FanIQ Spam Technique to Invite New Customers

Published: March 26 2009, 12:49 PM
by Eugene Bodenshtein

FanIQ is one of numerous sports social networking sites. What makes it less ordinary is the viral social engineering technique it uses to solicit new members to create a FanIQ account.

The technique includes:

  • Sending an invitation letter to all contact addresses listed in a recently joined member’s address book, without providing clear notice to the user that this will occur and that the user’s name will then be used to market their services without explicit authorization.
  • Making a user think they are registering for something they are not.
  • Not providing enough information about their service at the time of registration.
  • Misattributing their wording to lure new users.
  • Presetting attributes on the registration page to settings that the vast majority of users probably do not want.
  • Not clearly explaining how users may opt to send invitations only to selected contacts.
  • Sending follow-up messages on behalf of the user without making him aware his name is used to send repeated invitations to everybody in his address book.
  • Using an “expiration” warning to make others think the invitation is something special.

In Steps 1 through 7 below, I walk through how FanIQ acquires new members.

Step 1. The FanIQ invitation e-mail may arrive as a private message bearing the name of a person who is in the recipient’s contact list. Here, FanIQ sends a message to a recipient from what the recipient would deem a “trusted source”, leveraging the trust of that individual without that individual knowingly initiating the communication.

Note that the email addresses in red circles are legitimate private addresses, so even though the sender’s e-mail address actually belongs to a FanIQ automated service, the user might get the impression the email was intentionally and purposefully sent to him by the person he has in his contact list, maybe even his friend.

Step 2. The hyperlink in this e-mail takes you to the FanIQ registration web page.

The page looks like an invitation to take a fun IQ quiz and compare results. It might be tempting for a friend to do so. And again, the page contains the original e-mail address of the person who sent the invitation. The registration form also asks for the user’s favorite sport and favorite athlete, which at this stage look exactly like password protection and recovery questions.

Important note: the phrase “Hey, this quiz was fun – do it so we can compare” looks as though it is the user’s wording. By sending a so-called “private message” and attributing those words to the person on whose behalf the message has been sent, FanIQ is trying to convince the new member that the original user said it. This is obvious misattribution.

Step 3. After pressing the “Done” button, the user is presented with a webpage that looks like it is just another step in the registration process, connected to Google Account services.

Notes:

  • Username field is prefilled with the user's Gmail account.
  • Checkbox right under "password" field is set by default.
  • Fine print near the checkbox and on the bottom could easily be overlooked.
  • No additional information is provided on the page regarding how exactly the invitation is implemented. (Looking ahead, FanIQ sends 2 messages on the user's behalf to his contacts.)
  • Safety note at the bottom states "We will only send invitations to the friends you select". If you leave the "Invite everyone on my contact list" checkbox enabled, no choice will be given.

Step 4. The next page doesn’t look anything like the quiz that was promised. The “quiz,” which can be found in the bottom right corner, is a poll of sorts and nothing close to an “IQ” test.

Since the page looks far from what a user would expect, it will probably be closed and forgotten right away.

Step 5. Remember the checkbox with fine print on the previous page? Every contact in the user’s Gmail account, not just “Friends” but EVERYONE (for example, my “All Contacts” list contains over 500 e-mail addresses and everyone got spammed), will be sent a FanIQ invitation to participate in this “quiz” as a private message from the user.

It is clear to me that FanIQ intentionally makes the spamming process vague and does not provide clear, sufficient information for the typical user to give informed consent, particularly with regard to Step 3 above, so that they can spam the user’s entire contact list, then spam those contacts’ contacts, and on and on: a type of viral spamming through social engineering. Obviously, the site uses spam techniques to make a person believe he/she is registering for one thing while he/she is actually fooled into becoming a source of spam to all the people on her/his contact list.

Step 6. After a few days, every potential new user who received an initial invitation as part of the spamming and did not register on the site will receive another message, a warning, stating:

This time, there is a message expiration time set for users so they would think the invitation is something really special.

Step 7. Basically, in order not to “spam” all his contacts with the invitation, an attentive user should stop at Step 3 of the walkthrough and intentionally deselect the “Invite everyone on my contact list” checkbox under the username/password form. Only then, after pressing “Done”, will the user be presented with a page where he can choose specifically who to send the message to.

Note that only here does FanIQ properly explain what kind of message will be sent, and how many times. Those who didn’t opt out by deselecting the “Invite everyone on my contact list” checkbox never get this information at registration time. Personally, I would prefer to see that page right after pressing “Done” in Step 3, regardless of the checkbox selection, so I could select all, some or none of the contacts after reading the important info circled in red and know what those invitees will receive using my name.

Conclusion

FanIQ has developed a refined social engineering technique: it uses a misleading quiz message to lure people in, then uses the email address book of each new registrant to spam all contacts in that address book and gain new members. During registration, FanIQ does not give users enough information to understand that filling in their username and password will result in all their contacts being spammed. The emails sent to potential members appear to originate from a trusted source, so these contacts are more likely to follow through with the registration and start the whole spamming process over. You might call this a “viral social engineering” technique.


By: Eugene Bodenshtein
Eugene Bodenshtein is a software engineer with the CA Internet Security Business Unit (CA ISBU). Eugene's research related interests include network exploits and intrusions, malware, penetration techniques and reverse engineering. Before he joined CA Israel in 2000, Eugene was a network and system...

42 people have left comments:

I got lured into this scheme and now fan iq are emailing my contact list.  Can I do anything to stop this and get the spam out of my computer?

Posted by: todd schilperoort | March 28, 2009 10:23 PM

A similar thing happened to me with Reunion.com.  When I became aware of what happened, I Emailed everyone on my contact list to explain the scam.  Then I went to the Reunion site & unsubscribed.  I haven't been bothered since.

Posted by: *** Bartell | March 31, 2009 10:00 PM

This happened to me last week, too. I sent an email out to my contact list to advise them not to open the email, but I'm still getting emails from contacts wondering if I sent it. How did so much damage happen so quickly?

Posted by: Jeff | April 7, 2009 6:00 PM

I received this FanIQ from one of my nephews.  I didn't know what it was.  If it was from a friend of anyone else but a close relative, I would have deleted it  Now I'm getting emails from other family members and friends asking if I sent it.  They are still getting emails.  How do I stop this?

Posted by: Elizabeth | April 11, 2009 6:46 PM

This happened with me yesterday and everyone on my contact list has got this mail seemingly from my side. This is terrible and I wish some hacker will just put an end to this faniq site by giving them what they deserve.

<...>

Posted by: vaiibhav | April 13, 2009 3:40 AM

I consider myself an experienced techie, and as such I clicked on the "Don't find my friends" link and never had to enter the password to my email account.  I am glad I read the whole page as I quickly realized there was no IQ quiz and my "friend" had not yet completed the quiz.  A quick Google search proved this is a spam scam.  

Posted by: Matt | April 23, 2009 7:55 PM

McAfee SiteAdvisor rates FanIQ as safe, so I fell for this technique. I joined and, using to FanIQ, I wrote to the person who "asked" me to join. The response I got was from someone I didn't know and who was totally baffled by FanIQ. I immediately cancelled my account and cleared my cookies.

Posted by: Terry | April 24, 2009 2:19 PM

This is how all web 2.0 companies work.  You invite your friends.  I am a top user on FanIQ and they don't spam any of my friends.   If I invite them to join, they send an email.  This is clearly just an angry person who didn't realize what they were doing.

Posted by: Anne | April 24, 2009 3:53 PM

Thanks for the heads up, I thought these e-mails looked a little suspicious, even though it came from someone I know.

I would be mad too if a website tricked me into getting all of my Google e-mail contacts!

I think that Eugene was not trying to say that FanIQ site is illegitimate. I am sure there are a lot of fun features that this website offers. He was merely talking about the registration process. First it makes you register for something when you really don't have a clue what it is. Second, it tricks you into giving them permission to spam all of your contacts, unless you read the small print. Does this sound like an honest website to you?

Posted by: Nate | April 29, 2009 2:19 PM

The registration process has been changed, and there should not be any more problems.

Posted by: Dave | May 13, 2009 5:33 PM

I always investigate things like FAN-IQ. In fact, am not into signing up for stuff like this. I'm on facebook and if somebody decides they want to contact me in another fashion, then 'tuff-luck'! Facebook is a good intermediary contact system which alleviates spam with my personal email. I get enough of it and don't need more jamming my inbox! I'll 'Zotero' (bookmark) this website, to investigate future spam.

Kudos to Eugene for taking the time to present this data in words and pictures!

Posted by: TChase MdPhee | May 19, 2009 11:06 AM

Thanks for the great article.  I too received a "Fan-IQ email".   Before going any further I did a quick Google search and found this page.  You did a beautiful job describing this Spam.   Kudos

Posted by: Esteban | May 24, 2009 7:13 PM

I also got same kind email and when I was told to register, it sent email to all my contacts without knowing me. This is ridiculous. Now I never open any mail from FanIQ and advise same to others. This is big spam.

Posted by: Manoj | May 25, 2009 10:17 AM

SOMETHING SHOULD BE DONE TO STOP THIS.  OBTAINING UNAUTHORIZED INFORMATION AND USING IT IS ILLEGAL, THIS SITE HAS PREYED ON THE ELDERLY AND THAT CERTAINLY IS ILLEGAL.

Posted by: barhout | May 31, 2009 9:15 PM

Out of all the comments no one answers how do you stop this from asking your friends to join???  Please help!!!  I have 2,500 contacts who now hate me!!!!

Posted by: Fan IQ hoax | June 2, 2009 9:15 PM

Eugene, thank you for explaining this fraudulent member gathering system. You have done us all a great service. I didn't open the "private message" emails, and now I won't!

Posted by: mtmind | July 9, 2009 11:26 AM

Thanks for the informative post. I received a variety of spam mails from FanIQ from a business associate whose account information was stolen by FanIQ through this social engineering tactic. After receiving several spam emails from FanIQ, even one this morning, I registered on FanIQ and then immediately started posting replies and articles about how much I loved receiving spam from their site, along with posting a link pointing to your article.

Wouldn't you know it that the moderator of FanIQ suddenly started msg me about 20 minutes after being on the site, claiming that their system was hacked by an "e-mail virus hack" back in March. Very believable. He then proceeded to delete my account.

My advice is that if you are on the receiving end of FanIQ's social engineering tactics, turnabout is fair play. Register as a user and then start posting how much you like receiving spam to as many msg boards as possible. It appears that at least moderators are paying attention to the content. As no business wants the reputation of a spammer, maybe they'll stop spamming people if enough people waste their time.

Msg archives (posted July 10, 2009) to my account from the moderator:

--------------------------------------------------------------------------------

All right, you've made your point. Although you seem to be an unfortunate recipient of an email virus hack we had for a week in March that caused the spamming. There has been nothing like that since.

100%InjuryRate | 48 minutes ago

[Reply] [Delete this comment]

It's a string that seems to still be alive about there. This happened for one week in March and has caused multiple problems since. None of this has been in the registration process since then. I thought it had ended but it still seems to be going. Just delete the emails, or tag them to be junk if possible.

100%InjuryRate | 42 minutes ago

[Reply] [Delete this comment]

We shouldn't be, this is from March, and nothing is the same in the registration and hasn't been for a long, long time.

100%InjuryRate | 29 minutes ago

[Reply] [Delete this comment]

Posted by: Rainbird | July 10, 2009 3:18 PM

Avoid this at all costs.

Posted by: Larry Garza | July 14, 2009 10:37 AM

Yes, the FanIQ moderator is clearly lying about this no longer being part of their flow. I received one of these engineering fraudulent invites on July 28th.  Note the date and the domain keys signature (indicating that it was in fact sent from their domain and not forged)

DomainKey-Signature:   a=rsa-sha1; c=nofws; q=dns; s=s1024; d=ci.faniq.com; b=V2WEI2344O4gQpStu1nSO9SMopDdrzckYfYztcFZfbIpennewXl5XKmBVDhkVCGi+w6+4XTEJ/CS rnqrH6UjpCPjW5+2SnAjOEp41AKXhN7wZAKpgj/SMSOqfubZ5Ntvkc3JfbeXYhueSim3FlCR9gxy GFDLNeKzd8ArggK9f4I=;

Received: from 127.0.0.1 (10.10.20.9) by mail04.faniq.com id hdrnbo0qdtkt for <X@Y.Z>; Tue, 28 Jul 2009 06:52:44 -0400 (envelope-from <messages@ci.faniq.com>)

Posted by: Another FanIQ victim | July 30, 2009 3:51 PM
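The header reading that comment relies on, together with the Step 1 pattern of a contact's name on a service-owned address, as an added example (not part of the original post or its comments). The From, Reply-To and Subject lines, the contact entry and the `b=` placeholder are constructed; the block only reads the signature's claimed `d=` domain and does not verify the signature against DNS.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Received and the d=/s= tags follow the headers quoted in the
# comment above; From, Reply-To, Subject and the b= placeholder are made up.
SAMPLE = (
    "Received: from 127.0.0.1 (10.10.20.9) by mail04.faniq.com id hdrnbo0qdtkt "
    "for <X@Y.Z>; Tue, 28 Jul 2009 06:52:44 -0400 "
    "(envelope-from <messages@ci.faniq.com>)\n"
    "DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=s1024; "
    "d=ci.faniq.com; b=PLACEHOLDER=;\n"
    'From: "Alice Example" <messages@ci.faniq.com>\n'
    "Reply-To: alice@example.org\n"
    "To: X@Y.Z\n"
    "Subject: private message\n"
    "\n"
    "body\n"
)

def parse_tag_list(value):
    """Split a 'tag=value; tag=value' signature header body into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def same_or_sub(child, parent):
    """True when child equals parent or is a subdomain of it."""
    return child == parent or child.endswith("." + parent)

def analyze(raw, contacts):
    """contacts maps address -> display name from the recipient's address book."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sig = parse_tag_list(msg.get("DomainKey-Signature", ""))
    # Only the topmost Received line (added by the receiving side) is read here.
    m = re.search(r"envelope-from <([^>]+)>", msg.get("Received", ""))
    env_domain = domain_of(m.group(1)) if m else ""
    signer = sig.get("d", "").lower()

    findings = []
    # The signing domain claims the same infrastructure as the envelope sender.
    if signer and env_domain and same_or_sub(env_domain, signer):
        findings.append("envelope sender is inside the signing domain")
    # A known contact's name or reply address rides on an address that is not theirs.
    known_names = {n.lower() for n in contacts.values()}
    known_addrs = {a.lower() for a in contacts}
    uses_contact = name.lower() in known_names or reply_addr.lower() in known_addrs
    if uses_contact and from_addr.lower() not in known_addrs:
        findings.append("contact identity on a third-party sending address")
    return {"signer": signer, "selector": sig.get("s", ""),
            "envelope_domain": env_domain, "from_addr": from_addr,
            "findings": findings}

if __name__ == "__main__":
    report = analyze(SAMPLE, {"alice@example.org": "Alice Example"})
    for key, value in report.items():
        print(f"{key}: {value}")
```
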

This same thing happened to me early last week, when EVERYONE, almost, from my email address account was emailed this "private message" ***.  I've reported them to Internet Crime Complaint Center.

Found out Faniq.com is an email harvesting site, and a sleazy one.

Posted by: Sharla | August 4, 2009 1:05 AM

My concern is for newbies just putting their toe into social networking. This could turn them away. This article and others like it are needed to inform and educate. I think the comments are excellent also to get the full picture

Posted by: rosie | August 4, 2009 11:13 AM

Thanks for the detailed post--it's interesting to see the whole process, and the comments people have posted since the first post.

But I'll add my story since I haven't seen anything quite like it here or on the other pages my google search turned up.

I was suspicious when the "private message" showed up in my inbox because it WASN'T from anyone I knew, and instead the email account I found it in is the safest email account I have, one that has barely received a piece of spam in the past 3 years.  I glanced at the email itself, just to confirm that I didn't know the person--nope!

I saw the same image as in Step One above, and immediately started googling "Fan IQ spam" and turning up this and other sites describing the same thing.

But the process described above, and what most people are saying, insists that the messages get sent by being sent to email addresses harvested from the gullible subscriber's address box when they don't deselect the check box.

How could I have received a message from an email address I've never seen, with an associated name that I don't recognize?  ...Unless there is some sort of actual virus involved here, or even sneakier address collecting than meets the eye.

I also googled the supposed sender of the message, and I got exactly 3 hits where this person had left their email address behind on 3 sites.  That was it.  My own email address doesn't show up in a google search, and I'm not a member of facebook or any other social networking site.  I give out a completely separate email address any time I have to register with any online retailer (amazon, etc).

I have no idea how my email address could have been listed in this random person's address book.  And it's alarming that this overall problem has been aggravating people for at least 6 months now!

Posted by: Unknown FanIQ Contact | August 9, 2009 2:22 PM

I just got a message from my 'rarely used but with family and close friends' email, from an address that I have NO idea who it is, inviting me to read a 'private message'. I think faniq is seriously heading down the wrong road.

THANK YOU for this post!

OH, I got 'no' sites where this person's email address was listed. No info at all

Posted by: KJO | August 14, 2009 9:10 PM

We need a Class Action Lawsuit filed on these bastards, this is exactly the "Ill Will" that has been nurtured by the "Greed is Good" Mentality of the Conservative Capitalist Free Market whackos.

Posted by: shroomduke | August 20, 2009 1:53 AM

same thing happened to me last night 8-20-2009. over two hundred addresses in my business account. some very disappointed clients. most likely will bring about ruin of client base and business. going to consult an attorney on what can be done.

Posted by: tommygunn | August 21, 2009 12:49 PM

Glad I found this before proceeding, have Tweeted the article link, please Tweet this article to your followers /friends so they know not to proceed if they get these messages.

Posted by: Steve | August 21, 2009 5:00 PM

As of today, Sept. 3rd 2009, this is still happening.  Unfortunate.  

Posted by: Peggy | September 3, 2009 3:45 PM

Thanks so much for this posting.  It has prevented me from responding to just this scam.

Posted by: Stu | September 4, 2009 12:19 PM

These low-life scums are still spewing their scam spams as of 2009 September 21.

It is unfortunate that Gmail allows these to pass through so easily.

Posted by: JC | September 25, 2009 12:49 PM

After receiving a couple of these spams from FanIQ, I added FanIQ to my blocked senders list.  No more FanIQ spam.

Posted by: ksu499 | September 29, 2009 9:56 AM

Well, it's October 16, 2009 and the "March virus" problem still exists.  

Last week I received a FanIQ email from someone I trust, and ended up opening it (exactly as it shows in this post).  I actually remember that it stated only selected emails would be sent, but there was no list to select, so I stupidly thought there would be no emails sent.  

I started receiving emails from everyone on my email list asking if I sent the invite.  I quickly sent out an apology email, asking them to delete this thing, and sent a note to the site asking them to stop using my private information.  No response and today a 2nd email to all of my contacts.

I sincerely hope that the 3-email rule holds true because this is ridiculous.  A friend has suggested taking legal action for use of my private information without proper notice.  If this continues, I will seriously consider looking into legal recourse.  Anyone care to join a class action suit? ugh

Posted by: Sam | October 16, 2009 3:14 PM

somebody please help me...

I received mail from this noreply@ci.faniq.com

Without sender name, the subject only [SPAM], and empty message.

I've tried to black list, move them to junk mail but the spam still continued till now...

Any body please let me know how to stop receiving this mail....

Posted by: erwin | October 26, 2009 8:30 AM

I got an email and it was from my best friend and i didn't  think she would spam me on purpose!!!

so i opened it and all my contacts are getting it and joining i keep telling them to cancel it!!!  

Posted by: jayne | October 27, 2009 5:18 PM

It is still alive and well - I just got one today.

Thanks to the original poster for the excellent step-by-step description of the process.

There is one thing that I can never understand, and is common to this and similar scams,

and I am surprised was not pointed out in the original posting:

 Why would anyone give a third-party site the password to their email account?

Never, ever give any site your credentials for another site or service. Ever. If it won't let you join without doing so,

then it is an obvious scam.

Posted by: Mike | November 8, 2009 11:04 AM

"Posted by: Nate | April 29, 2009 2:19 PM

The registration process has been changed, and there should not be any more problems."

Yeah, right, Nate. I just started getting FanIQ spam today. I'm not even a sports fan!

Posted by: Billy | November 17, 2009 7:56 PM

I just received it today on my yahoo mail account. The sender address was actually a very old friend who i hadn't talked to in a long time. I got suspicious because no old friend would try to reunite with a very spam-like email. I googled it and the different articles online have helped. Thanks all.

Posted by: AMN | November 30, 2009 8:57 AM

I got that too and totally felt regret for it. I wish i could take back every spam it sent and BTW, someone know how to take it back because 2 of the name in the list was my teacher, i'm so doomed!

He said i'm not allowed to send anything to him outside school work and i'm so mad at my friend who get me stuck in that FanIQ thing!

Posted by: angela santiago | December 15, 2009 7:46 PM

Some one know how to take the spam back? I was the most stupid person to register on it because the same reason up there. It said that my friend send me something and i thought if my friend send it then it would be ok.

Now the websites automatically send message to everyone on my email list included 2 of my teacher! I want to take the spam back because the teacher was really strict. I'm going to die! I already email the moderator and i don't think she would fix the problem for me!

Do some one know how to take the spam back!?

Posted by: angela santiago | December 15, 2009 8:02 PM

I received the private message from someone I did not know.  I got to Step 2 but did not press the "Done" button.  Now I can't log on to Facebook on this computer.  There seems to be a connection between Facebook and FanIQ.  Does anyone know how I can fix this so I can log on to Facebook?

Posted by: Celeste | December 31, 2009 10:52 AM

Thanks for the heads up, almost tricked in to giving my password for my email account

Posted by: barry | December 31, 2009 1:23 PM

Please tell me how to unsubscribe an Email Id from faniq domain

Posted by: Aarif | January 6, 2010 6:14 AM

 
 