Spikes in scam activity are predictable. Any time brands push a shiny product, there is a new internet trend, or, the most predictable of all, there’s a spike in consumer spending, scammers come out of the woodworks to exploit the hype. As such, every security professional knows that one needs to be more alert around Black Friday, when the latest Game of Thrones twist hits the interwebs, when a mobile app goes viral or when consumers are inclined to buy presents for their dear sweet mothers.
Mother’s Day is on Sunday, and, you guessed it, Mother’s Days scams are trending on social media.
ZeroFox Threat Operations has been tracking an uptick in coupon scams on social media prior to Mother’s Day. Pulling from a recent story about a Lowe’s coupon scam, we extracted the domains used by the scammer. We then pivoted on those domains to find an actor who owns hundreds of associated domains registered to perform other coupon scams. Each domain looked very similar and promised free coupons, impersonating dozens of brands in verticals like restaurants, bed and bath, furniture, airlines and grocery stores. These are particularly tantalizing for coupons around Mother’s Day, and many explicitly called it out as part of the promotion.
These scams are being disseminated by legitimate users, as the scam forces the victim to share or message their friends in order to get the coupon. It also encourages victims to message their friends through Facebook Messenger. Then the user is presented with a small survey to get the promotion. The coupon, of course, is fraudulent.
With hundreds of independent Mother’s Day scams and an attack model based on social media sharing, the campaign has reached an impressive scale, being shared by tens of thousands of uses. The scam has been circulating for at least 3 weeks across social media.
While it is certainly nothing new for scams to thrive on social, we were particularly interested in how the scammer created the Mother’s Day scams so rapidly, impersonated so many brands and leveraged the network effect to spread them organically.
All the Mother’s Day scams have the same copy and design, and the website have the same layout. As such, we know the scammer uses a templated “kit” to swiftly update the fake coupon and the web interface (brand logo, messaging, coupon) for each domain relative to the brand being exploited. Although this means each site is somewhat uniform, it also mean the scams can be perpetrated at a much larger scale. For example, if it’s a Dominos page it will show the Dominos logo, Aldi’s page it will show the Aldi’s logo.
When the victim lands on the page, a series of network calls are made to services that fingerprint the victim’s device, retrieve geographical information and track site activity. These are then routed through different digital ad agencies and can be sold off as identifying information. This is ultimately how the scammer makes money. Services are used to see if you are a human (anti-bot technology) as well as geo, which means that the owner of these sites only wants organic human traffic.
The ads on the page are never seen by the user because of a technique called “pixel stuffing,” which stacks ads and ensures the biggest bang for the attacker’s buck. The ad distributors paying for impressions are short changed; their ads are not displayed properly, and the traffic is low quality.
In short, because these Mother’s Day scams live on social media and thrives off shares and virality, being able to rapidly create a host of custom, fake site & coupons and programmatically profile their users ensures that the attacker makes a pretty penny off all the would be Mother’s Day shoppers.
What’s the Impact?
Much like the recent Google OAuth phishing attack that affected hundreds of thousands of users, this attack abuses user trust. First, getting a coupon share code from a real Facebook friend could be enough for a victim to click on the link. Secondly, the coupons are enticing and exploit the hype around Mother’s Day. An erosion of trust across social media has negative impacts for all parties involved.
In terms of impact, there’s five ways to slice it:
Luckily for consumers, the scam makes money by abusing digital ad agencies, not by siphoning dollars or credentials directly from those who share or visit the sites. Other scams we have studied have more nefarious purposes and are built to steal identities, harvest banking credentials and download nasty malware or ransomware. The erosion of trust in this scam campaign makes consumers less willing to engage with brands on social media and more skeptical of promotions and coupons that come their way online.
For brands, the impact is huge. This scam campaign hijacks companies’ logos and extorts users who otherwise would be customers of the genuine company. From a direct perspective, brands lose those clicks and that business. Indirectly, the cost is greater: the abuse of brands for nefarious purposes can undermine the brand image and severely erode customer & follower trust. There have been reports of victims printing out these coupons and trying to use them in the brick and mortar stores. Next time that brand tries to market on social media or advertise a promotion, any of the tens of thousands of people who were duped by this scam will be reluctant to engage.
- Social networks
The networks make money through advertising. Brands, like the once exploited by this campaign, pay Facebook, LinkedIn, Instagram and Twitter to prioritize their posts and display their ads. While a single campaign won’t materially affect the network’s ad revenue, scams of this nature and scale will certainly move the needle over time. It’s in the network’s best interests to monitor for cyber and financial crimes on their platforms, removing anything in violation of their terms of service.
- Security teams
It doesn’t take Nostradamus to see the writing on the wall for security teams. Like consumers, the security teams for these brands should be thankful the attack wasn’t worse. Had this been targeted at the employees & executives of the company or the attack on consumers had been more technical — an issue increasingly falling outside of the purview of marketing and within that of information security — we would have an even bigger story on our hands. What’s apparent is that social media platforms are business tools, where businesses engage customers, recruit talent and build brand, and security must always secure new systems of communications (like what happened in the past two decades with email, web applications and BYOD). Social media can be used to spread phishing attacks, malware campaigns and much much more, all targeted at, or under the fake auspices of, your brand. At the end of the day, it’s the security team’s responsibility to protect it.
- Ad agencies
Brand abuse drives organic human traffic to these websites. This traffic is useful for the attacker because these websites can use ad fraud tactics like pixel stuffing and ad stacking to fraudulently serve ads to a victim. The companies buying this ad space will then receive confirmation that a human was served the ad, but the human cannot see the ad. A penny lost by the ad agency is a penny gained by the scammer.
For consumers, it’s the same song and dance as always. Be vigilant on social media. Be careful what you click. As far as cyber risks on social media go, this scam campaign is somewhat benign. It’s not downloading ransomware or even harvesting credentials. But if you clicked, imagine what other nasty payloads could be on the other side. If we ran this scenario again with a more nefarious attacker, you might be researching how to send a thousand dollars worth of bitcoin to a ransomware author in the Ukraine.
For brands & security teams, it’s your responsibility to know where your digital assets are being leveraged (or abused) online. Over time, a scam campaigns at this scale with this attention to virality can greatly undermine trust in your social media reputation. Even a 1% erosion of trust can have devastating consequences once you try to promote an authentic coupon. And again, the attack could have been much worse; we’ve see as much time and time again.
Mothers Day scams are just another reminder that it’s time to seriously consider social media from the lens of brand protection and corporate security.