Recently, we hosted a “cyber boot camp”, teaching high school students to attack and defend networks. One of our presenters, John Moffat, who often delivers security awareness seminars to teenagers and stresses the dangers of the “free” Internet, referenced this scam in his presentation. While Mr. Moffat doesn’t claim to be a malware expert, he knows a scam when he sees one, and does his best to help others avoid falling prey.
So what happens if you fall for one of these types of scams? Below we follow the trail of one example, with screenshots of what you might see.
In this example, I clicked on a highly ranked Google search result that pointed to a YouTube video purporting to give instructions on how to convert YouTube videos to .mp3s.
When I did, the video player showed a static, non-video image that directed me to visit a website directly. The video description was stuffed with keywords to inflate its search ranking. Here’s a screenshot of what I was presented with:
I chose the Best Buy gift card offer. When I clicked on it, it took me to a page saying I could get a $1,000 gift card, even better!
But surprise, after I completed the last question, I then had to enter my email, presumably to get the gift card. When I entered a fake email, I was then taken to a screen where I had to enter much more personal information, including my physical address, age, sex, and phone number. I also had to consent to being called by third parties about magazine subscriptions, etc:
Once you click ‘continue’ you get the next screen:
At this point, I noticed that the password originally promised to unlock my video converter download had never materialized. It seemed clear that the rabbit trail I was following would not end any time soon, so I exited the websites and finished up this article, hoping this account of what happens if you take the bait would dissuade others from falling for similar scams.
What’s the payoff for scammers? For some time now they have continually adapted their scam platforms to match new potential streams of traffic, and this is no exception. By gaining high search rankings through BlackHat SEO (BHSEO), every time a user clicks, their search popularity rankings, and the associated ad revenue, go up. Even if the user doesn’t fall for installing a “free premium .mp3 player” (laden with malware) or some such because they’re the “lucky one thousandth viewer” of the website, the scam website still makes money by cashing in on the traffic.
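The keyword-stuffed description noted above and the BHSEO traffic play described here both rely on text crammed with repeated search terms. The following is an added example, not code from the article or from ESET, showing one simple heuristic a content moderator or abuse team could run over a description to flag likely stuffing: it measures how few distinct terms the text uses and how large a share the single most repeated term takes. The two sample descriptions, the stop-word list and the thresholds are constructed assumptions for illustration, not values from the article.

```python
import re
from collections import Counter

# Constructed sample inputs (not taken from the article).
NORMAL_DESCRIPTION = (
    "This video walks through the ffmpeg command line options for extracting "
    "audio from a recorded lecture and saving it as an mp3 file. Timestamps "
    "are in the comments."
)
STUFFED_DESCRIPTION = (
    "youtube to mp3 converter free youtube mp3 download free mp3 converter "
    "youtube download mp3 free converter online youtube to mp3 free download "
    "mp3 youtube converter free mp3"
)

# Assumed stop-word list: common function words that say nothing about topic.
STOPWORDS = {"the", "a", "an", "to", "of", "and", "for", "in", "on", "how",
             "is", "this", "with", "your", "it"}

# Assumed thresholds; a real deployment would tune these against labelled data.
MIN_TOKENS = 20          # too little text to judge below this
MAX_UNIQUE_RATIO = 0.4   # fewer than 40% distinct terms looks repetitive
MAX_TOP_SHARE = 0.15     # one term making up >15% of the text looks stuffed


def tokenize(text):
    """Lower-case the text, keep alphanumeric runs, and drop stop-words."""
    return [t for t in re.findall(r"[a-z0-9']+", text.lower())
            if t not in STOPWORDS]


def analyze(text):
    """Return repetition statistics and a 'stuffed' verdict for a description."""
    tokens = tokenize(text)
    if not tokens:
        return {"tokens": 0, "unique_ratio": 1.0, "top_term": None,
                "top_count": 0, "top_share": 0.0, "stuffed": False}
    counts = Counter(tokens)
    top_term, top_count = counts.most_common(1)[0]
    unique_ratio = len(counts) / len(tokens)
    top_share = top_count / len(tokens)
    stuffed = (len(tokens) >= MIN_TOKENS
               and (unique_ratio < MAX_UNIQUE_RATIO or top_share > MAX_TOP_SHARE))
    return {"tokens": len(tokens), "unique_ratio": unique_ratio,
            "top_term": top_term, "top_count": top_count,
            "top_share": top_share, "stuffed": stuffed}


if __name__ == "__main__":
    for label, text in (("normal", NORMAL_DESCRIPTION),
                        ("stuffed", STUFFED_DESCRIPTION)):
        print(label, analyze(text))
```

The heuristic is deliberately crude: it will miss stuffing spread across many synonyms and may flag legitimately repetitive text such as a tracklist, so in practice it is one signal to combine with others (upload frequency, link destinations, viewer complaints) rather than a verdict on its own.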
And many users might be convinced to download a premium, Java-based player, with free malware as a bonus.
At that point, I went to my favorite reputable .mp3 vendor and purchased a great blues track from yesteryear for 99 cents, and decided to forego the personal information harvest “for free”.
Reprinted with permission; screen captures courtesy ESET.