Last week, I was checking my Facebook account and noticed I had an Event Invitation from a fellow security researcher. Very intriguing. This friend is a world traveler and doesn’t currently reside in the United States, but the Event Invitation was for a Free $1000 "Best Buy gift card to celebrate Best Buy’s 20th Anniversary".

Alarm bells started ringing and I knew it had to be a scam. But let’s take a look...

There was no reason I could think of why they would use a bit.ly URL unless they didn’t want people to notice right away that it wasn’t a Best Buy site.  This way, people are forced to click through.  (There are good reasons for using bit.ly.  For example, a medium such as Twitter restricts the size of your entry. Or you have a legitimate need to obfuscate the URL.)
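A quick way to see where a shortened link actually lands before anyone clicks it is to walk the redirect chain with HEAD requests and then check whether the final host really belongs to the brand being advertised. The script below is an added example, not part of the original post: the bit.ly path and the redirect chain in SAMPLE_REDIRECTS are constructed stand-ins (only the amazingfreerewards.com domain comes from the post), and `head_location` is a hypothetical live lookup that can be swapped in for the sample data.

```python
import http.client
from urllib.parse import urlparse, urljoin

# Constructed stand-in for the Location headers a shortener chain might return.
# Not real captured traffic; the bit.ly path is a made-up placeholder.
SAMPLE_REDIRECTS = {
    "http://bit.ly/EXAMPLE-ONLY": "http://amazingfreerewards.com/win",
    "http://amazingfreerewards.com/win": "/gift/1000?src=fb-event",
}

def head_location(url, timeout=5):
    """Live lookup (assumed helper): send one HEAD request and return its
    Location header without following it; http.client never auto-follows."""
    parts = urlparse(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Location")
    finally:
        conn.close()

def resolve_chain(start_url, lookup=head_location, max_hops=10):
    """Walk redirects one hop at a time, resolving relative Location values
    against the current URL. Returns every hop so the whole chain is visible."""
    hops = [start_url]
    for _ in range(max_hops):
        nxt = lookup(hops[-1])
        if not nxt:
            break
        hops.append(urljoin(hops[-1], nxt))
    return hops

def host_belongs_to(url, brand_domain):
    """True only when the host is brand_domain itself or a subdomain of it.
    A substring test would wrongly accept 'bestbuy.com.example.net'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)

def check_offer(short_url, brand_domain, lookup=head_location):
    """Expand the short link and report whether it ends on the brand's domain."""
    hops = resolve_chain(short_url, lookup)
    return host_belongs_to(hops[-1], brand_domain), hops

if __name__ == "__main__":
    legit, hops = check_offer("http://bit.ly/EXAMPLE-ONLY", "bestbuy.com", SAMPLE_REDIRECTS.get)
    print("landing host is Best Buy:", legit)
    print(" -> ".join(hops))
```

Passing `SAMPLE_REDIRECTS.get` as the lookup keeps the run offline; dropping that argument uses the live HEAD lookup instead.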

The first thing I noticed was:

"AmazingFreeRewards.com is not affiliated with Best Buy®, Inc."

ALL of the links on this page return you to this page, except for the Gift Status link that requires a login, a login that you would create if you followed the process through to that point.  Thus, there is no Privacy Policy nor any other information available.  But if you enter a ZIP code, you will be transported to…

All the links here behave the same way as on the previous page (see tabs; they return you here or require a login).  But look at all the information they want.  Many of those items qualify as Personally Identifiable Information (PII), for which a Privacy Policy is required because there are legal ramifications for their inadvertent dispersal.  (I hesitate to call them legal protections, as all we get is notification.)

But so far, all this probably looks legitimate for an offer such as this, and this is no more than a warning for people to think twice before divulging their PII. You might think it’s worth your PII for a chance at $1000.  But consider how you got here.  There was an Event on Facebook. Friends are giving up their friends' personal data by RSVPing to the offer.  Almost 10,000 people gave this company all their Facebook info about themselves and their friends.  This company has possibly accumulated over one-third of a million email addresses for its future spam campaigns, or perhaps it plans to sell the list to other spammers.  Such a list is worth more than a couple thousand dollars.  Pretty good returns for the creation of a Facebook Event.

But why is this a scam?  Again, we start at the beginning.  “Best Buy Celebrates Its 20 Year Anniversary!”  You can see from the official Best Buy corporate history that they existed prior to 1983 when the company changed its name to Best Buy and were already trading on the Nasdaq in 1985. If anything, they would be celebrating their 25th, 27th, or even 44th anniversaries.

The lesson here: guard your personal information. But also, guard your friends’ personal information.  Don’t go giving it away when you have no idea who is on the other end taking it all in.

-- Jimmy Kuo

PS. I contacted Facebook and the Event page was gone by the next morning.