The experts at G DATA SecurityLabs deal with cyber criminals on a daily basis but there are always seasonal particularities. Especially now in spring, the questionable offers of popular sunglasses entering the market are springing up again via spam mails, social media platforms and even short messages on mobiles. The analysts have followed the tracks, explain background information and provide tips to help you avoid shopping flops.
The current investigation explicitly deals with suspicious offers of very popular brand sunglasses – especially Ray-Ban and Oakley. Glasses by these two brands are particularly popular with spammers and, in keeping with the season, offers are sprouting up like mushrooms. In most of these cases, the ads reach computer users completely unintentionally and in some cases the mere use of Facebook even turns users into advertising vehicles without their consent.
Spam has undoubtedly been on the IT security experts' minds for a long time. In the past, computer users were only bothered by undesired emails but now cyber criminals have discovered newly created digital channels as well. Let's take a look at the different channels through which we have received advertising for suspicious sunglasses shops:
As expected, there is a wide range of promises. In the emails we have analysed, we were promised discounts ranging from 65% to 85% for sunglasses. None of the analysed emails contained an attachment. However, each of them contained references to web shops in which the advertised glasses could apparently be bought.
As the selection of screenshots illustrates, there are quite a few differences in the design of the emails in HTML view. Some of them appear quite professional and look like they could be legitimate advertising by a popular brand. Others, in contrast, are quite drab and should immediately arouse suspicion. Further indicators for such spam:
They all have one thing in common: They contain links to websites of suspicious shops, which we will later cover in the context of potential risks.
The function for tagging friends in photos has been around for a long time. Facebook has now enabled tagging for status updates as well. Spammers are using this function. To do this, they use hacked Facebook profiles but also accounts created specifically for this purpose as well as repurposed accounts that once served a different purpose.
They use a profile to create an event with photos and information on Ray-Ban bait advertising and then invite unsuspecting users to this event.
As you can see in the screenshots, it looks like an account that has been inactive for an extended period of time has been abused here – unless the attackers specifically deleted all timeline posts except for one from the year 2013. In total, 9,553 people were invited to this event and some actually accepted the invitation!
The purpose of the event is to publish and spread the URL to one of the suspicious shops. The URL appears over and over in the entries for this event, as illustrated by the screenshot (on the right). The events as such do not pose a risk to Facebook users, but the people behind them can present their potentially dangerous websites.
Users who find out that their good name has been abused often inform their friends quite quickly and can only hope that nobody has fallen for the scam:
Click-jacking is one of these options. Here, initiators might integrate invisible Like buttons on websites, place them over a legitimate button and thus "force" users to make a positive click for the bad guys. We must not forget about actual organic spreading from one person to another as a distribution method either. "Dirty" Facebook apps are another option: Sometimes the event organisers claim that a Facebook app must be installed in order to participate in an event or competition designed in a similar fashion. This method is also referred to as sharebaiting. The advertised app generally requires all sorts of permissions to the user's social media account and can then distribute new spam to friends and friends of friends – the digital snowball keeps rolling on and getting larger. |
They hack the account of an existing Facebook user and post intrusive advertising images in the user's name. To do this, they tag persons in the list of friends because it is a well-known fact that a recommendation by a friend is much more trustworthy than a recommendation by a stranger. To avoid being discovered immediately, spammers usually tag only a few friends in order to make the advertising appear more authentic. Furthermore, using only a few tags might make any existing spam protection mechanism of the portal act less aggressively.
The colourful images and outrageously low prices are designed to tempt the tagged persons to visit the specified websites and shop there.
There are again two possibilities for spreading the content: Attackers can vreate new accounts and spam walls of accounts that do not restrict the possibility to post on walls. Furthermore, attackers can hack accounts of Facebook users and also Facebook sites and can then spread the ads on the respective wall or on other walls in the hacked accounts’ names. Such a case of a hacked account overtook a New Zealand Bed & Breakfast account which then involuntarily served dubious ads for a few weeks. Interesting fact: The ad gained 132 Likes, more than the site itself was able to accumulate!
In the summer of 2014, US Americans experienced a remarkable wave of this type of spam for fashionable eyewear. The iMessage service by Apple, in particular, was abused by spammers using short scripts. Senders could quickly write code on a Mac for sending a bait message to what felt like every single user. Prior to sending a message to a phone number or email address, the iMessage service provides information about whether or not the recipient is registered for iMessage. This leads to a very high success rate!
A selection of screenshots from these websites shows that they look very similar. The people behind them often use copies of the original websites, which are integrated into so-called phishing kits to enable quick adjustments. All the operator of a site has to do is to enter the target data for form fields and the like in order to place a supposed original shop site online without much effort.
The reconstructed sites often look just like the originals and it is rather hard to spot mistakes; however they stick out because of bad translations. German text we saw, translated to English now, would be something like "discount crazy" or "view, find your style here" or "new entry block harmful light" or even “Free Shippng for Mini Order 1 Pieces”. The language the website is presented in – in case the web server does not adapt because of location sharing options – gives a hint at the intial target audience. Missing or very unusual information on Imprint pages can also be an indicator of copy cats. Some of the websites feature supposed certificates of authenticity and security certificates, which are also mere copies from original websites. For more tips on identifying such websites, refer to our info graphic on secure online shopping.
These are not the tricks of an individual person or organisation, but there are certainly overlaps in the instances of email and social media scams we have recently analysed: 24 of the 40 domains analysed were still active. All active domains were registered using Chinese registrar information and there were various names of registrars, registrant organisations and registrant names that appeared several times. Five of the active domains are currently stored on servers in Istanbul (Turkey), two in Florida (USA) and 17 in California (USA). In contrast, 16 websites are already under legal investigation, which the Luxottica S.p.A company has initiated against the operators.
Luxottica S.p.A (NYSE and MTA) is the world's largest eyewear company and has its headquarters in Italy. It unites glasses, sunglasses and retailers from this industry as well as medical services under one roof. The most well-known brands here are Ray-Ban and Oakley, as well as many others.
Ray-Ban, the brand most frequently used in this scam, is an American brand which now belongs to the Italian corporation. The previous owner Bausch&Lomb used to produce sunglasses for the US Army under the name Ray-Ban (do you remember the movie Top Gun?!) and sold Ray-Ban to Luxottica in 1999. After a year of abstinence, the products re-entered the market and have been the Italian company's best seller ever since. They are sold for approx. US$ 150 a piece whereby the sunglasses are currently sold for approximately 20 times their estimated production price. Last century, they were sold for approximately US$ 30.
Hence, it comes as no surprise that cyber criminals are exploiting this booming business and specifically target the global market leader with their sunglasses scams.
No, not at all. Many other industries and brands are also affected. There are "irresistible offers" for designer handbags, luxury watches, the latest sports gear and, last but not least, medication.
The possible effects are at least as varied as the scams described: