Click with care: Pinterest falls prey to phishing scams

We knew it wouldn’t be long before Pinterest, the image-based social network, would attract spammers. We spotted a new scam on the site today, luring users to click for coupons to popular stores.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":399149,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,social,","session":"D"}']

Pinterest is growing rapidly with an estimated 13 million users since its birth in the last 10 months. The site allows you to grab images from the web using the “pin it” bookmark tool, which then publishes the image to your Pinterest “board.” A board is a collection of images associated with a particular theme such as recipes. The pins often entice people to click through to the original website to, for instance, get a recipe or purchase a shirt.

Because Pinterest makes it so easy to post any image, and because the images are linked to outside websites, it is a petri dish for sleazy marketing tactics — one that is just starting to be used.

“I know that users aren’t very familiar with the platform, so they’re more easily scammed,” said Cameron Camp, a security researcher with ESET, in an interview with VentureBeat.

While surfing Pinterest last night, I saw the above image, a coupon offer for the Cheesecake Factory. It is set up to look like a promotion exclusively for members of the growing social network, but it doesn’t actually come from the Cheesecake Factory. If you click on it, your browser redirects itself several times and winds up at a survey site.

Many businesses try to entice new customers with customized promotions, but this simply looks scammy. This isn’t the only one: Security company Trend Micro noticed a few of its own fake promos, including Starbucks and Coach handbags. According to Trend Micro, the images lead to a survey site, which first prompts you to re-pin the image to get the coupon code. It is not yet known whether the image downloads any malware to the victim’s computer. This falls more in line with a phishing scam, promising discounts for personal information.

Camp explained that the phishing scam is quite new, appearing only within the last couple weeks. He has also seen e-mail scams that appear to be from Pinterest, but are really spoofed by cyber criminals. But there’s a reason why such similar scams appear across social networks such as Facebook, Google+, and Twitter.

“There’s an entire behind the scenes machine that’s already in place,” said Camp. “They have the ability to flood the market extremely fast … You just plug it in to [the] network and off it goes.”

Cyber criminals are business people as well. They have found a way to quickly and easily distribute their “product” across different networks, with low cost and high proliferation. Camp says he hasn’t heard of Pinterest doing anything to directly stop the scams, though its terms of service do issue a warning about third party services.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":399149,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,social,","session":"D"}']

According to Pinterest’s terms of service, advertising is not prohibited on the service. In other words, it would be perfectly OK for the Cheesecake Factory to post a legitimate ad like this. But Pinterest’s parent company, Cold Brew Labs, also absolves itself of any responsibility for links that lead to malicious websites:

The Site and Application may contain links to third-party websites or resources. You acknowledge and agree that Cold Brew Labs is not responsible or liable for: (i) the availability or accuracy of such websites or resources; or (ii) the content, products, or services on or available from such websites or resources. … You acknowledge sole responsibility for and assume all risk arising from your use of any such websites or resources.

Pinterest, which has only developed an iOS application, is also the subject of an Android app scam. According to GottaBeMobile, cyber criminals have created a fake Pinterest Android app, which really takes you to a mobile website and serves up annoying advertisements. In reality, Pinterest does not yet have an Android app.

We have reached out to Pinterest and Google for comment and will update the post upon hearing back.

Starbucks screenshot via Trend Micro

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":399149,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,social,","session":"D"}']