Just recently, I logged on to my Facebook account and saw that a couple of people on my Friends list had posted something about a free $250 gift card from Costco, similar to this:

When you click the link, Facebook asks you if you're sure that the link is not spam. If you choose "not spam", your browser opens a specific website, which looks similar to the following:

Note that this is not an URL affiliated with Costco, but rather the author(s) of the scam are using the branding and naming of well-known companies to lure users into providing their sensitive information.

If you follow the instructions on the website, you end up posting something like this on your Wall:

Second, you have to put a message on their site like in the following screenshot:

The third step asks you to visit a website where, it says, you can get a higher value gift card by filling out a form that asks for your personal information: your name, phone number, home address, email address and credit score and income.

It then asks you to choose two of the following offers:

Which then leads to another "survey", which asks you to install a coupon app. This app is a toolbar that monitors your browsing habits, for example, what websites you visit. The toolbar doesn't show in your browser; however, you can see it in Internet Explorer as a browser helper object (BHO - which we detect as BrowserModifier:Win32/BSaving) by opening the Manage Add-ons window in the Tools menu:

The BHO registers itself to load every time the browser is opened.

Here are some captured data on how this BHO sends the user's inputted data to the server and what exactly they look like when analyzed:

Logging in to Facebook:
GET /?action=instant&unit=msie&site=hxxps%3a%2f%2fwww.facebook.com%2flogin.php%3flogin%5fattempt%3d1&unique=7e872ee05f4e7d624a73ecedd6b62867&white=6&sub=15 HTTP/1.1
Host: toolbar.<removed>.com
Accept-Encoding: gzip, deflate
Accept: text/html
Accept-Language: en-us,en;q=0.5
Connection: Close

Searching "bag":
GET /?action=instant&unit=msie&site=hxxp%3a%2f%2fsearch.live.com%2fresults.aspx%3fq%3dbag%26src%3dIE%2dSearchBox&unique=7e872ee05f4e7d624a73ecedd6b62867&white=6&sub=15 HTTP/1.1
Host: toolbar.<removed>.com
Accept-Encoding: gzip, deflate
Accept: text/html
Accept-Language: en-us,en;q=0.5
Connection: Close
 
 
You must install the app to continue with the survey:

. . . which then leads to what seems to be a never-ending deluge of surveys (at least I never reached the end of the surveys):

You are then asked if you want to increase your credit score, and may be asked for your social security number (SSN):

And yes, more surveys:

Right now, the scam is tagged as "spam" by Facebook.

It should also be noted that the companies represented in this scam are themselves victims - they are in no way affiliated with the scam or the scam's author(s). And even if you complete the surveys, you will never receive the promised gift card!

At this point, it isn't determined what the purpose of collecting and sending this information might be for; what we can verify, however, is that all data inputted into the browser from these surveys is sent to a single remote server.

Be careful about freebies on Facebook, no matter how tempting they seem to be. A good way to gauge whether something on Facebook is genuine or a scam is to go to the official product page (in this case, here is Costco's, which also offers a disclaimer of the scam). If the offer is real, there should be something on the product page. Otherwise, it may be a scam, so exercise a lot of caution. As you can see, these scams don't just ask for your name and number; some of them go as far as to ask for your SSN and financial information.


Ferdinand Plazo
MMPC Redmond