Winning a contest is a rush. If it’s ever happened to you, then you know.
We know this and businesses know this. And cyber-criminals also know this.
Join me as we journey through the steps of an attempted hack that was foiled (hopefully before any unsuspecting “winners” entered their credit card information).
February 26, 2021 marked National Chili Day. As is par-for-the-course on “National Days”, businesses and organizations having an affiliation with the celebrated day often post promotions and sweepstakes on social media channels offering people the chance to win company branded apparel, merchandise and/or gift cards. National Chili Day was no exception and Skyline Chili, the Cincinnati-style chili restaurant chain, posted opportunities on Twitter, Facebook and Instagram enticing lucky fans to win “Swag Sets” (containing a hat, shirt and $50 gift card).
As you can see from the above screen capture, to enter the contest an account must be following @Skyline_Chili, they must tag a friend and also include the hashtag #SkylineSweepstakes.
For any avid contest-seekers, be aware: In some recent instances, I have found cybercriminals targeting niche hashtags, like those that containing the words ‘Winner’, ‘Sweepstakes’ or ‘Giveaway’. Consider this your first warning and a bold one: We must be informed when entering “free” contests.
In this Skyline Chili case, Facebook users who responded to the Skyline Sweepstakes post and posted the #SkylineSweepstakes hashtag were immediately greeted with a Friend Request that appeared to be coming directly from Skyline Chili.
It appeared legitimate, but if you had on your detective hat, would the “manager’s signature” seem fishy (or should I say “phishy”) to you?
Upon accepting the Friend Request, the Facebook user instantly received a direct message congratulating them on winning the Skyline Chili contest. See below.
The congratulatory direct message itself contained an embedded short link so the unknowing user could claim his/her time sensitive prize. But to an informed and aware user, the message also contained grammatical errors and a pressuring tone that should “tip us off” as being fraudulent.
Upon clicking on the phishing link, the user is redirected to the following webpage:
Again, we must be savvy in our tech-awareness at all times, on all sites, and in all tenses. The grammatical choice of “You are selected as the giveaway winner of my event.” Would be more professionally worded on an official document/contest website as “You have been selected as the giveaway winner of our event.” Take the time to evaluate what you are reading, because errant words or phrasing may reveal fraudulence.
At the very bottom of the page, there is a “Register Now” link.
Upon clicking on the ‘Register Now’ button, the following page is opened and displayed:
Common sense will always count for more than we give it credit for, and if an email says, “Please Wait you are a winner 100%”, then a little caution flag should wave in your mind signaling that perhaps you are not a “winner 100%”.
This site eventually redirects the user from an Ad Server to the following Signup page.
After creating an account and entering the created Username and Password it will then ask for Credit card details. (Hint: This is always a complete red flag.)
After entering your credit card details, a blank page appears. (If you have gotten this far in their “process”, it is fair to begin worrying.) The credit card information is then relayed to a control center where it will likely be accessed and maliciously used by the cybercriminals or malicious organization of individuals.
All the noted webpages used in this example were actual attempts made by a cybercriminal(s) to mimic Skyline Chili communications and dupe unsuspecting online contest applicants. But be comforted in the fact that subsequent backlinks have been properly reported and tagged as Fraud and Phishing, and this phishing attempt is no longer reeling people in.
But we must be on our guard because cyber criminals are always hoping to bait us and then set the hook.
In order to falling victim to such scams, here are some vital safeguards:
– Implement complex passwords.
– Don’t open attachments from unknown sources or click on links embedded in emails, in direct messages or on social media sites.
– Be skeptical of unsolicited phone calls.
– Maintain regular Operating System and 3rd party software updates.
– Don’t download apps from unknown sources
– Install strong antivirus/endpoint security protection.
—Be aware of grammatical errors and pressuring time limits—these are often indicators of fraudulent claims
– Use Common Sense
As stated earlier, winning a contest is a rush. There is a thrill in the chase of a reward and businesses know this. But be advised and consider this recent evidence as proof that cyber-criminals also know this.
While winning free things can be fun, exciting, and rewarding, common sense always wins out. When messages and emails appear too good to be true, they usually are. The best bet is always the safe bet.
Interested Thirtyseven4 Endpoint Security? You can request a Quote today!
Born out of a desire to better connect antivirus protection solutions with premium customer support and service, Thirtyseven4, LLC seeks to protect schools, businesses, governmental agencies and home‐users with the best antivirus products available. Thirtyseven4 is an American company built on honesty, trust and value for the customer. http://www.thirtyseven4.com.
Thirtyseven4, LLC is dedicated to serving customers with a full palette of security solutions including AntiVirus, AntiMalware, Anti-Ransomware and Zero-Day Threat Protection.