Cybercriminals quickly took advantage of news of Amy Winehouse’s death by staging online attacks. Amy Winehouse—a multi-awarded English singer and songwriter—passed away at age 27 over the weekend.
This is actually a standard behavior of cybercriminals. One attack we’ve seen on Facebook is the usual survey scam that involves an age verification page and a fake video page before getting the victim to take part in a supposed survey.
We noted that the survey involved in this attack is similar to the one described in the blog entry, “Survey Scam Offers Google+ Invites.” Users who are familiar with these types of survey scam attacks on Facebook are in a better position to protect themselves and to warn their contacts if they find malicious posts in their News Feeds.
The details of the Amy Winehouse Facebook survey scam are as follows:
- The user clicks a Wall post that supposedly features an Amy Winehouse video taken before her death.
- The user is then led to the following page:
- Clicking the link on the page redirects to a fake video page, which is actually a clickable image that redirects to an age verification dialog box.
- Upon clicking the age verification image, another dialog box appears. It notifies the user that the link will be posted on his/her Facebook Wall.
- Next, a so-called Human Verification window appears, which encourages the user to prove that he/she is a human being by taking either the “Stupid or Genius?” or “Are You and Your Partner Compatible?” test.
- One of the surveys—the “Stupid or Genius” test—leads to the following survey:
- The last requirement is inputting one’s mobile phone number. A digital PIN will supposedly be sent to his/her mobile phone.
We’ve seen some other cybercriminal attempts to leverage news of Amy Winehouse’s death. We encountered some malicious URLs using the search string “amy winehouse death” in a blackhat search engine optimization (SEO) attack. According to Trend Micro threats researcher Marco Dela Vega, these malicious URLs led to malware that redirect users to a fake scanning page in order to scare them into downloading malware. The malicious file this downloads is a FAKEAV binary we currently detect as TROJ_FAKEAV.CLS.
Trend Micro protects product users from this attack via the Smart Protection Network™ by blocking all related files and URLs.
As cybercriminals consistently find new ways to trick users into participating in their schemes, social media users may check our report, “Spam, Scams, and Other Social Media Threats.”