Pinterest and Tumblr are hot and growing every day. That means scammers are signing up too. Security researchers are seeing increasing numbers of scams on both Tumblr and Pinterest, according to Christopher Boyd, senior threat researcher at GFI Software.

The sites—while much smaller and, in Pinterest’s case especially, newer than social media behemoth Facebook—both continue to grow rapidly. Tumblr, a microblogging site where users create their own and follow other blogs, currently boasts close to 50 million blogs and claims to get more than 13 billion page views a month. Pinterest, an image-sharing site where users “pin” content on their “pinboards,” launched in 2010 and already has more than 11 million users.

The sites are so hot, in fact, that ready-to-use tool kits are already available for purchase that allow criminals to create and automate a Pinterest attack without having much technical skill.

“It’s interesting how quickly these tools have popped up for Pinterest,” said Boyd. “It’s a case of scammers not wanting to miss the boat. It would be foolish on their part not to create these tools.”

The scams are what Boyd called “the same sort of bandwagons,” we have already seen on Facebook, Twitter and even on email, just packaged up in new ways. Here are five of the most recent social engineering scams Boyd has been tracking on Tumblr and Pinterest.

The Tumblr dating game

A spam run observed by Boyd earlier this month was calling itself “Tumblr Dating Game.”

Boyd said members were receiving spam messages that read: “Lol half of your followers are on tumblrdatinggame.com”.

Tumblr users tend to be younger in age and single, noted Boyd, making the ruse more successful.

But the URL in the message took members to a dating website totally unrelated to “Tumblr dating” and urged end-users to “make an account in the area below then activate it via email”, add “tumblrdatinggame” to profiles then “hook up with Tumblr users in your area.”

Unfortunately, that wasn’t how it worked, said Boyd.

“The end-user is taken to an Adult Friend Finder splash page every time the Tumblr Dating Site is opened. It seems likely this is an attempt to make some affiliate cash every time somebody signs up,” said Boyd.

Tumblr tasks

In recent days, Boyd has noticed that the “Tumblr Dating Game” template has morphed into a new form of Tumblr spam called “Tumblr Tasks.” It takes advantage of the discussion around ads on Tumblr, which has been a hot topic recently. Spam links sent to users via their “Ask Boxes” (a Tumblr feature for members to communicate with each other) say: “Anonymous asked: have you made $$$ with tumblrtasks.com yet?? my bff just raked in 3k last month its crazy.”

But Boyd said visiting the link takes the user to an advertising landing page linked to an affiliate ID. The banner across the top claims that “You asked for the monetization of your blogs and we listened. While we await the finalization of contracts regarding the placement of ads on your blogs, we invite you to make money in the meantime by following these steps:”

1. Fill out the form
2. Pay the $9.95 trial fee
3. Start earning money today

Boyd said it is not surprising this kind of scam would be making the rounds now because the subject of ads on Tumblr has been buzzing lately.
But this is just another attempt to fool unsuspecting users into handing over a credit card number.

Get a free giraffe

Another recent Tumblr scam came in what Boyd called a “particularly glorious form.” Hugely glorious, actually, in that it claimed members would get a free giraffe—the actual zoo-animal variety—for reblogging a hoax link that was alleged to have come from the “Tumblr staff.”

“I don’t know if it was a joke or someone literally trying to troll users,” said Boyd. “Clearly people are too caught up in the excitement of naming their new giraffe to care.”

As unbelievable as it seemed, Boyd said his team observed more than 60,000 instances of users falling for it before they stopped counting. The link members were reblogging was, in fact, just a Japanese earthquake and tsunami relief effort donation page—an end result not nearly as malicious as other scams often turn out to be, noted Boyd.

Diablo 3 fever

When the eagerly anticipated PC game Diablo 3 was launched recently, several sites, but particularly Pinterest, were flooded with spam links offering everything from a free version of the new game to tips and secrets for defeating it (no small task considering the game had only been released hours earlier, said Boyd).

Boyd noted Pinterest users were being asked to “pin” content to their board in order to redeem the offers. Instead, the links led them to unrelated flash games, spam linkdumps, “online key purchasing” websites, and other fraudulent content.

“The tools the spammers use can actually look for users posting on certain types of topics,” said Boyd. “So, for example, if you are looking for video gamers, you can program these bots to target gamers.”

Get a $100 gift card

We’ve been seeing this one for years on Facebook and Twitter. On Pinterest, the visual-centric site makes this trick even more enticing.
Users will often see an image that appears to be a legitimate gift card from The Cheesecake Factory or Starbucks (two recent examples), when it is actually just the same old survey or phishing scam social media users have been falling for for ages. Boyd has seen it on Tumblr, too.

“There was a post that claimed the staff at Tumblr was giving away $50 gift cards,” he explained. “Rather than go check the official staff blog on Tumblr, people see it, get excited and hit the “reblog button” and send it on to other friends.”

But clicking the link only takes the user to a site offering up gift cards in return for email addresses and the promise that they’ll complete “two reward offers from each of the silver and gold page options and nine reward offers from the platinum reward page and refer three friends to do the same,” said Boyd.

“Lots of jumping through hoops for one gift card,” he said. And there is a pretty good chance your gift card won’t ever arrive anyway.