Scammers tap the power of Facebook to offer 'free' iPhones a-plenty

News by Steve Gold

Free iPhone? More like an iPhoney...

With Apple reportedly raking in more than four million pre-orders for the new iPhone 6, it was perhaps inevitable that scammers were standing by to cash in on the iPhone ordering frenzy.

According to Deborah Salmi of Avast, unlike previous scams with new iPhone launches, this time around the fraudsters are tapping into the power of social media, with paid-for advertising pages popping up on Facebook, claiming that people who like, share, and comment on a post can win an iPhone 6.

This type of scam, she says in her analysis, is referred to as 'like harvesting.'

"The scammer makes the page popular by collecting likes and then sells the page to other scammers. The offer of a new device, like the iPhone 6, entices people to click the like button then spam their friends with the bogus promotion. Thousands of likes can accumulate within a few hours, making the page quite valuable on the black market," she said, adding that the new 'owner' then rebrands the page to peddle more questionable products and services with their built-in audience.

A variation on this scam, she went on to say, is the Survey Scam.

"As with like harvesting, you must first like the Facebook page. The difference is that you need to also share a link with your Facebook friends," she said, adding that the link takes users to a page where they are instructed to download a 'participation application.'

At this stage, Avast says its research suggests that the pop-up window leads users to participate in a survey before they can download the application.

Some surveys, says the security vendor, will ask for personal information such as your mobile phone number and/or name plus address, opening up the user to receive expensive premium rate text messages, annoying phone calls and - inevitably - junk mail.

Malicious code

As you might expect, the download can contain malicious code. The only thing you can be guaranteed not to get, however, is an iPhone 6.

According to Michael Sutton, VP of security research with Zscaler, this particular 'like harvesting' scam for the iPhone 6 is quite basic as it is a straightforward social engineering scam.

"In this case users must manually 'like' and 'share' the page but there is no effort to redirect the user to third party content," he said, adding that 'like harvesting' is inevitable for any breaking news story as scammers will try to cash in on the wave of publicity - and then try to build a popular page, before selling it off to others.

"Other groups will then use the page to promote some sort of pay-per-click scam whereby they make money by redirecting users to ads or surveys," he noted.

Over at Alert Logic, Richard Cassidy, the firm's senior solutions architect, said that this type of fraud will always be an underground industry favourite.

"Coupled with the proliferation of social media networks - and the ever growing younger population of Web users - it is becoming easier to extort personal information than ever before," he explained.

Reasonable return

Cassidy says that the main issue here is that the best scam campaigns are built on trusted-source and reasonable-return - that is, you know the promoter/sender of the information and the return is something that you both want and feel is a possibility.

"In this case the scammers got it absolutely right. Use Facebook to promote, offer this year's hottest gadget and leave the rest to the desperate masses of individuals to promote in a parochial fashion amongst their trusted circles," he said.

"What's even smarter about this campaign is that it plays more on the trust nature of individuals; if your close friends have done it then (a) why haven't you and (b) surely you don't want to miss out on the chance," he added.

The solution to these types of scams, he says, lies in greater education and awareness of the risks of these types of campaigns and offers.

"Social media sites could do more to promote better awareness to their users against offering up personal information to unknown/untrusted third parties, through messaging campaigns or login notifications. Ultimately it comes down to better education and a smattering of common sense," he concluded.

Mark James, a security expert with ESET, meanwhile, noted that Facebook states that these types of adverts are against its terms of service but that, he says, is not going to stop it from happening.

"I still encourage people to use the 'front door' policy, i.e. treat your computer like your front door. When was the last time someone banged on your front door to offer you an iPhone 5 or 6 just for filling out a survey or a £10/£50 supermarket voucher for free? It just does not happen," he explained.
