How would you like a free carton of cigarettes? How about a free 24 pack of markers?
Great! All you have to do is fill out this brief survey and share it with 15 Facebook friends, and we’ll give you a totally legit (fake) coupon you can redeem with these well-known brands (nowhere).
Scams that use Facebook as a vector aren’t exactly new, but they’re incredibly persistent. It’s pretty easy to get people to share something if they think they’re getting something for free—especially something as relatively expensive as a carton of cigarettes.
This particular Facebook scam (seen below) was spotted by a colleague at RiskIQ, who personally saw the fake brand-name marker rewards page shared on Facebook and sent it over to the research team for further analysis.
We used PassiveTotal to pivot off of the IPs hosting its domain and found a fake brand name cigarettes rewards page (below) lurking there as well. RiskIQ blacklisted both pages based the fraudulent nature of their content.
How RiskIQ investigates it
The WHOIS data for both pages is protected, which prevents us from looking into other domains setup by the same registrant, but analysis of the host infrastructure, i.e. looking for further fraudulent domains and the HTML code of each page, is in progress. Customers can check out our crawl of the scam domain purporting to be the cigarette company here.
Here’s the PassiveTotal sequence we went through with associated URLs:
In figure three above, you can see that the fake marker rewards page has only been up since July 5th, the day of our investigation. It shows that the domain maps to a few different IPs, which are shown below the heatmap and tagged as Google infrastructure (looks like somebody is taking advantage of that free Google Drive web hosting).
If we click on “WHOIS”, we’re shown all the WHOIS info for this domain, which shows us that the registrant is using WHOISGUARD to protect their identity. This prevents us from pivoting off the WHOIS info to identify additional domains setup by the same registrant.
Let’s turn our attention to those IP addresses. Mostly, they map to Google API and user storage addresses, but the first IP shown also maps to a pretty suspicious looking domain masquerading as one belonging to the cigarette company. If we take that domain and look at it in a VM (see the screenshot above) it shows something pretty much identical to our fake marker rewards page, except this time, it’s free smokes instead of markers. Because we took these shots after we took action on the suspect domains, you can see that they are tagged as blacklisted by RiskIQ:
Clicking the fake cigarettes domain brings us to another PassiveTotal page where we can see some patchy IP mappings over the last month, as well as some additional IPs we can investigate further.
The massively increasing size and scale of the Internet continue to lower the bar for hackers to carry out successful attacks. Security analysts need the most comprehensive view possible into their adversary’s infrastructure to stay a step ahead. By bringing together critical data sources—like RiskIQ's blacklist—PassiveTotal enables analysts to assess incidents within their networks to map and analyze their adversary’s digital footprint.
For more detailed proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—customers can query RiskIQ’s Global Blacklist, Zlist, or APIs.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.