Let’s Celebrate Best Buy's 20th Anniversary
Last week, I was checking my Facebook account and noticed I had an Event Invitation from a fellow security researcher. Very intriguing. This friend is a world traveler and doesn’t currently reside in the United States, but the Event Invitation was for a Free $1000 "Best Buy gift card to celebrate Best Buy’s 20th Anniversary".
Alarm bells started ringing and I knew it had to be a scam. But let’s take a look...
There was no reason I could think of why they would use a bit.ly URL unless they didn’t want people to notice right away that it wasn’t a Best Buy site. This way, people are forced to click through. (There are good reasons for using bit.ly. For example, a medium such as Twitter restricts the size of your entry. Or you have a legitimate need to obfuscate the URL.)
The first thing I noticed was:
"AmazingFreeRewards.com is not affiliated with Best Buy®, Inc."
ALL of the links on this page return you to this page, except for the Gift Status link that requires a login, a login that you would create if you followed the process through to that point. Thus, there is no Privacy Policy nor any other information available. But if you enter a ZIP code, you will be transported to…
All the links here behave the same way as those on the previous page (see tabs; each either returns you to the page or requires a login). But look at all the information they want. Many of those data items qualify as Personally Identifiable Information (PII), for which a Privacy Policy is required because there are legal ramifications for their inadvertent dispersal. (I hesitate to call them legal protections as all we get is notification.)