.
A sample ACE Insight report showing the protection offered is available here: http://csi.websense.com/Report/Index/6eb049c1-7d42-4056-b568-a2ee009c97a9
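The two attributes named above (recent registration and a registrant tied to earlier CPA lures) can be combined into a simple triage pass over domain registration data. The following is an added example, not Websense or ACE code; the record layout, the 30-day window, the observation date, and every domain and registrant value are constructed assumptions.

```python
from datetime import date

# Constructed sample records (not from the original post); domains use the
# reserved .example TLD and registrant addresses are placeholders.
SAMPLE_RECORDS = [
    {"domain": "missing-plane-video.example", "created": date(2014, 2, 26),
     "registrant": "Reg-A@Registrant.example "},
    {"domain": "breaking-news-clip.example", "created": date(2014, 3, 1),
     "registrant": "reg-b@registrant.example"},
    {"domain": "longstanding-news.example", "created": date(2009, 5, 4),
     "registrant": "newsdesk@publisher.example"},
    {"domain": "old-quiz-offers.example", "created": date(2012, 12, 3),
     "registrant": "reg-a@registrant.example"},
    {"domain": "no-whois-data.example", "created": None, "registrant": None},
]

# Registrants previously tied to CPA lure sites (constructed placeholder).
KNOWN_CPA_REGISTRANTS = {"reg-a@registrant.example"}


def triage(records, observed_on, known_registrants, max_age_days=30):
    """Return {domain: [reasons]} for domains worth an analyst's review."""
    known = {r.strip().lower() for r in known_registrants}
    flagged = {}
    for rec in records:
        reasons = []
        created = rec.get("created")
        if created is None:
            # Missing WHOIS data is not evidence of youth; record it separately.
            reasons.append("creation date unavailable")
        else:
            age = (observed_on - created).days
            if 0 <= age <= max_age_days:
                reasons.append(f"registered {age} days before observation")
        registrant = (rec.get("registrant") or "").strip().lower()
        if registrant in known:
            reasons.append("registrant linked to earlier CPA lures")
        if reasons:
            flagged[rec["domain"]] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_RECORDS, date(2014, 3, 13),
                                  KNOWN_CPA_REGISTRANTS).items():
        print(domain, "->", "; ".join(reasons))
```

A domain that matches both attributes carries two reasons and is the strongest candidate for review; an old domain with a known registrant is still surfaced, which is how a pivot on the registrant finds earlier lure sites.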
If you are searching for information on this event, Websense Security Labs™ strongly recommends that you use trusted and legitimate media outlets to source your news.