Wednesday, November 11, 2015

Free Disney World Tickets? Nah, it's another Facebook scam (Part 2)

Some of this article appeared on this blog a few weeks ago; it has been updated with more examples, as well as some investigation into the possible motivations for such scams.

Disney is giving away hundreds of tickets to Disneyland and Walt Disney World! All you have to do is like a page on Facebook and share it with your friends!

Or not.

My friends and family know I am in the cyber security field, so they often ask me questions or send suspicious things my way for my opinion. And occasionally, they send things my way not realizing they've been hooked by a scam. The week before Halloween a friend shared what appeared to be a drawing for Disney theme park tickets. At the time I grabbed a few screen captures and pointed out a few things that led me to believe it was a scam, but left it at that.

In the time since then, I've seen about a half dozen similar scams and figured perhaps it's time for a more thorough discussion of what is going on, as well as possible motivations for the scammers.

Internet scams are as old as the Internet itself. In fact, I can remember email "chain letters" before web browsers were a thing. Social media simply makes it easy for a hoax to travel faster and farther. The scams that I came across fell generally into two categories: "earn" tickets by completing "offers," or a random drawing from those that like and share a page or join a group. In both cases, the only winners are the scammers, who abscond with something of value. What could that value be?

Earn free tickets by completing "offers"

This type of scam is common with in-demand items - iPhones and iPads are popular bait, but Disney theme parks seem to show up in late spring and late fall - times when families are planning summer or winter getaways and might fall for a vacation scam.

The motivation here is pretty clear: in order to "earn" the prize, you have to sign up (generally giving away personal information such as email and mailing addresses, household income, and other data that can be used to identify or market you).

In many cases, the offers involve buying an item or signing up for a "trial" of a service, which of course require that you supply a credit card number. I wonder what the scammer might have in mind for that card number?

With your email address, it would be easy for a scammer to send everyone a "you won!" email with "tickets" attached. Naturally, though, the tickets would be either malware or a document that exploits weaknesses in Microsoft Word or Adobe Reader; upon opening the tickets, your computer is now controlled by the scammer.

A real-world example from recent weeks is below. This scam is spread by joining a particular Facebook Group.

In this scam, you are invited to "surprise your family and get your tickets" by clicking on a link and completing the instructions that follow. Please don't follow the link from an actual computer you use - I did this from a virtual machine that I use for research, and which I reset to a "clean" state after each investigation. After clicking the link, I get this:

The scammer would like you to invite all of your friends to join this group, thus providing the scammer with fresh new victims to con. Since the invitation comes from you - you are in fact inviting your friends to join - they are more likely to accept than if the invitation came from a stranger.

If you don't know what a program or piece of code will do on your computer, it is generally not a good idea to run it. This holds true whether it is a program you download, or some code you are asked to run in a browser console.

In this case, the scam makes no attempt to verify that you followed the instructions - the "continue" button is active regardless, leading to this:

Ah, so here's the catch: in order to "earn" the park tickets, you have to complete one or more of the offers. As I explored the offers, each came with fine print:

Of course, nowhere are the "required Silver, Gold, and Platinum Sponsor Offers" defined, nor is there any explanation of how many or what class of offers are required to obtain the park tickets. Buried in the fine print though is the clause "after completion of purchase requirements." It's becoming clear that no one is giving away free Walt Disney World tickets, and in all likelihood, no one is actually "earning" them either.

One more click, and in order to "get my favorite pizza" (wait a minute, weren't we talking about Disney tickets? Where did pizza come from?), I have to fill out a form with some personal information. Which earns me a Target gift card. Huh?

This rabbit trail has led far away from the original bait, and I put the chances of my actually receiving a $500 Target gift card (or free pizza, or Disney park passes) at approximately zero.

Bottom line? There's no such thing as a free lunch, and no such thing as a free Disney vacation.

Share and Like a Facebook Page or Group

The second common scam still uses Disney park tickets as bait, but in the form of "random giveaways" to people that like and share a Facebook page. In this scenario, the scammer's motivation is less clear-cut. Here are the more likely outcomes, though.
  • "Like-farming" - gaming Facebook's popularity algorithms to build up a substantial following. CNN wrote about this a couple of years ago, citing the case of a cancer-stricken child whose photo was taken and used in a heart-tugging campaign that went viral. The scammers use bait to build up a following, then take the now-valuable page (valuable since it has a large following) and either sell it to someone else, or switch out the content.
  • Data harvesting. Facebook provides you with a high degree of control over how public or how private your information is. However, the default settings are reasonably open. If you have not intentionally adjusted your Facebook privacy settings, a number of things are by default visible to anyone in the world. This includes your name of course, but also your birthday, where you live, where you work, where you went to school, and other pages and causes that you like.

    Granted, any information or posts set to "public" are available to anyone whether or not you "like" their page. The act of liking a Facebook page does not allow the page owner to see private information about you individually. It does, however, allow the page owner to see fairly extensive anonymized information about page followers in aggregate.

    If nothing else, those that like and share a scam page have identified themselves as gullible, and perhaps likely to fall for other scams.
  • A setup for malware. Imagine a scam page that garners tens of thousands of likes. The page owner can then post a "see if you won!" link, or send a message to every follower with "tickets" as an attachment. Naturally, the "tickets" would instead be malware.

Below are a few examples I've come across of late; regardless of the scammer's motivation, for you and me there is no chance whatsoever that liking and sharing these pages will win us free Disney tickets.

In each case, these are "offered" by non-official pages that slightly mangle the actual park property names, and that are brand-new Facebook pages created just for this scam. A Disney-sponsored giveaway would know that the parks are properly called Walt Disney World and Disneyland (written as one word), not "Disney World" or "Walt Disney World Epcot," and not "Disney Land" (written as two words).
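As an added illustration (not part of the original post), here is a small Python heuristic that turns the two tells above into a check: a page name that is close to, but not exactly, an official property name, on a page that is only days old. The sample page names and creation dates below are constructed for the demo.

```python
import difflib
import re
from datetime import date

# Official property names; the post notes a real giveaway would spell these correctly.
OFFICIAL_NAMES = ["Walt Disney World", "Disneyland"]


def normalize(name: str) -> str:
    """Lowercase and collapse whitespace so 'Disney  Land' and 'disney land' compare equally."""
    return re.sub(r"\s+", " ", name.strip().lower())


def name_verdict(page_name: str) -> str:
    """'exact' if it matches an official name, 'lookalike' if it is close or merely
    embeds the brand with extra words ('Disney Land', 'Walt Disney World Epcot'),
    otherwise 'unrelated'."""
    n = normalize(page_name)
    best = 0.0
    for official in OFFICIAL_NAMES:
        o = normalize(official)
        if n == o:
            return "exact"
        best = max(best, difflib.SequenceMatcher(None, n, o).ratio())
        if o in n or n in o:          # brand name plus/minus extra words
            best = max(best, 0.9)
    return "lookalike" if best >= 0.75 else "unrelated"


def page_verdict(page_name: str, created: date, today: date, max_age_days: int = 30) -> dict:
    """A lookalike name on a brand-new page is the pattern the post describes."""
    age = (today - created).days
    name = name_verdict(page_name)
    return {"name": name, "age_days": age,
            "suspicious": name == "lookalike" and age <= max_age_days}


# Constructed sample pages: names taken from the post, creation dates made up.
SAMPLE_PAGES = [
    ("Disney Land", date(2015, 11, 9)),
    ("Walt Disney World Epcot", date(2015, 11, 10)),
    ("Disney World", date(2015, 11, 1)),
    ("Walt Disney World", date(2009, 1, 1)),
    ("Bob's Pizza Shack", date(2015, 11, 8)),
]


def flag_pages(pages=SAMPLE_PAGES, today=date(2015, 11, 11)) -> dict:
    return {name: page_verdict(name, created, today) for name, created in pages}


if __name__ == "__main__":
    for name, verdict in flag_pages().items():
        print(f"{name!r}: {verdict}")
```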

One of the pages managed to attract over 30,000 likes within a couple of days. Free is enticing. Sadly, there's no such thing as a free lunch, and no such thing as a free Disney vacation.

If you see more examples of Disney park ticket scams, send a note to david [at] securityforrealpeople.com and I'll gladly add them to the list.

Update November 27: Here's another that just popped up.

Update January 25, 2016: A reader tipped me off to another scam that just popped up today. This one managed to collect over 30,000 shares in under 24 hours before Facebook took it offline:

Clicking this link WON'T win you a 7-night Disney World trip and $5,000 cash.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.