Can simply answering three or four questions and paying a nominal handling fee qualify people to redeem tickets, receive expensive products, $500 or even $1,000 gift cards, store credit or compensation from well-known brands? No, that's not true: In the first quarter of 2023, Lead Stories tracked a large-scale phishing operation on Facebook that manipulatively tricks people into divulging personal information. The bait is false promotions, naming a wide array of famous products and companies. This article will explain the patterns observed and the structure of the deception.
False promotions of this kind were appearing on Facebook as early as the spring of 2022; KitchenAid stand mixers appeared in many deceptive posts in April of 2022 (here and here). Another example is a suspicious promotion from June 29, 2022, mentioning T-Fal cookware, targeting Facebook users in South Africa. On January 26, 2023, this suspicious post from the Facebook page "Promo Amusement Tickets" was captioned:
Disney is looking for women over 40+ y/o Get 2 Disney Full Weekend Tickets for only $1! Answer 4 questions to get your tickets!
This is what the post looked like on Facebook at the time of writing:
(Source: Facebook screenshot taken on Fri Mar 17 20:19:11 2023 UTC)
Microsoft Security describes phishing attacks as aiming "to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers."
Listed below are some of the common patterns observed in this phishing scheme, regardless of which brand name is used as a lure:
- Fake Facebook pages made to match the product or promotion;
- Page made on or near the same date as the promotion post itself;
- Promotional image edited to add price signs and salespeople;
- Text caption suggesting that the offer is time sensitive;
- "Just answer 3 (or 4) simple questions";
- Offer frequently targets women over 40 years old or born before 1980;
- Offer may combine two well-known brands;
- Offer may be presented as a settlement against the company for some wrongdoing;
- Fake profiles leave encouraging comments and photos of what they purportedly received;
- The website linked from the "Apply Now" button was recently registered and is unrelated to the brand in the promotion;
- Website frequently disguised as a cooking or travel blog;
- Personal details are required to redeem the offer;
- A nominal fee must be paid with a credit card.
Easy come easy go
In the Disney tickets example above, Promo Amusement Tickets is listed as an advertising agency. There is a button at the bottom of the post that says "Apply Now." This button takes users to a website off Facebook, zoaklsa.info. According to the Whois record, the website was registered on January 23, 2023. The Promo Amusement Tickets page was made on January 26, 2023 -- the first and last day a post was made to the page.
While there are many details to the false promotion scheme, not much is invested in any particular piece. The profiles, Facebook pages and websites are used for a few days before they are abandoned or deactivated. The zoaklsa.info website may show the characteristic survey of four questions as the landing page from the post promising Disney tickets. Or the survey may be hidden and instead zoaklsa.info may display innocuous blog content (archived here) about grocery store rankings, for instance, a deceptive tactic called "cloaking" (described later in this article). This type of broken functionality hides the tracks, and is common once the short-lived page has served its purpose.
A method to the madness
The methods of this network vary very little. Lead Stories did not determine how many people are involved, if they all work together or are copycats, or where the network is based. When it comes to the false promotions, regardless of whether it involves a clothing brand or airline, the design of the path that would lead a person to eventually offer their name, email and credit card information to a bad actor is identical. This list is bound to change, but at the time of writing these are some of the brand names Lead Stories found used in these false promotions:
Aicook ice makers, American Airlines, Amtrak, Arctic King refrigerators, Barbie, Costco, Craftsman generators and toolboxes, Delta, DeWalt, Disney, Feeding America food banks, H & M clothing, Hilton hotels, KitchenAid toasters and stand mixers, Kroger food stores, Lego, Louis Vuitton bags, Lowes, Macy's, Marriott hotels, Nike shoes, Ninja Foodie knives and cookware, SHEIN clothing, Shell and Speedway gas stations, Target, Tesco, T-Fal cookware, Toys R Us, Universal Studios, Walmart, and Yeti coolers
This Lead Stories composite image below (this image will open larger in a new window) shows over 50 screenshots. These posts are using different brands, all with the same false promotion ruse.
(Image Source: Lead Stories composite featuring Facebook screenshots from many pages -- Fri Mar 17 21:48:53 2023 UTC)
Bring in the reinforcements
Coordinated Inauthentic Behavior is a violation of Facebook's community standards. A detailed report on this policy rationale is posted on the Transparency Center webpage:
We do not allow entities to engage in, or claim to engage in Coordinated Inauthentic Behavior, defined as the use of multiple Facebook or Instagram assets, working in concert to engage in Inauthentic Behavior (as defined above), where the use of fake accounts is central to the operation
The fake profiles used by this spamming network are typically bare bones, with nothing but a name and a profile picture that shows an upload date. They post comments under the promotions. Additional fake profiles add likes and loves to the fake comments, causing them to rise to the top. The image below shows nine profiles that were featured in a Lead Stories fact check about a false promotion of Walmart Store gift cards. All nine of these profiles were made between June 30, 2022, and July 3, 2022.
(Image source: Lead Stories composite image from Facebook screenshots taken on Wed Mar 15 18:39:37 2023 UTC)
Featured in the Lead Stories composite image below are two fake accounts from this network (will open larger in a new window). The profile photos of "Derrick Cohen" and "Ali Rivers" were uploaded on consecutive days, June 18, 2022, and June 19, 2022. Except for the one profile photo, neither account has any additional posts or photos. The accounts were used in a coordinated way to give the appearance of an audience -- fake likes and follows to some pages (thumbnail images are shown below each profile). These pages are also posting false promotions (examples below center).
Although not a rule in the network, in this example most of the Facebook pages are represented by a female face and have a female name such as Charlene Rogers, Jhenzkie Rebato or Janice Smith, rather than a name that sounds like a business. Except for one, these are not photos of real women; these are AI-generated faces made by a program called StyleGAN. Lead Stories published an analysis article about StyleGAN images in December 2019.
(Image source: Lead Stories composite image with Facebook screenshots taken on Tue Mar 21 17:42:52 2023 UTC)
Many people commenting are justifiably concerned this could be a scam. The Lead Stories composite image below shows fake comments that aim to reassure people. These glowing reviews frequently show photos of the promised gift card in hand, or the products unboxed. Some of the comments appear to come from people having doubts, but these are also planted. The fake profile Derrick Cohen offered:
To set the record straight, I contacted the company and they confirmed that it is legitimate and that they are clearing out their warehouses. However, the availability is limited, which could be the reason why it's not widely advertised.
The other fake profile Ali Rivers, thanked Derrick.
(Image Source: Lead Stories composite featuring Facebook screenshots from many pages -- Fri Mar 17 21:48:53 2023 UTC)
On the Google web search page on spam policies, Google Developers describes cloaking:
Cloaking refers to the practice of presenting different content to users and search engines with the intent to manipulate search rankings and mislead users. Examples of cloaking include:
- Showing a page about travel destinations to search engines while showing a page about discount drugs to users
- Inserting text or keywords into a page only when the user agent that is requesting the page is a search engine, not a human visitor
When a Facebook user clicks on the post's "Apply Now" button, the link carries tracking info that the click originated from that Facebook post. If the phishing website is still working, the user will be shown the survey of four questions at a hidden part of the website. These questions are non-essential, but function as a "sunk cost" investment. Making the person spend a little more time in the process helps to motivate them to follow through at the finish.
The website does not always load the survey. In some cases a dummy website, usually a cooking or travel blog that was randomly scraped from the web, will load instead. This cloaking hides what is really going on from search engines and archiving services. In the example below, the survey for a false promotion promising $500 Walmart grocery gift cards shows on the left and on the right is the cookbook website that was offered to the WaybackMachine archive. Both were served up from the same link on a single website.
(Image source: Lead Stories composite image from bostore.info and web.archive.org screenshots taken on Wed Mar 15 18:39:37 2023 UTC)
This phishing scam shows a keen understanding of how false scarcity can be used to drive more people to respond to calls to action, such as seeking users' participation in a survey. In a blog post about the scarcity principle, security solutions trainer Lenny Zeltser explains:
The scarcity principle, popularized in Robert Cialdini's book Influence: Science and Practice, dictates that people assign more value to opportunities that are less available. Scammers take advantage of this psychological tendency when social engineering victims on-line.
In the fake promotions scheme, false scarcity is repeatedly used.
The caption in the post may indicate that the offer is only extended to certain people:
Costco is sentenced of discriminating women over 40 y/o! Victims get 500 $ store credit. Qualify by answering 4 questions.
Or, the post may declare that supplies of the free goods are limited (here and here):
Don't wait! You can snag a 17-piece Ninja Foodi Knife Set for only $3, but act fast because stock is limited. Click 'Shop Now' to get your hands on this amazing deal while supplies last.
Another example of false scarcity pressure is a countdown clock giving them only minutes to fill out the survey or they may be told only four prizes are left.
In the example below, after filling out the survey they are offered a chance to win the thing that earlier had been promised. The challenge is set to lose on the first try -- but a second try is granted, which of course, wins.
(Image source: bostore.info screenshot taken on Wed Mar 15 17:35:37 2023 UTC)
Counterfeit trust verification seals
The "winners" are transferred to a final website to fill out their information. After filling in the name, email and phone number on the form, the next step is for the user to pay a nominal fee, purportedly for shipping of the gift card or product -- usually $2 or $3. This is simply a way to get people to hand over their credit card information.
To inspire confidence when the credit card comes into play, the web forms offer "trust verification" seals. These are counterfeit. These are just small images of the trustmarks but they lack the essential functionality. A trustmark should be a hyperlink back to a credible organization that verifies trusted seller status.
In the composite image below are the final information collecting forms of two websites and their counterfeit trustmarks, mygreatwin.com and techdealgiveaway.com.
(Image Source: Lead Stories composite featuring mygreatwin.com and techdealgiveaway.com screenshots -- Thu Mar 16 16:05:56 2023 UTC)
Lead Stories reached out by email to TrustedSite, a cybersecurity company to enquire about these trust verification seals. TrustedSite offers a variety of certifications to websites. Lisa Dowling, the co-CEO of TrustedSite replied on March 17, 2023. She explained:
Since the McAfee SECURE™ service was retired in 2021 and replaced with the TrustedSite certification, any 'McAfee SECURE' trustmark you'd find today is fake.
You can tell if a trustmark is authentic by clicking on it and confirming that it leads to a verification page from the certifying brand. You should be wary of any website using trustmark images that can't be easily verified with a click.
Established trustmark brands, like TrustedSite, always allow you to click the trustmark to verify its authenticity and understand what the trustmark means.
Real trustmarks are hyperlinked. A similar design of hyperlinked verification can be seen in the green IFCN Signatory badge at the bottom of every Lead Stories fact check -- it is not simply a picture of the badge. When clicked, it links to Poynter.org -- to a page naming Lead Stories and certifying the organization was deemed compliant with the principles of the International Fact Checking Network.
The website Scam Detector evaluates websites by a number of criteria. Techdealgiveaway.com rates a 1.6 out of 100 on the site's trust index.
At the bottom of the page there are comments left by many people who were surprised by subscription charges between $89.95 and $155.90 they had not authorized. Most had encountered these deceptive false promotions on Facebook but some found them in email and on website ads.
Lead Stories has written about several of these false promotions naming SHEIN clothing, KitchenAid stand mixers, Walmart (here, here, here and here), Costco, Target, Speedway, and Shell gas stations.
(Editors' Note: Facebook is a client of Lead Stories, which is a third-party fact checker for the social media platform. On our About page, you will find the following information:
Since February 2019 we are actively part of Facebook's partnership with third party fact checkers. Under the terms of this partnership we get access to listings of content that has been flagged as potentially false by Facebook's systems or its users and we can decide independently if we want to fact check it or not. In addition to this we can enter our fact checks into a tool provided by Facebook and Facebook then uses our data to help slow down the spread of false information on its platform. Facebook pays us to perform this service for them but they have no say or influence over what we fact check or what our conclusions are, nor do they want to.)