Unsolicited Secret Admirers Via Email
The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.
The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".
As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:
The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:
The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:
At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!
This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!
