The popularity of sites such as Facebook and MySpace has spawned malicious imitators. The main tactic they use to peddle their scams is “social engineering”. Wikipedia has a good definition: “Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access.”
I recently got an email from a friend asking me to log onto tagged.com and look at her photos:
Tagged.com advertises itself as a Social Networking site. Notice three things on the screenshot: 1) Tagged shows a link at the bottom that essentially appears to be an “unsubscribe” request (and you’ll soon see why that’s pertinent to this issue), 2) they are engaging in a bit of social engineering by implying that the sender will be disappointed if you don’t go to tagged.com (“Please respond or JoRose may think you said no”), and 3) they used JoRose’s last name twice (not necessarily remarkable, but again you’ll see why this is pertinent).
Since JoRose is a close friend and DOES send me photos now and then (though this is the first time a request to look at her photos came via tagged), and since this tagged thing raised my eyebrows a little, I fired up my sandbox, loaded some extra security software, and went to the site in my sandboxed browser.
What I saw raised my eyebrows even more:
They wanted a lot of Personally Identifiable Information (“PII”). That is not necessarily unusual for Social Networking sites, but it really raised my eyebrows when I saw that they wanted my email password. Ironically, they have a spambot field too . . . ironic, because they themselves are engaged in spamming, as I later found out.
But JoRose does in fact have friends named “Kathy H” and “Craig E”, so it did appear to be legitimate (that’s part of the scam too, again as I later found out).
In any case, I wasn’t about to release my email password. I was going to email JoRose to resend the photos another way. But before I did that, I got another email from her that confirmed all my suspicions:
“Someone “tagged” me the other day and somehow everyone in my address book has now been tagged. I don’t know what it is or how it happened other than that I opened the one sent to me. I can’t seem to unsubscribe. If you haven’t opened it, don’t. If you have and can figure out how to get rid of it, please let me know. It has not caused me any problems, but I am not sure what it is. I do NOT have any pictures in it even though it says I do. I am not going to open any “tagged” items and hope it will go away. I hope it isn’t causing you any inconveniences!
Jo Rose”
So, now it all made more sense. The reason they used JoRose’s full name is that it came out of someone’s address book and ended up as part of a script. And as JoRose unfortunately found out, they don’t honor unsubscribe requests (like all spammers). An unsubscribe request (and they pitch this from the very beginning with their “Click here to block all emails from Tagged . . .” nonsense shown in the first screenshot) will just get you elevated to their “live addresses” spam list.
Phewwww . . . dodged a bullet there, since I never opened it. That email prompted me to do some investigation . . . the usual whois lookups, IP searches, robtex.com stuff, blacklist searches, etc. Tagged.com is in fact listed in blacklists for spamming, failure to execute unsubscribe requests, fraudulent scams, etc.
The “social engineering” tactic is central to the propagation of their scams. Most people are so curious about what these pictures are, especially when they see a familiar name and a photo, that they fill out the info (as JoRose did).
Tagged.com is not the only culprit here. As I said in my opening, these fake social networking sites are cropping up more and more.
Come to think of it, I think my girlfriend gets about a million of those emails every day. I think I’ll let her know not to open them.
I just got that yesterday. Same as you, I was leery of it, but yet it was someone that would send me pictures. I only filled in non-personal info and left out my email password, phone number, address and almost everything. When I clicked submit, it said it needed more info, so I clicked cancel, figuring it’s not worth it, and it made me a member. I saw immediately that my friend is not a member and there were no pictures, but at least I hadn’t given them any info. I just hope I don’t have any problems with them in the future.
Do you know what exactly they are scamming for?
I have a business e-mail address where I get a lot of e-mails a day inquiring about my service. I started getting tons of these a day, and could not figure out why these people are sending me photos, when we have only corresponded over business matters.
I guess it makes sense now.
Thanks
I’ve been getting something similar for a while now… I don’t remember if it was Tagged, but it was another network where it said so-and-so would be sad if you didn’t join. If I’m suspicious, I put in fake info (crappy email address for spam only, false birthdate, password I don’t use elsewhere, etc.) to sign up with, and then check it out. Otherwise, I just don’t bother.
Yeah, that looks like a potential scam.
I think I should change my passwords regularly, as I use common passwords.
I mostly don’t try those kinds of sites. If he/she wants me to see pictures, I would ask them to upload to an image sharing site like Flickr or TinyPic.
Kliedung,
It’s important to change your password often and use special characters.
Great article and I found this site through Digg.
I agree and this has happened to me once or twice…So I am very wary now…sites like Hi5 are similar.
Frank J got it right: change your password very frequently, and I for one never let browsers save mine… That might be paranoid, but I still do that.
Mick,
Thanks for your feedback and glad that you are cautious and practice proper password management.
Hey Connect,
They sell their spam list to “professional spammers”. Since their list is “live” addresses, it can be sold for a pretty penny.
There are three types of spam lists these “pros” buy: 1) a list of addresses where there has been no response, so the seller/buyer can’t be sure any of these are active (this is the cheapest), 2) a list of “live” addresses . . . this sells for more than the “unknown” addresses, and finally, the most expensive, 3) a list of addresses where people have actually made a purchase of scam products.
There is an entire subculture of spammers. Those that sell lists are at the top of the pecking order . . . and they don’t do any of the dirty work. Those that broadcast spam are at the bottom of the pecking order . . . they do the dirty work.
Hey Kikolani,
Didn’t have the presence of mind to try one of my disposable email addresses on these clowns . . . like Spamavert. Would be interesting to see if that address filled up with nonsense . . . have you ever tried that?
Hi Bob,
These really are a pain in the butt! I have had a couple, but know of many who get loads of them, and all we can do is keep warning users about such scams.
Users should also set up a separate email account and use it for everything apart from their most trusted sources; it reduces the risks.