

justbits
More fiber than ATT can handle
Premium
join:2003-01-08
Chicago, IL
Reviews:
·Comcast Business..

1 recommendation

[Phish] Facebook "Free Starbucks $100 card"

Bad URL:
»www.myfreestarbuckscoffee.com/?offerid=2#

Clicking the link creates a Facebook login reference URL of the form:
»www.facebook.com/connect/login_s···n=XXXXXX

The site requests that you copy/paste the URL back to the original web site, basically giving the attackers full access to your account.

How lovely.

The page countdown timer starts at the same value and rapidly counts down. Reloading the page resets the countdown.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

Re: [Phish] Facebook "Free Starbucks $100 card"

Nice analysis!
I thought trading in one of my lesser-used Facebook accounts would be worth $100, but the domain "myfreestarbuckscoffee.com" is not even affiliated with Starbucks, so the chances of actually receiving the card are zero.
WHOIS Data

=-=-=-=

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: »namecheap.com
Domain name: myfreestarbuckscoffee.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()

Fax:
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US

Administrative Contact:
WhoisGuard
WhoisGuard Protected (d5bf65bb36ea429e983cfbd6ac2f6b0b.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US

Technical Contact:
WhoisGuard
WhoisGuard Protected (d5bf65bb36ea429e983cfbd6ac2f6b0b.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US

Status: Locked

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com

Creation date: 16 Oct 2012 12:02:00
Expiration date: 16 Oct 2013 04:02:00


justbits

The web page script redirects to:
"http://blankreferrer.com/u/www.facebook.com/dialog/permissions.request?app_id=237759909591655&next=http%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html&response_type=token&perms=publish_stream"

This link creates a permission request to publish_stream. The generated URL it goes to is an authorization token which allows the scammer/phisher to post to the phishee's account.

I am having a hard time figuring out how to get to the Facebook app page that originates "app_id=237759909591655" so I can report it as spam. e.g. »apps.facebook.com/${app_id} doesn't work.
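
The redirect quoted in the post above combines several traits that can be checked mechanically in proxy logs or reported links. As an added example (not code from the thread), this Python function lists which of those traits a URL has; the function names, the `redirect_uri`/`scope` fallbacks and the benign sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

WRITE_SCOPES = {"publish_stream"}              # scope requested in the thread's URL
GENERIC_REDIRECT = ("www.facebook.com", "/connect/login_success.html")
WRAPPER_PREFIXES = ("blankreferrer.com/u/",)   # referrer-hiding wrapper seen in the thread

# URL quoted in the thread, and a constructed ordinary authorization-code request.
PAGE_URL = ("http://blankreferrer.com/u/www.facebook.com/dialog/permissions.request"
            "?app_id=237759909591655&next=http%3A%2F%2Fwww.facebook.com%2Fconnect"
            "%2Flogin_success.html&response_type=token&perms=publish_stream")
BENIGN_URL = ("https://www.facebook.com/dialog/oauth?client_id=1234567890"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
              "&response_type=code&scope=email")


def unwrap(url):
    """Return (inner_url, was_wrapped) after removing a referrer-hiding wrapper."""
    rest = url.split("://", 1)[-1]
    for prefix in WRAPPER_PREFIXES:
        if rest.startswith(prefix):
            return "https://" + rest[len(prefix):], True
    return url, False


def check_oauth_url(url):
    """List the reasons a Facebook dialog URL matches the pattern in the thread."""
    inner, wrapped = unwrap(url)
    parts = urlsplit(inner)
    host = parts.hostname or ""
    on_facebook = host == "facebook.com" or host.endswith(".facebook.com")
    if not on_facebook or not parts.path.startswith("/dialog/"):
        return []
    q = parse_qs(parts.query)
    first = lambda *names: next((q[n][0] for n in names if n in q), "")
    reasons = []
    if wrapped:
        reasons.append("wrapped in a referrer-stripping redirector")
    if "token" in first("response_type").split(","):
        reasons.append("response_type=token puts the access token in the URL")
    target = urlsplit(first("next", "redirect_uri"))
    if (target.hostname, target.path) == GENERIC_REDIRECT:
        reasons.append("redirects to generic login_success.html, not an app page")
    hits = set(first("perms", "scope").split(",")) & WRITE_SCOPES
    if hits:
        reasons.append("requests write scope: " + ",".join(sorted(hits)))
    return reasons


if __name__ == "__main__":
    for sample in (PAGE_URL, BENIGN_URL):
        print(check_oauth_url(sample))
```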


justbits

1 recommendation

reply to Snowy

By the way, the site that originally generated the redirect to www.myfreestarbuckscoffee.com was:
»184.72.247.38/sh/0et05iz82s1v9qj···fer.html



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to justbits

These scams are rampant on Facebook and other social media. They are also sent via email; I've seen others like this hit my Yahoo spam folder, where I will just delete them.
--
I, for one, welcome our new Computer Overlords.



justbits

2 edits
reply to justbits

Re: [Phish] Facebook "Free Starbucks $100 card"

Another Starbucks fraud
»107.22.225.86/sh/jba3cd34hllv8xu···fer.html
redirects to
»78.external-host.lawsonsoft.com/page.php
which has an overlaid "Submit" button over a "Comment" button with what looks like a text field overlaid on a Facebook "Add a comment" field.

Interesting. »107.22.225.86/sh is a Dropbox server hosted at Amazon EC2.

Submitted a report to:
»aws-portal.amazon.com/gp/aws/htm···AWSAbuse