Some redirects take to potentially unwanted programs

Apr 15, 2015 15:44 GMT  ·  By

A fake page is currently available on Facebook purporting to belong to Disney and luring users into clicking on potentially malicious links with the promise of a $1,000 / € 950 Visa gift card.

The page already has close to 18,000 likes, and it seems to be very profitable for the cybercriminals as the two posts published since its creation recorded tens of thousands of shares and likes.

Crooks use attractive bait

The main objective of the operation is to redirect users to a page outside the social network (www[.]disney-world-comp[.]com) that hosts online surveys. With each survey completed, the crooks earn a commission

The alleged Visa gift card and the money on it seems to be an attractive bait since the first post on the account announcing the bogus raffle registered more than 50,000 likes and about 70,000 shares, suggesting that the campaign is a source of steady money stream.

“Summer is coming and we're giving you the chance to get this amazing Disney World vacation for up to 5 people on a date of your choice with a $1000 Visa Gift Card,” one of the posts reads.

Online surveys, PUPs and marketing

The survey page is localized, so potential victims see the content in their language. However, as soon as they access the website, access to the subscription page of the promotion is blocked, and surveys have to be completed in order to move on.

Users are recommended not to act on impulse because the links lead to different software downloads (potentially unwanted programs) that could install malware on the computer. Alternatively, they could be redirected to various web pages that have paid to get promoted online.

The advertising offers keep rotating, but the one we’ve seen to appear most often is AliExpress.com, a website owned by Chinese online retailer Alibaba.

[UPDATE, April 16]: The crooks have set up multiple Disney World Facebook pages (with Education, University and Community displayed as the domains of activity), all promoting the same scam. The first post appears to be published on April 13 on all of them.