Pinterest scams – under the hood

2012-09-01

Hardik Shah

McAfee, USA
Editor: Helen Martin

Abstract

Having enjoyed exponential growth over the last year, social media site Pinterest has also become a popular target amongst scammers for making money quickly and easily through various scams. Hardik Shah describes some of them.


Pinterest is a social media site which allows users to ‘pin’ images that they like on a virtual pinboard. A ‘board’ is a collection of pins on a given topic – a user can create a board containing photos and/or videos on any topic. Popular topics include design, cooking, weddings, crafts etc.

The graph in Figure 1 illustrates that Pinterest has grown exponentially over the past year.

Figure 1. Unique visitors to pinterest.com.

With its rapid growth, it has become a popular target amongst scammers for making money quickly and easily through various scams. This article will discuss the various scams we have observed on Pinterest.

PinJacking

Pinjacking refers to a technique in which users are forced to pin content that they never intended to pin.

Like other social sites, Pinterest is based around users’ interests. Pinterest allows users to ‘like’ or ‘repin’ any post. It also allows its users to comment on the pins and follow the users who posted them. Any pin which attracts people’s interest can become popular amongst Pinterest users and can be spread virally. The more people that like and repin a piece of content, the more popular it becomes. If it contains a URL, users may be redirected to that particular URL.

These features can be misused very easily. Consider a case where a scammer has pinned something and wants to spread it virally. In this case he has the following options:

  1. Ask his friends, relatives and colleagues to repin the content on a courtesy basis.

  2. Use various tactics to force users to repin given content and redirect them to the scammer’s site.

Option (1) here does not make the content virally popular unless it is extremely good or interesting, as people will only willingly repin or like content which is of interest to them.

Consider option (2): if a scammer has some way in which he can force users to repin or like a pin, then it can be spread virally. He only needs to drive initial traffic and then it can spread virally based on the users’ trust. If any of your friends share something on Pinterest that looks interesting, you will also want to see what it is, so you will check it out – and if it asks you to repin it before you can actually see the content, many people will do just that. This leads to viral spreading of the link, as shown in the graphic in Figure 2.

Figure 2. Viral spreading.

Spammers use such tactics to redirect legitimate users to their sites and make quick money. There are many ways in which a spammer can make money through Pinterest:

  1. Force users to fill out various surveys.

  2. Redirect users to sites such as Amazon that offer a referral fee.

  3. If a user is browsing using a mobile device, calls may be made to premium rate numbers.

The scam techniques

We have found a variety of techniques that are being used for Pinterest scams. They are:

  1. Content lockers

  2. Free gift card, giveaway scams

  3. Referral scams

  4. Premium calling numbers.

We will briefly look at each scam type below.

1. Content lockers

In this technique, when a user visits a particular scam site, he will see a ‘content locked’ message, as shown in Figure 3.

Figure 3. ‘Content locked’ message.

To unlock the content, the user is asked to repin the scam image/URL. Once a user repins the content, the page overlay will be removed, allowing the user to see the actual site. Since the user has repinned the content on his Pinterest account, his friends will be able to see it and, on clicking on the pin, they will be redirected to the scammer’s site, which will show them the same ‘content locked’ message and thus they will also be tricked into repinning the content.

To lock the web page content, a simple JavaScript technique can be used. This basically involves setting the body overflow style to hidden, as shown in Figure 4.

Figure 4. Setting the body overflow style to hidden.

Various div elements are then created and appended to the body, as shown in Figure 5.

Figure 5. Various div elements are created and appended to the body.

The code of these elements is shown below:

The top and left of this div element are set to 0, and the ‘height’ and ‘width’ are set to 100%. This means it will overlap the body. Since the body element’s overflow style is hidden, the body elements will not be displayed and this element will be displayed as an overlay instead. The overlay will ask users to click on the ‘pinit’ button. Once a user clicks on the ‘pinit’ button, the overlay can be removed, as shown in Figure 6.

Figure 6. Once a user clicks on the ‘pinit’ button the overlay can be removed.

It basically sets the cookie and reloads the document. On document load it checks whether the cookie is set. If it is set, then the overlay will not be displayed and the user can see the content.
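The steps just described (body overflow forced to hidden, a full-viewport div appended as an overlay, a ‘pinit’ gate, and a cookie set followed by a reload) are distinctive enough to be matched statically. The following scanner is an added example for this article, not code from any scam page or from the author; the two page sources it checks are constructed here, and the indicator names and the co-occurrence threshold are assumptions.

```python
import re

# Constructed sample reproducing only the skeleton of the content-locker
# pattern described in the article (not taken from a real scam page).
LOCKER_PAGE = """
<html><body><script>
document.body.style.overflow = 'hidden';
var d = document.createElement('div');
d.style.position = 'fixed'; d.style.top = '0'; d.style.left = '0';
d.style.width = '100%'; d.style.height = '100%';
d.innerHTML = '<a class="pinit" href="http://pinterest.com/pin/create/button/?url=http://example.invalid">Pin it</a>';
document.body.appendChild(d);
function unlock() { document.cookie = 'unlocked=1'; document.location.reload(); }
</script></body></html>
"""

# Constructed benign page that shares one trait (it sets a cookie) so the
# example shows that a single indicator does not trigger a verdict.
BENIGN_PAGE = """
<html><body><script>
document.cookie = 'theme=dark';
</script><p>Photos of my cat</p></body></html>
"""

# One indicator per step of the locker technique; names are assumptions.
INDICATORS = {
    "body_overflow_hidden": re.compile(r"body\.style\.overflow\s*=\s*['\"]hidden['\"]", re.I),
    "full_viewport_overlay": re.compile(r"(width|height)\s*=\s*['\"]100%['\"]", re.I),
    "pinit_gate": re.compile(r"pinterest\.com/pin/create|class=['\"]pinit", re.I),
    # cookie written and the document reloaded/redirected afterwards (Figure 6 logic)
    "cookie_then_reload": re.compile(
        r"document\.cookie\s*=.*?(location\.reload|location\.href)", re.I | re.S),
}


def locker_indicators(html: str) -> list[str]:
    """Return the names of the content-locker indicators present in a page source."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def is_content_locker(html: str, threshold: int = 3) -> bool:
    """Flag a page only when several independent indicators co-occur,
    since any one of them (a cookie, a 100% div) is common on benign sites."""
    return len(locker_indicators(html)) >= threshold


if __name__ == "__main__":
    print("locker page:", locker_indicators(LOCKER_PAGE), is_content_locker(LOCKER_PAGE))
    print("benign page:", locker_indicators(BENIGN_PAGE), is_content_locker(BENIGN_PAGE))
```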

2. Free gift card, giveaway scams

In this technique, users are redirected to a website which has a catchy title such as ‘free gift card’, ‘shocking video’, ‘you will not believe it’, etc., and when a user clicks on it, they are redirected to various surveys. The scammer earns money each time a user finishes a survey. Figure 7 shows a sample post taken from such a Pinterest scam.

Figure 7. Sample post from a ‘free gift card’ scam.

The code of the post is shown in Figure 8.

Figure 8. Code from the Pinterest scam post.

As can be seen, the Pinterest post contains a link in ‘a href’ tags, so when a user clicks on the link he will be redirected to the particular URL. In this case, the URL seems to be offering a variety of gift cards, as shown in Figure 9.

Figure 9. A variety of gift cards are on offer.

When a user clicks on any of these, he will be redirected to the survey and the scammer will earn money based on the number of users who complete the survey.

In some cases we have also found that such links first redirect users to another web page which asks them to repin the content before moving forward, as seen in the image in Figure 10. Figure 11 shows the code of the ‘pinit’ button seen in Figure 10. Once a user clicks on the pinit button, they will be redirected to the survey site, as shown in Figure 12.

Figure 10. Users are first redirected to another web page, asking them to repin the content.

Figure 11. Code of the ‘pinit’ button shown in Figure 10.

Figure 12. Once a user clicks on the ‘pinit’ button, the user can be redirected to a survey site.

3. Referral scams

Many sites offer a referral bonus to users for directing visitors to the site and making a sale. This technique is used by scammers to earn quick money without the knowledge of innocent users. They create various posts on Pinterest which have popular product keywords – an example can be seen in Figure 13.

Figure 13. Example of a referral scam post.

This post has an embedded link inside, as shown in Figure 14.

Figure 14. The post contains an embedded link.

Once a user clicks on such a post, they will be redirected to the embedded link, which is basically a redirector script, as shown in Figure 15.

Figure 15. Redirector script.

The script shown in Figure 15 redirects users to Amazon with the scammer’s product id, and in this way the scammer can earn a referral fee from Amazon, as shown in Figure 16.

Figure 16. Users are redirected to Amazon with the scammer’s product id.

4. Premium calling numbers

Premium calling number scams check for the user agent string of the browser, as shown in Figure 17.

Figure 17. Checking for the user agent string of the browser.

If a user is browsing the Pinterest site from a mobile device, then such scams display an image which appears to be of a video player, as shown in Figure 18.

Figure 18. Users browsing the Pinterest site from a mobile device are presented with an image which appears to be of a video player.

When a user clicks on such an image, depending on which country they are based in, they will be redirected to various websites which display porn images and ask the user to click on them.

When the user clicks on them, a phone dialler will open with a premium calling number; if the user makes a call to this number, he will receive hefty phone charges, while the scammer earns revenue.

Black Hat SEO with Pinterest

Pinterest is a great tool for sharing interesting things like photos, videos etc., but its features are being misused by scammers for black hat SEO to make quick money or for getting traffic to their sites. They have come up with tools which automate this entire task. Such tools make it very easy to post comments, create Pinterest posts or follow other users. This can generate lots of traffic for a scammer’s site.

Many forums on the Internet contain ads offering such tools for sale.

Figure 19. Ad offering tools for sale.

Some of these tools can be seen in Figure 20.

Figure 20. Some of the automation tools.

These tools considerably reduce the time taken to set up scams to just a few minutes. With the help of such tools anyone can easily start a Pinterest scam. These tools contain all the needed software, such as content lockers, account creators, comment posters, auto likers, URL generators, etc.

Setting up a new scam does not require much technical knowledge and therefore this is becoming popular amongst those who simply want to make quick money through such scams.

Conclusion

Pinterest is a site which offers users the opportunity to share images and videos, but with its exponential growth, it has also become a powerful tool for scammers to generate traffic and make quick money. This has also increased the amount of spam on Pinterest. Users should be careful while using Pinterest and avoid repinning content which redirects to surveys or websites offering free gift cards, giveaways, viral videos etc. Pinterest works based on users’ interests and trust. Such automated posts on Pinterest do not reflect users’ interests in any way, and should be avoided.
