Fruity browser survey

I searched for diet spam tweets on Twitter and found one link that looked promising: ongarciniacambogia.com:

new-garcinia-tweets

Quick check on Pinterest using the /source/ – parameter – lots of fruity images:

new-garcinia-pinterest

I had to visit one link to see if this really is diet spam. Safety tip: I’m running disposable Linux in a Virtual Machine in case of malware or other nasty things.

The page looks quite different. No annoying videos or pop-ups, the page has links to Twitter, Facebook, Google+ – not spam or scam?

ongarciniacambogia

The source code of the page didn’t reveal anything clearly malicious. The site is powered by WordPress. Let’s proceed and click on the “free trial” and see what happens:

exclusiverewads-honkeyproductions

I was redirected to exclusiverewards.honkeyproductions.com. The “survey” page is localized saying I might win a 1000€ gift certificate just by answering five simple questions about my browser usage. The page recognizes at least Firefox, but gets confused with other great browsers such as Opera and Safari.

Quite confusing. I expected to land on a diet scam page. Before completing the survey, I checked the page source code & JavaScript. There are plenty of other possible prizes: mobile devices, flight tickets, dental products, underwear and so on. The site really doesn’t care about your browsing habits. But it might want your e-mail address or phone number – obviously you should not give any personal information to sites like this.

I completed the survey, because the page source code didn’t reveal what is going to happen next. I landed here:

survey-landing-fi

Yet another competition and spammers most likely got one more click worth of some money. The final landing page seems to depend on your location. Here is the Italian version:

survey-landing-it

Interesting journey: diet products, fake (and possibly malicious) browser survey and finally some random competition. This scheme is too complex and confusing. Hopefully so confusing that users will close the browser window after the first step – or before it.

Update 14-July

I have reported the domains and links to F-Secure. You can check the status e.g. from F-Secure’s Browsing Protection site.

This campaign involves several typosquatted domain names. I have found the following ones:

  • goggle.com, goggle.net
  • youtude.com
  • faecbook.com
  • twitterr.com
  • linkedinn.com
  • tmublr.com
  • pinerest.com
  • hotmil.com (possibly related)
  • myspce.com (possibly related)

They all redirect to the same scam survey. Below is a screen-shot of the “faecbook”:

Faecbook redirect
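The typosquatted names listed above are each a single edit away from a well-known brand, which makes them easy to flag in proxy or DNS logs. The following Python sketch is an added example, not part of the original post: the `BRANDS` watchlist is an assumption, and `OBSERVED` is the list of domains from this update.

```python
# Added example. BRANDS is an assumed watchlist; OBSERVED is the list from this post.
BRANDS = ["google", "youtube", "facebook", "twitter", "linkedin",
          "tumblr", "pinterest", "hotmail", "myspace"]
OBSERVED = ["goggle.com", "goggle.net", "youtude.com", "faecbook.com",
            "twitterr.com", "linkedinn.com", "tmublr.com", "pinerest.com",
            "hotmil.com", "myspce.com"]


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typo_kind(label, brand):
    """Name the single edit separating label from brand (distance 1 only)."""
    if len(label) != len(brand):
        return "insertion" if len(label) > len(brand) else "omission"
    return "transposition" if sorted(label) == sorted(brand) else "substitution"


def classify(domain, brands=BRANDS):
    """Return (brand, kind) if the domain is one edit away from a watched
    brand; None for exact matches and for unrelated names."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]  # label left of the TLD; multi-part suffixes (co.uk) not handled
    brand = min(brands, key=lambda b: osa_distance(label, b))
    if osa_distance(label, brand) != 1:
        return None
    return brand, typo_kind(label, brand)


if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{name:15} -> {classify(name)}")
```

Run over the list above, every domain is matched to its brand, and the names fall into four typo classes: substitution, transposition, insertion and omission.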

 
