Online retailers' fake news problem

Just as fake news circulated around the web ahead of the presidential election, bogus ads are spreading on Facebook and Twitter as a vehicle for delivering malicious software.

A holiday window display at Macy's in Manhattan.

Alex Wroblewski/Reuters

December 19, 2016

The scourge of spurious headlines and bogus information hasn't just plagued politics and politicians over the past year, it's also become a menace for American businesses.

Online criminals and fraudsters are impersonating real companies by peddling online deals and promotions to dupe unsuspecting consumers. Clicking links in these phony offers delivers malicious software designed to harvest personal and financial information, according to research by cybersecurity firms.

While fake news stories promoting Hillary Clinton conspiracy theories ricocheted around the web ahead of last month's election, social media platforms have been – and still are – passing around fraudulent ads. 

"The echo chamber of fake news is the same as the echo chamber of holiday offers and coupons," said Evan Blair, cofounder of the firm Zero Fox that tracks social media scams. "There are hundreds of examples out there – maybe even more."

Researchers see the scams taking many forms. Phony advertisements and promotions circulating on Twitter and Pinterest are the most common outlet for cybercriminals interested in extracting money from consumers by getting them to purchase goods and services they will never receive.

Other criminals play a longer game: using enticing offers and stories to trick consumers into clicking a link that will install a malicious mobile application on their phone, or give up the username and password they use to access a social media or e-commerce website, Mr. Blair said.

One phony ad circulating on Twitter promised Bass Pro Shops gift cards. But the link for the gift card to the sporting goods retailer instead delivered a malicious Android application. Bass Pro Shops told Passcode that it monitors social media for accounts that misrepresent the company's brand online. (Customers who aren't sure about an offer can contact the retailer at 1-800-BASS-PRO.) 

Other tweets promoted coupons for retailers such as Kroger, Macy’s, and Hertz Rent-a-Car. But when Twitter users clicked the ads, the sites secretly collected their personal information before giving them a fake coupon, according to the Zero Fox research.

As with the fake news, retail scams are benefiting from the popularity of Facebook, Twitter, and Pinterest. And, all too often, users of these platforms click – or share – first and ask questions later. Fraudsters may benefit from misplaced trust that many Facebook and Twitter users place in the ads that show up on those platforms. 

In one recent example, false stories and promotions about money from the purchase of deeply discounted Ray-Ban sunglasses going to The Nature Conservancy have been circulating on Twitter and Facebook for months.

Cybercriminals are also getting more clever and mixing up their tactics in an effort to deceive consumers. Researchers at the digital security firm RiskIQ have noted an increase in the use of web addresses that may make scam sites seem more legitimate, for example by including the names of legitimate retailers in the address. A (fictional) URL such as http://homedepot.scamcoupon.com may look like it belongs to the home improvement giant, but it is really part of the web domain scamcoupon.com. Clicking it would be unlikely to bring you to the real home improvement store.

That practice, which RiskIQ terms “subdomain infringement,” is available to anyone who controls a web domain. Unlike registering imposter web domains, it is invisible to the broader internet and the affected brand, at least until complaints start rolling in, said James Pleger, RiskIQ’s director of research.

Fake news websites use a similar approach. During the presidential election, for example, sites such as abcnews.com.co used subdomain infringement to play on the identity and reputation of established news outlets while peddling fabrications. The ruse works because most Internet users cannot spot the difference between the real website’s address (abcnews.go.com) and that of the fake (that telltale .co top-level domain in the example above).

The tactic is gaining traction as the increasing use of mobile devices to browse web content makes less of the actual web address (or URL) visible to the reader. Less screen real estate makes tricky URLs harder to spot, Mr. Pleger said.
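The check a brand-protection team can run against links it sees in ads, shown here as an added example that is not from the article or from RiskIQ: it finds which domain actually controls a host and flags hosts that carry a brand name without sitting under the brand's real address. The brand list and the short public-suffix set are constructed for illustration; a real deployment would load the full Public Suffix List and the company's own domain inventory.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption): suffixes
# made of two labels, under which anyone can register a name.
MULTI_LABEL_SUFFIXES = {"com.co", "co.uk", "com.au"}

# Hypothetical brand inventory: brand keyword -> hosts the brand really uses.
OFFICIAL_HOSTS = {
    "homedepot": ["homedepot.com"],
    "abcnews": ["abcnews.go.com"],
}


def registrable_domain(host):
    """Return the name someone registered: one label plus the public suffix."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def check_url(url):
    """List brands named in the URL's host that do not control that host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    findings = []
    for brand, official in OFFICIAL_HOSTS.items():
        # The brand keyword must appear in at least one label of the host.
        if not any(brand in label for label in host.split(".")):
            continue
        # Hosts at or below an official host belong to the brand.
        if any(host == o or host.endswith("." + o) for o in official):
            continue
        findings.append({
            "brand": brand,
            "host": host,
            "controlled_by": registrable_domain(host),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample links, including the two addresses the article cites.
    for link in ("http://homedepot.scamcoupon.com",
                 "http://abcnews.com.co/story",
                 "http://abcnews.go.com/Politics",
                 "https://www.homedepot.com/"):
        print(link, "->", check_url(link) or "ok")
```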

Like the problem of fake news, solutions to the fake promotions and brand impersonation problem aren't simple or straightforward, experts agree. Social media platforms and retailers that use them need to pay more attention to internet traffic patterns to spot emerging scams. Consumers, says Pleger, need to be more vigilant.

The problem isn’t one that you can simply “throw technology at,” he says. “People need to own their security and integrate it into their lifestyle ... . They need to stop and think about what domains and URLs are and start asking where their content comes from.”