Thursday, July 14, 2016

Pokémon Go: An invitation to spammers

Today we have another Guest Blog from Arsh Arora, PhD student at UAB. Arsh is a malware analyst in my lab and I asked him to look into the theory that Pokémon Go was being used to trick people into installing malware. In this particular case, the scammers aren't delivering malware, but they are still getting TONS of personal information through this scam that shares a great deal of features with the "Gift Card Scams" that we have written about before. A similar scam that followed a top news trend was our 2014 Target Data Breach Spam story where people got caught in a similar privacy trap. Now, take it away, Arsh! . . .

Pokémon Go: An invitation to spammers

Since its release, Pokémon Go has become a sensation. With over 7.5 million downloads in the United States, it has become a magnet for spammers. The launch of any game brings a launch of its cheat codes. The manhunt for Pokémon Go cheat codes began, and the spammers took advantage of it. While researching cheat codes, I ran into a website, hackmobilecheats[.]com, which stated that you can get a “Pokémon Go Hack Tool” for free. This is tempting: how can a gamer resist it when stuck in the game and in need of extra PokeBalls/PokeCoins?

I was not able to control my temptation and thought it would be noble of me to click the “Get Access Now” button. Let’s see what happened when we clicked it.

Here’s the Fiddler capture of the redirect stream:

So, the magic “Get Access Now” button redirects you to trianglefoxfile[.]com, just as you intended (not really). After reaching the destination, the following page is displayed:

Wow! You can produce as many PokeCoins or PokeBalls as you want by following these steps: enter a username, choose the count to produce, and then press “Click to Start”.

Once the processing is complete, the following dialog box pops up:

The pop-up stated that the website has detected signs of you being a SPAM ROBOT! You have to verify that you are a HUMAN by clicking on one of the offers. The offers were so amazing that it became extremely difficult to pick one. Also, I needed the cheat codes, so I had no option.
  • Get a Glade Sample Pack
  • Get Starbucks Samples (Coffee Lovers )
  • Get a New Samsung S7!
  • Get a Brand New Xbox One!
  • Do You Fly Delta? (Sidenote: Gary is not a loyal member)
  • Who Would You Conquer in a Battle?
I am a fan of video games, so I decided to go with an Xbox One. After clicking that option, I was redirected to onlinepromotionusa[.]com.

Below is the Fiddler capture of the redirect:

So far we have passed through three websites, and there is no sign of cheat codes. It is just the beginning. Now we are required to fill out a survey about the Xbox.

Privacy Policy -- (note: You have none!)

An important thing to note while performing these surveys is to read the privacy policy and more specifically, how our information is going to be used by the website operators. The following is a snippet of the survey’s privacy policy.

Here are some of the types of Information we collect from users:
  • Name
  • Postal address
  • E-mail address
  • Telephone number
  • Cell/landline phone number
  • Gender and date of birth
  • IP Address
  • Survey responses
  • Device ID & location
  • Browser User Agent
  • Referring URL
We may use third party sources to augment and/or verify the Information we collect from users and may also associate demographic and other data we collect such as the user’s browser and device with their Information.

Children and Non-US Residents: We don’t knowingly collect or retain information from the Websites from children under the age of 13. The Websites are intended for use by U.S. residents who are not minors. If you are a minor, not a U.S. resident or don’t agree with this Policy’s terms, please don’t access or use our Websites.


We may use Information and share it with third parties (who may compensate us) in many ways and for many purposes including the following:

  • To fulfill an incentive;
  • To maintain suppression or opt-out lists that we may share with third parties so that a user is not contacted when the user has asked not to be;
  • For site operation;
  • To provide users with information and/or offers for products or services from us or third parties;
  • To notify the IRS that a user has received an incentive if the value exceeds the reporting threshold;
  • To track online behavior for behavioral advertising and other marketing purposes. If a user registers on one of our Websites, the user may receive relevant third party daily emails from that Website, its exclusive emailing partner and other websites we or our affiliates own and operate;
  • To develop and/or enhance our Affiliates’ and/or third parties’ products and/or services;
  • If we are acquired by or merged with another company, we may transfer our users’ information to the acquirer;
  • To respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims or when we determine it is necessary to comply with applicable laws or regulations; and
  • To assist with site operation and other communication services, we may share Information with third parties, including vendors and contractors who provide services to us.
We will use commercially reasonable efforts to limit use of the Information by these third parties as necessary for the purposes set forth above.

Behavioral Advertising: Behavioral advertising enables us and our third party marketing partners to deliver to users what is hoped to be more relevant information and/or offers for products or services. We and our third party marketing partners may use cookies, web beacons and other technological means to track user’s online behavior and to collect Information that enables the tailoring of targeted offers and advertisements. We may share this and other Information with our third party marketing partners, who may compensate us. We are not responsible for the Information they collect, for their use of this Information or for the privacy practices of other websites that are linked to our Websites.

Personal Health Information: Our surveys may ask health-related questions which we may share with our third party marketing partners who advertise health-related products and services on our Websites or who otherwise promote health-related products or services. We will use this health information only with your consent and for the purpose of displaying offers for health-related products and services or to provide Information to these providers so they can contact you. You may always request modification or removal of your information by contacting us at

We use commercially reasonable efforts to prevent unauthorized access or disclosure, or accidental loss or destruction of your Information. We currently do not encrypt Information that we store. Given the nature of the Internet, your Information passes through entities that we are unable to control. Therefore, we cannot guarantee that our security measures or those of third parties who access or transmit your Information will prevent your Information from being illegally accessed, stolen or altered.

They are interested in your online Facebook activities too. What’s next?

Hooray! We qualified for the reward, just one step away. Now we will not only get the cheat codes, but an Xbox with it.

Not Really! What does having a car have to do with getting an Xbox One or cheat codes? I am not going to drive and play.

Here’s the Fiddler traffic of what actually happened:

After confirming our email address, we were redirected to amarktflow[.]com. The Fiddler trace shows that we were transferred from one marketing program to another, and then to another. In short, everyone gets to profit from our information and be well compensated in the end for scamming us.

Additional questions had to be answered to obtain the reward and cheat code.
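Each Fiddler capture in this post tells the same story: one click, several 3xx hops, and a hand-off from one marketing operator to the next. As an added illustration (not code from the original post, and not taken from the Fiddler captures it shows), the Python script below reconstructs such a chain from a constructed session list and reports how many operators a single click passes through. The hostnames are the ones named in the post; the paths, status codes and Location headers are made up for the example, and the `defang` helper writes hosts in the same `host[.]tld` form the post uses.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample of a Fiddler-style session list (URL requested, response
# status, Location header). The hostnames are those named in the post; the
# paths, status codes and Location values are invented for this example.
SAMPLE_SESSIONS = [
    {"url": "http://hackmobilecheats.com/pokemon-go-hack-tool/", "status": 200, "location": None},
    {"url": "http://hackmobilecheats.com/get-access", "status": 302,
     "location": "http://trianglefoxfile.com/landing?ref=pgo"},
    {"url": "http://trianglefoxfile.com/landing?ref=pgo", "status": 200, "location": None},
    {"url": "http://trianglefoxfile.com/offer?pick=xbox", "status": 302, "location": "/go/7"},
    {"url": "http://trianglefoxfile.com/go/7", "status": 302,
     "location": "http://onlinepromotionusa.com/survey/xbox"},
    {"url": "http://onlinepromotionusa.com/survey/xbox", "status": 200, "location": None},
]


def defang(host):
    """Write a hostname as host[.]tld so it is not clickable in a write-up."""
    return host.replace(".", "[.]")


def build_chain(sessions, start_url, max_hops=20):
    """Follow 3xx Location headers from start_url through the captured sessions.

    Relative Location values are resolved against the redirecting URL. The walk
    stops at the first non-redirect response, at a URL not in the capture, when a
    redirect loop is detected, or after max_hops redirects.
    """
    by_url = {s["url"]: s for s in sessions}
    chain = [start_url]
    seen = {start_url}
    current = start_url
    for _ in range(max_hops):
        session = by_url.get(current)
        if session is None or not (300 <= session["status"] < 400) or not session["location"]:
            break
        nxt = urljoin(current, session["location"])
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record the repeat and stop
            break
        seen.add(nxt)
        current = nxt
    return chain


def summarize(chain):
    """Distinct hosts in order of first appearance, plus every cross-host hand-off."""
    hosts = []
    handoffs = []
    prev = None
    for url in chain:
        host = urlparse(url).hostname or ""
        if host not in hosts:
            hosts.append(host)
        if prev is not None and host != prev:
            handoffs.append((prev, host))
        prev = host
    return {"hops": len(chain) - 1, "hosts": hosts, "handoffs": handoffs}


def report(sessions, start_url):
    """Human-readable summary of the redirect stream behind one click."""
    summary = summarize(build_chain(sessions, start_url))
    lines = ["%d redirect(s), %d host(s)" % (summary["hops"], len(summary["hosts"]))]
    for src, dst in summary["handoffs"]:
        lines.append("  hand-off: %s -> %s" % (defang(src), defang(dst)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SESSIONS, "http://hackmobilecheats.com/get-access"))
    print(report(SAMPLE_SESSIONS, "http://trianglefoxfile.com/offer?pick=xbox"))
```

Run against a real export, the hand-off list is the part worth keeping: every change of host is another party that now holds whatever the form on the previous page collected, which is exactly the "one marketing program to another" pattern the trace shows.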

There were about 15 questions that required our answers. Let’s check the NEW privacy policy before proceeding.

Awesome! You must complete 1 Silver, 1 Gold, and 6 Platinum offers, within 30 days from when you complete your first offer. Also, completion of the offer usually requires a purchase or entering into a paid subscription program for goods or services.
So after everything is in place, it is time to confirm.

Jack and Jill went up the hill! So, by now you have given quite a bit of information to the website operators. Don’t forget your date of birth and address. Let’s hope this is the last step to glory.

Unfortunately not! They wanted to re-confirm our information. After the confirmation, a pop-up window is displayed, and they want to install a plugin into our web browser.
After the installation of the plugin, the browser redirects us to joinpiggy[.]com, as noted in the Fiddler Trace below.

So “Joinpiggy” is another coupon website. Such Browser Helpers invade your normal web surfing by popping up advertisements and "Coupons" for things that may or may not be related to what you are browsing. While not "malware", these are placed by most Anti-Virus products in the category "Potentially Unwanted Programs", or PUPs.

By now it was clear that this is a vicious circle, and getting out of it seems to be impossible.

After wasting enough time, I thought of pressing the skip button and moving forward. I was treated to a different survey while moving forward.

Now they were interested in my family and information about how much money I make. Why should I tell you? OH WAIT! I have already given them a lot of information. Frustrated, I decided to skip and move forward.

Below is the Fiddler trace of where I was redirected next: promoandsweeps[.]com.

Now I can buy Dr. Seuss books, join the Disney Movie Club, try the number 1 kids' learning app, and many others. And here I was trying to get the cheat codes for Pokémon Go. Phewww!!

Lastly, although it was a free app, I still have to pay $5 for 2 months.

This is how you get trapped when being greedy and trying to cheat your way up in Pokémon Go. What’s the best way to avoid this? Use your time to do something good, like a responsible person, and use the DELETE app function on your smartphone. This will not only protect you from scammers but also save your valuable time.

Guest blogger Arsh Arora came to UAB to earn his Masters Degree in Computer Forensics & Security Management (MS/CFSM). As part of his degree, he and other students participate in real-world cybercrime investigations. Arsh has decided to stay for a PhD to continue his malware research.

For those interested in the Computer Programming side of Computer Science, but aren't interested in seeking a graduate degree afterwards, please consider our new Bachelor of Arts in Computer Science! The BA focuses on applying data analytics and programming skills to complement the student's interest in another field. Think of it as "Computer Science APPLIED TO Biology/Chemistry/Criminal Justice/name-your-major-here."


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.