Spammers are traversing through various social networks in order to find a new pool of users to dupe. We recently observed spam on social photo-sharing app Instagram. This campaign is similar to an earlier blog post which highlighted how spammers use social networking accounts to get users to click through to affiliate pages. Instagram users will see a comment on their photos claiming Instagram has partnered with an organization, in this particular case Best Buy, encouraging visits to the fake profile with free gift card giveaways:
Links are masked behind a short URL service (in this case, TinyURL). When a user follows the link, they are asked to input their cell phone number to win a $100 gift card:
Scrolling down you can find the fine print:
In the fine print (which isn’t even readily visible unless you scroll down) users are advised they will be presented with some third party offers and that completing these does not increase their chances of winning.
Here are two example third party offers:
The above requests do not really explain much. They just ask the user to input their personal information, once again, which will more than likely be used for future spam. There are links hidden in there to skip this process ("pass" and "skip"), but they are placed in a way so not to be noticed.
Once the user has gone through all the offers they are presented with a thank you page. At the bottom of this page they will find the contest rules—including details of how their personal information will be used:
Sure enough, their numbers will be used to enroll them into a subscription offer. This is how these spammers monetize these campaigns on the mobile side.
If you have given your cell phone number up during one of these scams, be sure to check your next phone bill to see if there are any unwanted charges on it for some kind of subscription service.
We’ve reached out to Instagram and Best Buy and they share the frustrations of users faced with spam or misleading offers. Both actively take measures to remove spam accounts or fake brand messaging. Instagram users are encouraged to report spam by clicking on the wheel icon in the top-right corner of their Instagram profile (highlighted red below) to report a spam account and flag it for removal:
Remember, if something sounds too good to be true, it probably is.