This post is going to be a lot of coding nerditry in it so if you want to skip all the mumbo jumbo, there’s a TL:DR at the bottom.

The Marvel Universe has been pretty consistent with their movies and Netflix shows. The hype around these comic book characters are no longer relegated to comic book stores and nerd debates over D&D games. I’m not stereotyping here… I am part of the culture! So with this in mind, internet meme’s, facebook surveys and games often times center around the comicbook genre. So yesterday as I was casually surfing facebook, I happened onto one of the pages I frequent geared at Comic book fans (what? I told you already I was part of that culture) and lo and behold, I see a post getting a massive amounts traction/interaction. The post is simply this:

we are all lemmings

The Ants go marching 1 by 1

So what was this all about? And how did it work? Typing the domain into the comments section actually works as advertised. It will randomly select a Marvel character and post it saying “You are {insert Marvel character here}”. So of course I was a curious as to how this works. So opening up a safe browsing window to avoid any herbie gerbies (read: virus, spyware, adware, etc infections). And the site is pretty basic looking. A Facebook share button at the top. A large image macro with instructions on what to do (with a watermark that’s a little hard to read on it), and multiple image macros with the same instructions featuring different Marvel Characters.

The site looks pieced together fast to serve a purpose. First thing I wanted to do is check the WHOIS to see who developed the site… or atleast bought the domain. There is no hiding set so upon checking, found that it originates from Punjab. The persons name has “Fatima” as one of their names (important in a few minutes) and was registered on May 25, 2017. That’s fine. But I decided to have a look at the code a bit.. So here’s what I found:

First up, there’s a Jquery script right at the top. I would assume that it’s the randomizer that changes the Marvel Character you are for this page. Right after that, there is a Google Analytics script followed by a Facebook Pixel script. This was my first bit of curiosity. For those that have no idea what Pixel is, here’s the description laid out by Shopify:

Pixels are common across most advertising platforms. They’re used to drop a cookie that will track visitors on your website so you can advertise to them later. This is called retargeting. Once you advertise to past website visitors, pixels can also be used to track their behavior when they’re back on your website. This helps you measure the effectiveness of your ads. 

So with that in mind, this is a way for the site to track visitors and essentially leverage that data to push more promotions and “games”. In some scenarios, this could technically be used for showcasing traffic to sell a site. Clever Girl.

This is all just in the header of the site. Down into the body, There is the “Share with your friends” link to share this directly to facebook. Below that are the image macros I discussed above, but the real kicker is the bottom:

There is a script that is pointing traffic in an embedded script to a site called blogsitestep. So what is there? Well, it’s a page about internet marketing. And it redirects to multiple websites all with similar text. Not EXACTLY the same but pretty similar. After looking at the WHOIS for THAT site… the email address has “fatima” (see from the beginning of this post) in the address and it also originates from Punjab.

So my Hypothesis to all of this is that this site was created with the sole purpose to get users posting the link, generating the randomized Marvel Character, one right after the other, raising the rank of the page, and in turn raising the rank of the blogsitestep site as well. While not nefarious, it does raise question with the integration of Facebook Pixel and how they’ll use the tracking of everyone posting. Getting everyone to simply post the domain into the comments on a platform like Facebook that has over 400 million site visitors per day is going to raise the ranks of these sites with a major spike, right out of the gate! My advice? Always be careful hopping on the latest FB trend because “everybody is doing it”… data aggregation and social engineering is at an all time hi! I’ve been considering doing a few posts about the rampant use of social engineering happening on FB lately.

Update: There is a now offshoot of this. Tryben10. com seems to be another one that is working to raise their page rank. Sneaky as hell. Clever. But sneaky.

Anyhow, here’s the short version:

TL/DR: The site isn’t necessarily “malicious” but it is tracking your movement and may be used to retain and/or sell information about it’s site visitors (you). 

As always, be careful where you click!

Questions? Comments? Post em below!