Do you see what's immediately wrong here? To start, Delta Airline isn't going to give out two free tickets to anyone for its 33rd anniversary.
Next, look at that URL at the bottom of the image.
Sure, it's possible for Delta to own different websites. But if Delta Airlines were going to give out free tickets for anything, it's safe to say it would be for marketing purposes, meaning they would more than likely want to drive traffic directly to their main website at Delta.com.
Now I'm curious, so I pull up Wireshark and start sniffing my own traffic while I browse through the site.
It should be noted that I should have done this in a VM. It is very possible that it could have been a drive-by malware attack, meaning my computer would have been infected as soon as I visited the site...aaaand later you'll see why this matters.
Immediately I see that this site isn't secure (no HTTPS). I clicked through the questions, and reached a page that urged me to share the link on Facebook, Like a page (I never did find out what Page it wanted me to Like), and then I would somehow get the tickets. Since there was no way I was going to Share the link, this was my stopping point.
At the bottom of the page, there were Facebook comments from "users" confirming that they received tickets. This is a common method scammers use in an attempt to legitimize their site.
I took a minute to look through the source code for the site and the first thing I noticed was that everything was hard-coded, even the so-called Facebook comments. The "user" images came from a site called randomuser.me, a.k.a. stock photos.
And here is a closer look. You can see where they hard-coded the number of likes on the comments, along with the age of the comments.
```html
<div id="fb1" class="item hidden">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/53.jpg" />
  <p class="comtxt"><span class="name">Radford Sarah</span> Wow, i won a free tickets from Delta Airline. </p>
  <p class="combot"><span class="ago">Just Now</span> · <span class="fblike">Like</span></p>
</div>
<div class="item">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/46.jpg" />
  <p class="comtxt"><span class="name">Deleon Sandra</span> Such a Great Service! Thanks Delta Airline.</p>
  <p class="combot"><span class="ago">11 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">267</span></p>
</div>
<div class="item">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/89.jpg" />
  <p class="comtxt"><span class="name">Brenda Vaughn</span> I am finally going to France with my friends.. Thanks Delta Airline!</p>
  <p class="combot"><span class="ago">17 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">63</span></p>
</div>
```
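The three tells in that markup (avatars from a placeholder-portrait service, literal like counts, literal "ago" timestamps, and a comment pre-rendered but hidden) can be checked mechanically. The script below is an added example, not code from the original post or from the scam site; it parses the comment widget with Python's standard-library HTMLParser and reports which static-social-proof indicators it finds. The sample markup is the snippet quoted above, embedded inline so the script runs offline; the list of stock-portrait hosts is a constructed starting point, not a complete catalogue.

```python
"""Flag hard-coded "social proof" comments in scraped page markup (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sample input: the comment widget markup quoted from the scam page above.
SAMPLE_HTML = """
<div id="fb1" class="item hidden">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/53.jpg" />
  <p class="comtxt"><span class="name">Radford Sarah</span> Wow, i won a free tickets from Delta Airline. </p>
  <p class="combot"><span class="ago">Just Now</span> · <span class="fblike">Like</span></p>
</div>
<div class="item">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/46.jpg" />
  <p class="comtxt"><span class="name">Deleon Sandra</span> Such a Great Service! Thanks Delta Airline.</p>
  <p class="combot"><span class="ago">11 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">267</span></p>
</div>
<div class="item">
  <img class="profileimg" src="https://randomuser.me/api/portraits/women/89.jpg" />
  <p class="comtxt"><span class="name">Brenda Vaughn</span> I am finally going to France with my friends.. Thanks Delta Airline!</p>
  <p class="combot"><span class="ago">17 minutes ago</span> · <span class="fblike">Like</span><span class="likes totlikes">63</span></p>
</div>
"""

# Constructed list of placeholder-portrait services; extend as needed.
STOCK_PHOTO_HOSTS = {"randomuser.me"}


class CommentParser(HTMLParser):
    """Collect every div.item into a dict with its avatar, name, age text and like count."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._cur = None      # the comment currently being read
        self._field = None    # which span (name/ago/likes) we are inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = a.get("class", "").split()
        if tag == "div" and "item" in classes:
            self._cur = {"hidden": "hidden" in classes, "img": "",
                         "name": "", "ago": "", "likes": ""}
        elif self._cur is not None:
            if tag == "img" and "profileimg" in classes:
                self._cur["img"] = a.get("src", "")
            elif tag == "span":
                for field in ("name", "ago", "likes"):
                    if field in classes:
                        self._field = field

    def handle_endtag(self, tag):
        if tag == "span":
            self._field = None
        elif tag == "div" and self._cur is not None:
            self.items.append(self._cur)
            self._cur = None

    def handle_data(self, data):
        if self._cur is not None and self._field:
            self._cur[self._field] += data.strip()


def parse_comments(html):
    """Return the list of comment dicts found in the markup."""
    parser = CommentParser()
    parser.feed(html)
    return parser.items


def static_proof_indicators(items):
    """Return human-readable indicators that the comment widget is static, not a real feed."""
    indicators = []
    if items and all(urlparse(it["img"]).hostname in STOCK_PHOTO_HOSTS for it in items):
        indicators.append("every avatar is served from a stock-portrait host")
    if any(it["likes"] for it in items):
        indicators.append("like counts are hard-coded literals")
    if any(it["ago"] for it in items):
        indicators.append("comment ages are hard-coded literals")
    if any(it["hidden"] for it in items):
        indicators.append("a comment is pre-rendered but hidden, to be revealed by script")
    return indicators


if __name__ == "__main__":
    found = parse_comments(SAMPLE_HTML)
    for it in found:
        print(f"{it['name']!r:20} likes={it['likes'] or '-':4} ago={it['ago']!r} hidden={it['hidden']}")
    for line in static_proof_indicators(found):
        print("INDICATOR:", line)
```

A real Facebook comments plugin is loaded in an iframe from Facebook's own origin at runtime; when the "comments" are already present in the first-party HTML with literal counts and ages, there is nothing dynamic behind them, which is exactly what the parser surfaces here.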
The more interesting part about this is that the site never asked for any information from me and based on the source code, I don't think it was ever going to. Based on the code below, it seems as though the host just wants you to share the link. It doesn't have a way to verify that you actually did it, and there aren't any conditional statements to advance the user to another section. No matter what the user did, they would always get a pop-up telling them to complete Step 1 when they tried to progress to Step 2. If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware.
I also went back through the site with Google Chrome's inspection tool to watch network traffic and found that the site was pulling information about my browser and operating system, as well as information about my mouse movements. The site also collected information about my geographic location. All of this seems to be in line with my theory about the site delivering malware. Collecting information about browser version and operating system could be used to determine whether or not the user's machine is vulnerable and code on the backend could be making a decision about whether or not to deliver the malware.
I ran the host through a malware scanner called VxStream (hosted on Hybrid-Analysis.com) and found that if the user is running Internet Explorer the website actually does something more interesting. It launched another instance of Internet Explorer, read through a bunch of registry settings, including security settings for the system, requested access to the rasman service, which is used to establish remote connections to a service, and dropped a few files. It does look like it was preparing to install something if the user was running that operating system and browser, but I can't be entirely sure. I was in a sandbox, and that isn't always reliable if the malware uses evasion tactics.
- Server IP: 220.127.116.11
- Hosted by: Cloudflare
- Web server: nginx
- Domain: Deltaa-com.us
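The hostname itself is the first indicator in this story: "Deltaa-com.us" borrows the brand name with one extra letter and folds "com" into the label so that it reads like delta.com at a glance. The script below is an added example (not from the original post) of how a defender might score hostnames seen in links or proxy logs against a short brand allowlist. The brand table and the examples it is run on are constructed; the second-level-label extraction assumes a one-label public suffix, which is enough for .us and .com but a production check would use the Public Suffix List.

```python
"""Score hostnames against a brand allowlist for lookalike indicators (added example)."""
import re

# Constructed allowlist: brand keyword -> the registrable domains that legitimately carry it.
BRANDS = {"delta": {"delta.com"}}

# Assumption: a single-label public suffix (.us, .com); use the Public Suffix List in production.
def registrable_label(host):
    """Return the second-level label, e.g. 'deltaa-com' for 'Deltaa-com.us'."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance, used to catch one-letter brand variants such as 'deltaa'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_indicators(host):
    """Return a list of reasons the hostname looks like a brand impersonation (empty if none)."""
    host = host.lower().strip(".")
    legit = set().union(*BRANDS.values())
    if host in legit or any(host.endswith("." + d) for d in legit):
        return []  # the brand's own domain or a subdomain of it
    label = registrable_label(host)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    indicators = []
    for brand in BRANDS:
        if brand in tokens:
            indicators.append(f"brand keyword '{brand}' appears in a domain the brand does not own")
        elif tokens and levenshtein(tokens[0], brand) == 1:
            indicators.append(f"label '{tokens[0]}' is one edit away from brand '{brand}'")
    if "com" in tokens[1:]:
        indicators.append("'com' is embedded in the label to mimic a .com domain")
    return indicators


if __name__ == "__main__":
    for h in ("Deltaa-com.us", "delta.com", "www.delta.com", "delta-rewards.net", "example.org"):
        print(f"{h:20} {lookalike_indicators(h) or 'no indicators'}")
```

The scoring is deliberately conservative (edit distance of exactly one, brand keyword as a whole hyphen-separated token) so that it flags the variants seen in campaigns like this one without drowning analysts in matches on unrelated words.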
I did a WHOIS lookup on the domain and found out that our registrant didn't bother to obscure his personal information.
For this investigation, my results are inconclusive. I'm fairly confident that this site does distribute malware, but I cannot say what kind and what it does other than establishing a connection to a remote host (possibly a botnet?). VirusTotal now has 2 URL scanners that have identified this host as malware (when I first checked it didn't have any hits).
It has also now been blacklisted on Sucuri's Sitecheck.
I assume it's only a matter of time now before Cloudflare shuts down the host, but it will probably pop up again somewhere else with a different IP address and/or hostname. This is the game of Whack-A-Mole that happens all of the time with these types of sites.
Have you guys seen any particularly nasty scams on Facebook? What was the most outrageous claim?
Update 06/12: This host is a known affiliate link site. The user makes money when others share their link. Harmless to the user.