McAfee Labs

Peering Into a Pinterest Scam Toolkit

May 14, 2012

Pinterest is getting lots of media attention lately. Spammers are also starting to exploit the social-media “pinup” site to make quick money. We have found that there are already lots of ready-to-use tools that make it easy for anyone to start Pinterest scams without much difficulty or technical skill. These tools are so easy to use that many require the attacker or scammer only to change a couple of lines of code in the available kit. They can literally start a new Pinterest scam within minutes! Such tools come bundled with all the required software: account creator, mass follower tools, mass liker tools, comment posters, etc.

We found a couple of such toolkits on the Internet. They are also available for sale on various forums over the net.

Each tool performs a specific function. For example, the folder Pinterest Content Locker contains a couple of scripts to set up scams. This particular one is a scam technique in which victims visit the website and get a “content locked” message stating that they need to click on the “Pin It” button to unlock the content. Here is an example:

In the PHP code we can see the following:

The code contains an array of links and it randomly selects one to post on Pinterest. It also uses an “unlocked” cookie to check whether a user has already visited the webpage and clicked on the pin button.

The scam requires that a victim click on the “pin it” button before seeing the content of the web page:

The code then calls a function Clicked. This function opens a new window and takes the user to Pinterest for pinning the content. Then it calls another function Remove_Overlay:

This function sets the cookie “unlocked” to the value 1, with an expiration date of the current date plus one. This is done so that the next time users open the same URL, they will not get the content-locked message.

The code also has the folder viral script, which contains a PHP file used to display various scams:

The image asks the user to click on the “pin it” button, which posts the URL to Pinterest. Then it asks the user to perform the final step, which leads to an attacker-defined survey URL.

The trick is to get victims to click on the “pin it” button before clicking on “Final Step.” If users first click Final Step, then they see this message:

Let’s look at the code of “Click Here”:

It has a link element with id="linkos" whose value is javascript:window.alert("Please Complete Step 1").

This value can be modified at runtime after the user has clicked on the “pin it” button, shown in the next image:

When a user clicks “pin it,” it calls the function “PopupCenter,” which will post the link to Pinterest and call the function “RevealLink.” This function changes the value of “linkos” as follows:
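The kit's own code is not reproduced here. As an added defender-side example (not code from the kit or from McAfee), the following Python sketch scans a page for the two gating patterns described above: the “unlocked” cookie of the content locker and a placeholder link such as “linkos” that script later rewrites. The sample pages, the example.test host and the assumption that the link is looked up by its id are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Function names the article attributes to the kit's templates.
KIT_FUNCTIONS = ("Clicked", "Remove_Overlay", "PopupCenter", "RevealLink")

class PlaceholderLinks(HTMLParser):
    """Collects ids of <a> elements whose href is only a javascript: alert."""
    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = (a.get("href") or "").replace(" ", "").lower()
        if tag == "a" and a.get("id") and href.startswith("javascript:") and "alert(" in href:
            self.ids.append(a["id"])

def scan_page(html):
    """Return the pin-gate indicators found in one HTML document."""
    links = PlaceholderLinks()
    links.feed(html)
    js = "\n".join(re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I))
    # Gated link: a placeholder anchor whose id is also referenced from script
    # (assumption: the swap is done by looking the element up by id).
    hits = ["gated-link:" + i for i in links.ids
            if re.search("[\"']%s[\"']" % re.escape(i), js)]
    # Content locker: script writes a cookie named "unlocked".
    if re.search(r"document\.cookie\s*=[^;\n]*\bunlocked\s*=", js):
        hits.append("unlocked-cookie")
    hits += ["kit-function:" + f for f in KIT_FUNCTIONS
             if re.search(r"\bfunction\s+%s\s*\(" % f, js)]
    return hits

# Constructed sample pages (not taken from the kit).
SUSPECT = """<a id="linkos" href="javascript:window.alert('Please Complete Step 1')">Final Step</a>
<script>
function RevealLink() { document.getElementById("linkos").href = "http://survey.example.test/"; }
function Remove_Overlay() { document.cookie = "unlocked=1; expires=" + new Date().toUTCString(); }
</script>"""
BENIGN = """<a id="more" href="/article/2">Read more</a>
<script>function track() { document.cookie = "theme=dark"; }</script>"""

if __name__ == "__main__":
    print(scan_page(SUSPECT))
    print(scan_page(BENIGN))
```

The function names are weak signals on their own because a kit user can rename them; the structural checks (alert-only link touched by script, unlock cookie) survive renaming better.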

Another template employs the preceding technique with a different GUI, which seems like the actual Pinterest site:

The template contains an executable named Pinterest Amazon Product Submitter. This is a bot that scrapes Amazon for products based on given keywords and then submits them to Pinterest.

When victims click on a Pinterest post they are redirected to the scammer’s site, which will contain a “redirect script” or “cloaker script” that will simply redirect users to Amazon with the scammer’s affiliate ID. Amazon does not see the referral as Pinterest but rather as the scammer’s custom page–and the scammer can earn money:

There is also a mass bit.ly link generator, which will generate random links for the scam’s URL:

The trick here is to use “?” at the end of the URL so that the tool adds a random string after the “?” and gets a different URL from bit.ly each time. This technique makes it possible for an attacker to generate as many random URLs as needed, all pointing to the same location.
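Because every variant differs only in the random string after the “?”, a filter can collapse them back to one destination. The following is an added example, not part of the toolkit or the original analysis; it assumes the short links have already been expanded to their long URLs, and the URLs and the `min_variants` threshold are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

def canonical(url):
    """Drop query and fragment; lower-case scheme and host."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))

def is_bare_token(query):
    """True for a query that is one token with no key=value structure."""
    return bool(query) and "=" not in query and "&" not in query

def cluster_padded_urls(long_urls, min_variants=3):
    """Group URLs that differ only by a bare query token.

    Returns {canonical_url: sorted tokens} for destinations seen with at
    least `min_variants` distinct tokens.
    """
    groups = defaultdict(set)
    for url in long_urls:
        query = urlsplit(url).query
        if is_bare_token(query):
            groups[canonical(url)].add(query)
    return {base: sorted(tokens) for base, tokens in groups.items()
            if len(tokens) >= min_variants}

# Constructed sample: long URLs as they might look after expanding short links.
EXPANDED = [
    "http://offers.example.test/giftcard.php?k3Jd9QxZ",
    "http://offers.example.test/giftcard.php?Pq81LmTa",
    "http://Offers.example.test/giftcard.php?zzT40bWe",
    "http://shop.example.test/item?id=42&ref=mail",   # ordinary key=value query
    "http://news.example.test/story?print",           # single bare token, seen once
]

if __name__ == "__main__":
    for base, tokens in cluster_padded_urls(EXPANDED).items():
        print(base, len(tokens), "variants")
```

Blocking or reporting on the canonical URL rather than on each short link covers variants that have not been seen yet.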

Another script, “Detecting Mobile Phone Visitors,” can check the user agent of the web browser and determine the device from which a user visits the site.

Depending upon the device, a user can be redirected to a variety of URLs. We have observed that in the case of mobile devices, the redirection often leads to pornographic images which, upon being clicked, open a phone dialer with premium calling numbers. In the case of nonmobile devices, the redirection often leads to various survey scams.

The toolkit also includes “Pinterest follower bot,” which can be used for mass following on Pinterest:

We also find a tool for making mass comments on Pinterest posts:

Another tool generates Pinterest invites:

And would you believe that these tools even come with well-written documentation?

Such toolkits make it very easy for scammers to start their own scam sites and become functional cybercriminals with a minimum of skills and time. They need only change a couple of simple things, such as URLs, and they are ready to go. Almost all these steps–from creating mass Pinterest accounts to mass liking, commenting, and posting–have been automated.

Most of these scams try to lure users with titles such as “get free gift card,” “Shocking Video,” “you can not believe it,” etc.:

When users click on such URLs, they will be:

  • Redirected to a survey scam, where scammers earn money when users complete surveys
  • Redirected to Amazon or another site, where scammers can earn money by referral
  • Led to premium calling numbers on mobile devices

Please follow these guidelines to stay safe:

  • Never share your password with anyone. Such tools make it very easy to mass-comment or post from any account.
  • If any web page asks you to “Pin It” before you can see the content, most likely it is a scam.
  • If any web page offers you a “free gift card” and redirects you to surveys, most likely it is a scam.
  • Be careful while clicking links that have catchy titles like “shocking video,” “you will not believe it,” “free give away,” etc. Most of the time, they lead to scams and trouble!
