March 14, 2014

Malaysia Airlines MH370 Used as a Lure in Facebook-Themed Scams

Carl Leonard Principal Security Analyst

The Websense® ThreatSeeker® Intelligence Cloud has observed Facebook-themed scams using news of the missing Malaysia Airlines MH370 flight as a lure. Legitimate news sources report that on March 8, 2014, the plane went missing over the South China Sea.

The lure websites have been configured to look like a legitimate Facebook page, complete with a sharing button, suitable graphics, and relevant links.

Should users browse to the lure website, they are presented with a series of dialogue boxes, which eventually lead to a Facebook popup supposedly referencing a Yahoo! News article. We shall walk through an example of a user interacting with such a website.

Figure 1: The relevant lure title is displayed to the user, yet when attempting to close an unrelated dialogue box, the user is directed to "Please Share Us on Facebook To Close."


Figure 2: The user is then encouraged to share the link. Should the user click the link while logged onto Facebook, a share action occurs, thus spreading the threat further.


Figure 3: The user is then presented with another page showing a YouTube video overlaid with a further request to interact by taking a short test.


Thus, we identify the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This is certainly not a new idea, as our previous blogs show.

When we review our telemetry, we observe that the registrant responsible for this timely scam has also been responsible for Facebook-themed lures as far back as December 2012.


Other websites hosting the fake news include:

  • hxxp://cotmot.com/mh370plane/
  • hxxp://mh370malaysia31.droppages.com/
  • hxxp://insidevideo.net/


Websense Protection

Websense customers are protected with ACE™, our Advanced Classification Engine. Specific attributes which triggered our analytics include domains registered between 12 and 25 days ago, which are now being used to host the fake video lures, and the association with the past CPA ecosystem.
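The attributes named above (recent registration, event-themed lure content, and a registrant tied to earlier CPA lures) can be combined into a simple URL triage heuristic. The following is an added example, not Websense's ACE logic; the hosts, registration dates, registrant labels, the 30-day cutoff and the two-signal threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

@dataclass
class Whois:
    registered: date   # domain creation date
    registrant: str    # registrant label taken from WHOIS

# Constructed records: hosts, dates and registrant labels are invented.
WHOIS = {
    "breaking-video.example": Whois(date(2014, 2, 25), "registrant-A"),
    "news-archive.example": Whois(date(2009, 6, 1), "registrant-B"),
    "fresh-blog.example": Whois(date(2014, 3, 1), "registrant-C"),
}
CPA_REGISTRANTS = {"registrant-A"}   # assumed: linked to earlier CPA lures
LURE_TERMS = ("mh370", "malaysia")   # event keywords seen in the lure URLs
MAX_AGE_DAYS = 30                    # assumed "recently registered" cutoff

def signals(url: str, today: date) -> list[str]:
    """Return the names of the heuristics a (possibly defanged) URL trips."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    rec = WHOIS.get(host)
    hits = []
    if rec and (today - rec.registered).days <= MAX_AGE_DAYS:
        hits.append("young_domain")
    if any(term in host + parts.path for term in LURE_TERMS):
        hits.append("event_keyword")
    if rec and rec.registrant in CPA_REGISTRANTS:
        hits.append("cpa_registrant")
    return hits

def verdict(url: str, today: date) -> str:
    """Block on two or more signals, review on one, allow on none."""
    n = len(signals(url, today))
    return "block" if n >= 2 else "review" if n == 1 else "allow"

if __name__ == "__main__":
    today = date(2014, 3, 14)
    for u in ("hxxp://breaking-video.example/mh370plane/",
              "http://news-archive.example/malaysia-airlines-history",
              "http://fresh-blog.example/recipes"):
        print(verdict(u, today), signals(u, today), u)
```

A single signal only routes the URL to review: an established news site covering the event trips the keyword check, and a new but unrelated domain trips the age check, so neither is blocked on its own.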

A sample ACE Insight report showing the protection offered is available here: http://csi.websense.com/Report/Index/6eb049c1-7d42-4056-b568-a2ee009c97a9

If you are searching for information on this event, Websense Security Labs™ strongly recommends that you use trusted and legitimate media outlets to source your news.
