Facebook likejacking scam via Twitter

The tweet you receive is “we are looking for twitter members to try our brand new product at twitgiveaway,com”, mostly as a reply to one of your own tweets.

There is no mistake in the URL: “twitgiveaway,com”. There is indeed a comma there instead of a dot. The fraudsters obfuscate the URL so that neither their account nor the domain they publish gets blocked, and in this case a simplistic filter would not detect a domain at all.

[Image: twitt-ipadpromo]

Clicking on the user’s profile we see the name “iPad Promo”.

[Image: twitt-ipadpromo-block]

Checking the tweets the account produced, we see that all links are about the same topic: this account is trying to recruit as many visitors as possible to the website.

[Image: twitts-ipadpromo-profile]

Observe that the posts contain various versions of that domain, which shows that the fraudsters are using several obfuscation methods.
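The comma-for-dot trick above defeats a naive domain filter, and the same account rotates through several such spellings of one domain. The following Python is an added detection example (not code from the original post or from any Twitter tooling): it normalises the common obfuscations (comma, spaced dot, “dot”, bracketed dot) before extracting domains, reports which domains only became visible after normalisation, and tallies how often an account pushes each canonical domain. The sample tweets are constructed to mimic the scam, and the TLD list is a deliberately small assumption.

```python
import re

# Constructed sample tweets modelled on the scam in the post; not real captures.
SAMPLE_TWEETS = [
    "we are looking for twitter members to try our brand new product at twitgiveaway,com",
    "free ipad! visit twitgiveaway dot com now",
    "try it: twitgiveaway . com",
    "grab yours: twitgiveaway[.]com",
    "hello, how are you today?",
]

# Assumption: a short TLD list is enough for this demonstration.
TLDS = r"(?:com|net|org|info|biz)"

# What a simplistic filter looks for: label, literal dot, known TLD.
NAIVE_DOMAIN = re.compile(r"\b[a-z0-9-]+\." + TLDS + r"\b", re.I)

# Separators the scammers substitute for the dot, each only recognised when a
# TLD follows, which keeps ordinary commas ("hello, how") from being rewritten.
SEPARATOR = (
    r"(?:\s*,\s*"                  # twitgiveaway,com
    r"|\s*\[\s*\.\s*\]\s*"         # twitgiveaway[.]com
    r"|\s*\(\s*dot\s*\)\s*"        # twitgiveaway(dot)com
    r"|\s+dot\s+"                  # twitgiveaway dot com
    r"|\s+\.\s*"                   # twitgiveaway . com
    r"|\s*\.\s+)"                  # twitgiveaway. com
)
OBFUSCATED = re.compile(r"([a-z0-9-]+)" + SEPARATOR + "(" + TLDS + r")\b", re.I)


def naive_domains(text):
    """Domains a simplistic filter would see in the raw text."""
    return [d.lower() for d in NAIVE_DOMAIN.findall(text)]


def normalize(text):
    """Rewrite obfuscated separators back into a literal dot."""
    return OBFUSCATED.sub(lambda m: f"{m.group(1)}.{m.group(2)}", text.lower())


def find_domains(text):
    """Domains visible after normalisation (plain and obfuscated alike)."""
    return naive_domains(normalize(text))


def flag_obfuscated(text):
    """Domains that only appear after normalisation, i.e. deliberately hidden."""
    return sorted(set(find_domains(text)) - set(naive_domains(text)))


def domains_per_account(tweets):
    """Count how often each canonical domain is pushed across an account's tweets."""
    counts = {}
    for tweet in tweets:
        for domain in find_domains(tweet):
            counts[domain] = counts.get(domain, 0) + 1
    return counts


if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(f"{tweet!r}: naive={naive_domains(tweet)} hidden={flag_obfuscated(tweet)}")
    print(domains_per_account(SAMPLE_TWEETS))
```

Running it shows the naive filter finding nothing in the scam tweet while the normalised pass recovers twitgiveaway.com four times across the account, which is the pattern the screenshots above illustrate. Separator-free forms such as a domain written without any break are out of scope for this example.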

Nothing unusual so far… Just another way of luring users to visit a website.

But, once on the website, the user has to take a survey with three simple questions:

- whether they are a man or a woman

- how many hours they spend on social media

- whether they are accessing the site from work or from home

At the end of the survey you see what you could win: an iPhone 5 or an iPad 3.

[Image: twitgiveaway]

In order to make the user click on the buttons, the authors of the scam use a common social engineering technique: they increase the urgency by showing the small number of prizes still left (1 and 2 respectively).

The surprise comes after clicking on the links.

The buttons have some remote JavaScript code behind them that redirects the user to a website which requires the user to complete further surveys in order to be eligible to win an iPad (there is no word anymore about an iPhone):

[Image: twitgiveaway-fb.JPG]

After all this trouble, the scam ends as a classical likejacking scam.

However, because of the cross-site scripting reference (do not mistakenly consider it a cross-site request forgery, CSRF), there is a potential that the script changes its behavior and can do pretty much anything the attacker wants.

In the end, there are only a few things to be done:

- report the Twitter user as a spammer

- delete the posts made on your behalf if you continued to take the survey

- unlike the app that offers the survey

- forget about winning an iPad or an iPhone. Never forget that nothing is really free on the Internet.


Sorin Mustaca

IT Security Expert