So, I'm scrolling through Facebook and suddenly...
And then I'm like...
Do you see what's immediately wrong here? To start, Delta Airline isn't going to give out two free tickets to anyone for its 33rd anniversary.
Next, look at that URL at the bottom of the image.
Sure, it's possible for Delta to own different websites. But if Delta Airlines were going to give out free tickets for anything it's safe to say it's for the purposes of marketing, meaning they would more than likely want to drive traffic directly to their main website located at Delta.com.
The Surface
Now I'm curious, so I pull up Wireshark and start sniffing my own traffic while I browse through the site.
It should be noted that I should have done this in a VM. It is very possible that it could have been a drive by malware attack, meaning my computer would have been infected as soon as I visited the site...aaaand later you'll see why this matters.
Immediately I see that this site isn't secure (no HTTPS). I clicked through the questions, and reached a page that urged me to share the link on Facebook, Like a page (I never did find out what Page it wanted me to Like), and then I would somehow get the tickets. Since there was no way I was going to Share the link, this was my stopping point.
I looked up whether or not it would be possible to trick the site into thinking the link was shared, but I didn't see any hacky javascript to check that. It would have to be something hacky because you can't really track whether or not a user shared a Facebook post without having the user authenticate to your site using Facebook. (Correct me if I'm wrong here. I'm not an expert on Facebook's Share tracking)
At the bottom of the page, there were Facebook comments from "users" confirming that they receive tickets. This is a common method scammers use in an attempt to legitimize their site.
A Peek Under The Hood
I took a minute to look through the source code for the site and the first thing I noticed was that everything was hard coded, even the so-called Facebook comments. The "user" images came from a site called randomuser.me a.k.a. stock photos.
I know it's a little hard to see (feel free to zoom in), but these are all hard coded comments found on the page.
And then here is a closer look. You can see where they hard coded the number of likes the comments have, along with the age of the comments.
<div id="fb1" class="item hidden">
<img class="profileimg" src="https://randomuser.me/api/portraits/women/53.jpg" />
<p class="comtxt"><span class="name">Radford Sarah</span> Wow, i won a free tickets from Delta Airline. </p>
<p class="combot"><span class="ago">Just Now</span> · <span class="fblike">Like</span></p>
</div>
<div class="item">
<img class="profileimg" src="https://randomuser.me/api/portraits/women/46.jpg" />
<p class="comtxt"><span class="name">Deleon Sandra</span> Such a Great Service! Thanks Delta Airline.</p>
<p class="combot"><span class="ago">11 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">267</span></p>
</div>
<div class="item">
<img class="profileimg" src="https://randomuser.me/api/portraits/women/89.jpg" />
<p class="comtxt"><span class="name">Brenda Vaughn</span> I am finally going to France with my friends.. Thanks Delta Airline!</p>
<p class="combot"><span class="ago">17 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">63</span></p>
</div>
For an extra treat, the page had some Javascript that made a new comment appear to make it look like the Facebook comments were being actively updated and added by other users. It also allows the user to add their own comments and fades it into the comment list, even though there isn't any indication that the comments is persisted anywhere.
The more interesting part about this is that the site never asked for any information from me and based on the source code, I don't think it was ever going to. Based on the code below, it seems as though the host just wants you to share the link. It doesn't have a way to verify that you actually did it, and there aren't any conditional statements to advance the user to another section. No matter what the user did, they would always get a pop-up telling them to complete Step 1 when they tried to progress to Step 2. If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware.
<div id="final">
<p align="center" class="prodname">Step 1</p>
<p align="center" class="prodname">Share this page by clicking "SHARE" button and type "Thanks #Delta Airline!" in the comments field!</p>
<p align="center">
<a id="go" href="javascript:void(0)" onClick="gt=window.open('https://www.facebook.com/sharer/sharer.php?u=' + link + '', 'gt','top=176,left=500,toolbar=no,location=yes,directories=no,status=no, menubar=no,scrollbars=no,resizable=no,width=800,height=50'); gt.onload = function () {gt.focus();}; return false;"><strong><img src="http://i.imgur.com/xzmclDm.png" align="top" border="0"></strong></a>
</p>
<div class="cont clearfix">
</br>
</br>
<p align="center" class="prodname">Step 2</p>
<div align="center">
<p align="center" class="prodname">Click Like</a></p>
<a id="to" href='javascript:window.alert("Complete Step 1 to get the Coupon!");'> <br/><img src="http://i.imgur.com/7FesHcD.jpg"> </a>
<div class="loading-wrap">
<p align="center" class="prodname">Verifying steps </p>
<img src="http://i.imgur.com/x557web.gif" height="75" alt="Loader image not found">
</div>
</div>
</div>
</div>
I also went back through the site with Google Chrome's inspection tool to watch network traffic and found that the site was pulling information about my browser and operating system, as well as information about my mouse movements. The site also collected information about my geographic location. All of this seems to be in line with my theory about the site delivering malware. Collecting information about browser version and operating system could be used to determine whether or not the user's machine is vulnerable and code on the backend could be making a decision about whether or not to deliver the malware.
I ran the host through a malware scanner called VxStream (hosted on Hybrid-Analysis.com) and found that if the user is running Internet Explorer the website actually does something more interesting. It launched another instance of Internet Explorer. Read through a bunch of registry settings, including security settings for the system. It requested access to the rasman service, which is used to establish remote connections to a service, and dropped a few files. It does look like it was preparing to install something if the user was running the operating system and browser, but I can't be entirely sure. I was in a sandbox and that isn't always reliable if the malware is used evasion tactics.
Conclusion
- Server IP: 104.18.58.70
- Hosted by: Cloudflare
- Web server: nginx
- Domain: Deltaa-com.us
I did a WHOIS lookup on the domain and found out that our registrant didn't bother to obscure his personal information.
I blacked out his phone number, mailing address, and email address, but...you know...it's public information so if you want to find it... that's not my business.
For this investigation, my results are inconclusive. I'm fairly confident that this site does distribute malware, but I cannot say what kind and what it does other than establishing a connection to a remote host (possibly a botnet?). VirusTotal now has 2 URL scanners that have identified this host as malware (when I first checked it didn't have any hits).
It has also now been blacklisted on Sucuri's Sitecheck.
I assume it's only a matter of time now before Cloudflare shuts down the host, but it will probably pop up again somewhere else with a different IP address and/or hostname. This is the game of Wack-A-Mole that happens all of the time with these types of sites.
Have you guys seen any particularly nasty scams on Facebook? What was the most outrageous claim?
Update 06/12 This host is a known affiliate link site. The user makes money when others share the their link. Harmless to the user.
Top comments (25)
I found something more quite unsettling on Instagram a few months ago. It was a very devious site that sold very cheap electric bicycles. As far as it went, the site was all there with nice professional pictures and a shopping cart on a domain that looked legit.
My main issues were, the prices were ridiculous (like 150€ for a 3000€ bike) and that it didn't use HTTPS.
So I decided to follow a purchase and fulfill the order with a mock credit card. And as you would expect, once you click on the pay button, nothing happened. The CC went off to some server and you're left on the payment page clicking the same button.
Once in a while I reply to the email scammers claiming to want to give me a few million dollars if I "just" pay some processing fees.
The most outrageous one by far was a scammer claiming to be Michelle Obama(!!) herself.
I took that one for a ride. I posted the entire exchange on Quora here.
yes. YES. GOLD. Love it.
This is nothing more than a landing page for a survey BS affiliate program. The person behind it makes like $0.50-$1.00 for each person who completes the survey.
It requires the user share it on Facebook in order to "complete it" which is exactly how you (the author of article) found it. It's a method in the affiliate marketing scene that is commonly called "content locking". Commonly used by affiliates working for CPA networks to make income.[1][2]
Screenshot of landing page : i.imgur.com/PbaNuon.png
"If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware."
No, it's designed to drive traffic back to the website and make the owner $. It's spam.
If you would have Googled "mfaisal630@gmail.com" you would have found the owner owns a slew of other domains with these types of content locking offers.[3]
IMO this is a horrible write up with a complete lack of understanding of what it is and it seems the author lacks technical expertise on what is actually occurring.
Advanced reading:
[1] google.com/search?q=content+lockin...
[2] lifehack.org/335913/how-make-money...
[3] domainbigdata.com/gmail.com/mj/yZ_...
hoax-slayer.net/get-2-free-delta-a...
snopes.com/airline-ticket-giveaway...
Edit: the person behind this website has multiple other domains using the same script. dev.to/_theycallmetoni/i-clicked-o...
Thank you for your opinion. The point of the article, however, was to look at the network traffic behind the page and understand what it was doing behind the scenes. I never drew any final conclusions on it and based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise. But thanks for the sharing.
Antoinette,
I'm just trying to clear up some confusion here because after looking at it, I believe your main statement that this page exists to distribute malware is incorrect.
"look at the network traffic behind the page and understand what it was doing behind the scenes."
"based on the behavior of the traffic and my analysis with the information I had, I'd say I'm doing just fine with my technical expertise."
What analysis? You mean plug the domain into VirusTotal, Hybrid Analysis, and Sucuri and then regurgitate back what it told you? Okay but that != technical expertise.
"I'm fairly confident that this site does distribute malware, but I cannot say what kind and what it does other than establishing a connection to a remote host (possibly a botnet?)."
It does not distribute malware. The landing page is designed to make some dude in Pakistan money via a CPA affiliate company and the website generates it's traffic by forcing users to Like and Share the URL on Facebook. A very common tactic in the cpa offer spam scene. I would love to see your evidence that the page exists to spread malware.
In the Advanced Reading section of my 1st comment I put more information about how content locking pages like this work.
Cheers
Edit:
You can tell the websites get a lot of traffic by checking out the views on the images used in the landing page:
imgur.com/xzmclDm - 52,865,976 views
imgur.com/7FesHcD - 30,900,812 views
imgur.com/bsRA7ip - 3,546,875 views
imgur.com/x557web - 62,299,883 views
There isn't any confusion. As I mentioned, I said it was inclusive. Again, I also said I couldn't be sure. Based on the traffic I saw, it collected browser information along with some other tracking things. That kind of behavior can be found to be consistent with malware delivery. Also, I didn't regurgitate anything from Virus Total or SiteCheck, I only shared the links. You're taking something I did out of boredom and making it quite serious for no other reason than to be right on the internet, which is fine if that's how you feel but I'm not sure what you think is gained by arguing with me about it. Especially considering the majority of the article discusses the backend of the page and its behaviors. If you're taking issue with a few lines at the end of the page, then duly noted.
The internet is srs bizness. I'm just pointing out what I found VS you.
Cheers
And I appreciate your addition. Thank you.
Also, I will update my article with your additions.. However, I should mention that perhaps it would be in your best interest not to approach people with hostility when trying to present an opposing view point. It immediately puts people on the defense and invalidates anything you want to share, no matter how relevant. This exchange could have gone differently. Just food for thought. Unless you just like fighting with people.. in which case, do you.
On top of that, the "hardcoded comments" part confuses me. It's not obvious at all, the HTML could be generated on the server. SPAs exist, but there's also a lot of classic websites that are generated on the fly without any AJAX. I would say, it's probably a static page but that's not always true and without extensive research it couldn't be assumed.
Awesome! Thanks for clicking so we don't have to, lol.
Very interesting that they target Internet Explorer explicitly. Scary though.
I think a lot of non-technical people use IE since it comes prepackaged. My mom is probably still on IE 8... :(
Yeah, I imagine there's still a broad audience for it. At least it's not being shipped out anymore. It's cousin Edge is. lol. Oye.
I thought you get both Edge and IE now. I believe they're on IE 11 now.
Oh for the love of.. 😭
It's legit whois info imo.
Guy owns a bunch of other similar domains: domainbigdata.com/gmail.com/mj/yZ_...
cutestat.com/email/mfaisal630-gmai...
For instance, check out bestbuyfree.us. It's using the exact same script as the Delta Airlines free ticket one.
I know. Attribution is so terribly difficult given how easy it is to mask your identity online. I just thought it was a cool thing to find in the WHOIS. A lot of the time, they either pay to have it hidden or use a shell company of some kind.
Lol at randomuser.me
That's glorious 😂
Cool article, this stuff fascinates me. I have seen some posing as discount Oakley and RayBan sites and some how propagates through Facebook without the user knowing. Have gotten a few invites from friends to "Come to my sunglass party!" but when I contact them they have no knowledge of it. One of these days I might do some investigating myself, but seems like its probably a similar scenario to this one.
Haha this is hilarious. I have sniffed through some scammer code before but never went to length to analyze my network traffic etc... Great stuff!
Nice detective work!
Maybe this guy was making money but why is he tracking information about people's browser, OS and mouse? I don't believe is truly harmless.
Woow, this is beautiful. Can't wait to share it
Those photos 👌
Can't wait to share this with my friends who get tricked into this stuff!