Many people have likely seen this Aldi coupon scam appear on their Facebook news feed by now, and some have attempted to get the coupon. Unfortunately (sorry to burst your bubble, couponers), it’s completely fake, but the coupon post is still gaining a lot of undue traction.
I stumbled across the coupon last morning on my Facebook feed. At Gillware Digital Forensics, Cindy Murphy and I firmly believe in the concept of “forensic addiction,” so I just had to do a little forensic digging to see what was going on here. I could tell right away that the coupon was fake. But I just had to know what the scammer’s motivations were. Were they just trying to farm contact information to later be used to generate sales leads? Were they trying to gain access to user’s Facebook accounts? Or was this ad trying to run some malicious software on the computers of unsuspecting victims who just wanted to save on groceries?
So you don’t have to click it to find out for yourself, here is a screenshot of what the fake Aldi coupon scam looks like on your Facebook timeline:
The easiest way to identify this coupon as fake is to look at the web domain that it goes to.
A web domain is a portion of the URL (Web Page Address) that points to a specific web server. In the case of the fake Aldi coupon, the domain is ALDISTORE.US, which can be seen towards the bottom of the post on Facebook. It seems very believable. .US is a common type of domain, although not as common as .com, .org, or .net.
After I determined that the domain of our fake Aldi coupon was ALDISTORE.US, I immediately went to Google and searched for “Aldi”. Typically, when you search for a company, the top result is their actual website.
As you can see in the red box on the screenshot of the Google search results, the domain for Aldi is actually aldi.us, not aldistore.us as our fake coupon would like us to believe. Aldistore.us actually goes to an entirely different web server that is not owned or operated by Aldi!
Domains can identify fake emails as well. My email is email@example.com, so all emails that I send come from firstname.lastname@example.org. If I sent an email to you from email@example.com, you might think it was actually me, but it’s just someone pretending to be me. This is a very common social engineering technique hackers use to successfully distribute ransomware and other malicious software to individuals and small businesses.
In the simplest form, the domain is just the part before the .com, .org, .net, .us, .biz, .ca, etc. and the first period before that (if it has one). For example:
When you go to aldistore.us, you find yourself presented with a few simple questions about your experiences with Aldi. Then you are presented with two things that you need to do on Facebook. Here on some screenshots of what you would see:
Now, the scam doesn’t seem too great, because it is showing a Kroger gift card when the users are expecting an Aldi gift card, but I have seen variations of this in which it shows an Aldi gift card. At this point, the “Collect 100 Points and get a free gift card” page wants you to answer a few questions (to earn points, ostensibly):
For every question you answer, you come slightly closer to getting the “100 points” you need to get the fake gift card. Based on the nature of these questions, this scam certainly seems like a way to generate sales leads. Whoever hosts this website likely sells the leads to other companies. If you can collect a few hundred thousand individual’s personal information and sell the data for a few pennies a person, you can quickly make some (probably illegal) extra cash.
The ALDISTORE.US website is a very simple website. The website loads a main index.html file, which is aldistore.us/index.html. This index.html contains a lot of CSS, which creates the look and feel of the webpage. This is what they use, along with the Aldi logo, to try and make it seem more legitimate. In this situation, there did not seem to be any malicious CSS, so I removed all the CSS code from the index.html file I was evaluating for security threats.
jquery is a very legitimate piece of code, and it used on millions of websites worldwide. jquery.com is legitimate, and this does not download any malicious code.
This is another legitimate jquery library that is used all over the world.
In conclusion, as far as I can tell after taking a quick glance, the ALDISTORE.US site is not doing anything malicious. However, once an individual clicks the button “Like ALDI.US,” they find themselves redirected to any different number of URLs that begin to farm their data as they fill out forms.
If you clicked on the Aldi coupon scam after one of your friends shared on Facebook, realized it was a scam, and closed the windows without sharing any personal data, you probably have nothing to worry about.
If you went through each step and clicked the “Like ALDI.US” button, the scammers might have farmed some of your data. But compared to recent data leaks, this is nothing to be overly concerned about aside from perhaps a bit more junk mail in your inbox.
In the future, make sure to look at the domain before clicking malicious URLS!