Cadbury Warns of Easter Egg Scam

Cyber-criminals are impersonating the confectioner Cadbury online to steal personal data. 

Users of social media platform Facebook and messaging platform WhatsApp have encountered a scam that lures victims with the promise that they will receive a free Easter basket packed with chocolate treats.

Cadbury has confirmed that the offer is “not genuine” and has stated that it is taking action to resolve the issue.

A tweet posted to the Cadbury UK Twitter account on March 31 stated: “We’ve been made aware of circulating posts on social media claiming to offer consumers a free Easter Chocolate basket.

“We can confirm this hasn’t been generated by us & we urge consumers not to interact. Your security is our priority & we’re currently working to resolve this.”

The scammers have taken a direct approach, sending targets a malicious link in a direct message. The message includes an image of a white rabbit on a lawn in front of a large historic home. In the rabbit’s paws is a purple Cadbury Easter egg, printed with the message “Join the Cadbury Easter egg hunt.”

Along with the image is the text “Cadbury FREE Easter Chocolate Basket, 5 free gifts for you,” together with a link. 

Following the link takes users to a page where they are asked to share their personal information.

“This attack highlights again our weakest link in security–the human factor,” commented Miclain Keffeler, application security consultant at nVisium.

“Receiving messages from trusted contacts skews our opinion on the content, and thus makes us trust the content inherently rather than questioning it with the same intensity as we do messages from people we don’t know.”

Keffeler told Infosecurity Magazine that social media companies need to improve their cybersecurity to protect customers. 

“There is a responsibility on social media sites like Facebook. There is work to be done in who can create new pages and can claim to be somebody they are not,” said Keffeler. 

“There is an additional responsibility on WhatsApp. Their authentication mechanisms are certainly lacking in industry standards and their 2-Factor authentication, which they coin ‘Two-step verification,’ is just adding a 6-digit fixed pin to your authentication.”
