
Disassembling the Woolworths Facebook scam - wglb
http://www.troyhunt.com/2012/11/disassembling-woolworths-facebook-scam.html
======
Smerity
I'm glad to see this blogged about as it was on my todo list. I have numerous
previous examples of this scam as well if people want to compare and contrast
(free sunglasses [Oakleys], free headphones [Beats by Dr Dre], etc).

What annoys me most about this is the scam is only spread through exploiting
human nature and not advanced technology. The code is literally almost exactly
the same each time yet nothing has been done by Facebook to prevent it.
Fingerprinting this is certainly not impossible (every example I've seen is
formulaic and even starts the counter at 973) and I'm surprised Facebook
doesn't have an advanced spam fighting arsenal that's effective against it.

Does anyone know what tools they use to combat this sort of thing? Machine
learning would work really well here considering numerous past examples and
the fact you're only interested in links that are spreading virally. Even if
you needed a human being for final confirmation before blocking the site,
you'd knock out a link once and it'd positively impact tens of thousands of
people. I'd be shocked if using bit.ly and a few other obvious spammy
redirects was all you needed to trick Facebook...

~~~
abeland
Hi, my name is Abe, and I'm an engineer at Facebook working on the team that
prevents these kinds of scams from spreading on the site. As you suspect, we
actually do have a bunch of tools that detect attacks like this (and others),
but they're not perfect, and you never really see when they work, only when
they don't.

In cases like this, you're right that there are often obvious content
patterns. However, enforcing on or detecting those doesn't really scale, as
they're trivial for the attacker to change. Instead, we try to focus on
aspects of an attack that are much more expensive for the attacker to change.
One component of our systems that detect this does involve looking at metadata
about URLs, and running it through some machine learned classifiers (you're
correct that simply using bit.ly is insufficient to stop us).

Regardless, we've taken care of this particular instance of the attack and are
always working to systematically improve our detection and mitigation systems.
Let me know if you're interested in helping us out in this effort!

------
dbaupp
Presumably the 'AL' country code test was included so the Albanian "John
Smith" could/can examine the live website without being directed straight to
Google.

~~~
skeletonjelly
Correct. The Woolworths one had checks for "IN" || "AU" else it would redirect
to Google. That domain was registered to an Indian address.
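
An added example (not code from this thread or from the original write-up) that turns the two indicators discussed above, the AU/IN country gate with a fallback redirect to Google and the fake counter that starts at 973, into a simple fingerprint an analyst could run over a captured landing page; the sample HTML is constructed and the regexes are assumptions about how such logic typically appears in page source.

```python
import re

# Constructed sample of a scam landing page, modelled on the thread's description:
# visitors outside AU/IN are bounced to Google, and a "prizes remaining" counter
# starts at 973. This is not the real Woolworths page.
SAMPLE_PAGE = """
<script>
var country = geoip_country_code();
if (country != "AU" && country != "IN") { window.location = "http://www.google.com"; }
var remaining = 973;
setInterval(function(){ remaining--; document.getElementById('c').innerHTML = remaining; }, 4000);
</script>
<span id="c">973</span>
"""

# Assumed patterns: a two-letter country code compared in a conditional, a
# location assignment pointing at google.com, and a numeric counter initialiser.
COUNTRY_GATE = re.compile(r'country\w*\s*(?:!==|===|!=|==)\s*["\']([A-Z]{2})["\']')
GOOGLE_FALLBACK = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']https?://(?:www\.)?google\.com', re.I)
COUNTER_INIT = re.compile(r'\b(?:remaining|left|stock)\s*=\s*(\d+)', re.I)


def fingerprint(html):
    """Extract the indicators from page source; returns a dict of findings."""
    return {
        "country_gate": sorted(set(COUNTRY_GATE.findall(html))),
        "google_fallback": bool(GOOGLE_FALLBACK.search(html)),
        "counter_start": [int(n) for n in COUNTER_INIT.findall(html)],
    }


def score(ind):
    """Weight the indicators: geo-cloaking (gate plus fallback) counts most."""
    s = 0
    if ind["country_gate"]:
        s += 1
    if ind["country_gate"] and ind["google_fallback"]:
        s += 2
    if 973 in ind["counter_start"]:
        s += 2
    return s


def is_suspected_scam(html, threshold=3):
    """True when the page carries enough of the formulaic markers to flag for review."""
    return score(fingerprint(html)) >= threshold
```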

------
TomGullen
What confuses me is the (relative) sophistication of some of these scams
juxtaposed with some really shoddy website designs that scream "scam" to me.

When scammers and phishers learn to put together a semi respectable design or
even simply copy the designs they are trying to imitate more precisely they
would be far more successful.

~~~
recuter
Or perhaps it is a worst is better type of thing and the crappier designs
convert better for their purposes. Hmm.

~~~
mgkimsal
possibly.

perhaps people more readily identify with a site written with the same
spelling and grammar mistakes _they_ use, and trust the site more over those
"educated" sites where "proper grammar" and "correct spelling" are just lorded
over you and rubbed in your face. the crap website might be a kind of kindred
spirit, just waiting to befriend the intellectually downtrodden.

------
fblp
Most scams might have a terrible success rate, but the scammers still make a
lot of money. Over $80mil in scam losses were reported to the Australian
Government last year, a surprising amount of which were from Nigerian-style scams and
the like that you'd think nobody would fall for. For every person that is
willing to send money via Western Union to some guy in Nigeria, there would be
thousands who would click through these links.

2011 Scam report by Australian Government is here:
<http://www.accc.gov.au/content/index.phtml/itemId/1039349> I've passed your
research onto the authors of this report, thanks for sharing it.

~~~
brc
I have seen probably 5 or 6 Facebook friends fall for this one. The typical
profile is of a mother who isn't very tech savvy but likes the idea of free
stuff.

------
ricardobeat
The redirects are generating fake ad clicks for the scammer, it's very common
and probably the main source of revenue for this "campaign".

~~~
arb99
Nope. Can't get paid to redirect to a (2nd) url but still have that (2nd) url
redirect to somewhere else. They tend to redirect to another url/company when
they don't have an offer to send to that IP address sometimes too.

------
Gustomaximus
I've seen this scam while in Android apps and like to click the ad every now
and again just to cost them a little more money (though it is a shame it is
not easy to report as a better alternative).

But as a marketeer I recommend looking at scam email/ads from a professional POV.
Quite often they are great examples of marketing and how to communicate
effectively. Just please apply this to a more honest motive.

------
aresant
I've spent ~15 years in online advertising and this sure isn't limited to just
being a "Facebook scam".

This style of advertising called "incentivized co-registration" (co-reg /
co-reg path) (1) has been a long running plague - as far back as 2008 the FTC
penalized ValueClick ~$3m (2) for this exact same thing as it's deceptive.

On the front-end you've got Facebook, Microsoft, and Google (to name a few)
making money hand over fist letting these co-reg paths buy their media.

(As an aside Bing is well known to be the loosest with regulating compliant
advertising which is just sad given that it impacts the MSFT brand.)

On the back-end you've got brands like Netflix, Nokia, Guinness, GAP, etc etc
that lend themselves to being on the co-registration path and offering a
variety of offers like "Join our newsletter etc" so they can then market to
the consumers that say yes.

Again, great in concept - fill out your information once to enter for a
"prize" and then select brand offers that you're interested in.

The problem is that most of the guys running the actual paths - buying the
media etc - are small affiliate marketers. These are one to five man teams
that slap together a variety of these co-reg offers from the "legit" co-reg
company APIs.

So you'll see the big co-reg companies bragging about how they power the
USAToday.com registration process, but the reality is many of them make the
bulk of their revenue through their API sets and affiliate programs, which
they leave damn-near unregulated (unless put under the microscope).

So every now and again the FTC hammers a few of these small timers, but the
reality is an affiliate - doing "ok" - can make anywhere from $10 - 100k/mo in
profit just doing what I describe above - build some direct-response landing
pages, pull brand offers from the co-reg company APIs, and buy media from
companies that love to sell it, and don't look too hard for reasons not to.

So anywho I love getting on my soapbox but it's insane how many huge companies
benefit from these scams, and how simple it is for them to have deniability
due to the ecosystem of using these small timers on the front end.

(1) A great breakdown of "what is" co-reg advertising
<http://www.coregmedia.com/demos/demo-pub.php>

(2) FTC Settles w/ValueClick <http://www.ftc.gov/opa/2008/03/vc.shtm>

~~~
matznerd
They aren't all co-registration sites. Some of the examples are CPA
(cost-per-action), where submitting email, taking phone surveys, submitting
zip, etc generate revenue for the site owner.

------
fingerprinter
Can someone break down how the scammers are making money on this? Think of me
as a complete idiot ;)

It seems that they are simply affiliates of these various sites and get a
small percentage for signups? Is that correct? how much can they reasonably
hope to make from something like this?

~~~
hippich
It doesn't look like a scam-taking-your-money-away, but rather a scam-
register-for-a-fake-prize-and-we-get-paid-by-affiliate type. So it is less
harmful, that's why I am not sure if the word "scam" is appropriate. But it
definitely wastes time and might put a bunch of spyware on your machine while
you are going through this process.

------
ryen
I think you should blur the names in the Customer Outrage section.

------
ddorian43
The whois record:

Administrative Contact: James Smith
Lagja e vjeter --- the name of the neighborhood: old neighborhood
tek pallati cope cope --- name of the building
Elbasan, Albania n/a --- city
Albania
ilovefbinfo@gmail.com
+355 692207020 --- some poor guy's number

It's odd to find Albanian scammers, usually they suck at programming. The
number should be working.

Spamming is a problem here in Albania. By checking my submission history you
will find that I currently talked to a spammer and even reported him, but nothing
was done (not even a response from the host).

He was telling me it is effective and you should do the same if you can.

~~~
smartwater
It's unlikely an entire race "sucks at programming." It's a skill like any
other and can be learned to varying degrees.

------
SilasX
Well, at least Facebook does their very best to coordinate with law
enforcement to take down those who use their platform for scams.

 _jerk-off gesture_