Scam Alert: “Testers needed to test the Apple iPad” – testitandkeepit.com

i got an email last night sent from a client we did a website for about a year ago inviting me to become a tester for an Apple iPad.  actually, i got two emails — one sent to each of my main addresses.  The subject line of the email was “Testers needed to test the Apple iPad.” redundancy aside, i was curious — also, skeptical.  it’s a little late in the game for there to be iPad testing; usually testing (and certainly anything calling itself “beta testing”) is conducted before the device is ready to ship — the iPad already has a hard release date.  the only kind of testing that would even be feasible is some kind of user experience testing for the purposes of market research (in which case it wouldn’t matter when the product was released, but it would probably make more sense after the producer got some initial sales figures). barring someone hanging out in your home and following you around as you use the thing, something like that would almost certainly need some special software installed, and it’s been well documented and established that the only software that gets onto an iPad is — like the iPhone or iPod Touch — from the iTunes App Store.  The body of the email had this to say:

Hello [my name],

Your contact “[contact’s email address]” invited you to join our TestitandKeepit program.

At this time we are actively searching for people who will be willing to test the new Apple iPad. The testing period will take only two months, after which you may keep it as compensation.

To see more details and register to our program, follow the link below:

http://www.testitandkeepit.com/1

Thanks,

The TestitandKeepit Team

This immediately made me search for “test it and keep it” — certainly if this was an established company, their website would be highly ranked on a search for their own business name.  and, if it was a scam,  i should see some blog posts or scam reports on such.  the results?  well, i didn’t find the company, or even their website, by searching for “test it and keep it”, but i did find several posts in various different places that gave the impression that it was, in fact, a scam.  most of them, however, were not based on any hard evidence as the authors hadn’t actually gone through all the steps.  it wasn’t until i found this post on the sophos blog from earlier this month that i could see what the take was, summarized in this handy-dandy youtube video.

all of these so far, though, are referencing this as being a facebook scam, and it wasn’t an email (or invitation to join a group) from facebook that sent the invitation i received.  thus prepared, i ventured to the site.  a few things caught my attention early on:

  1. the top navigation links work, sure, but the “contact”, “home”, and “rss” links at the bottom of the site don’t link to anything.
  2. while there is what appears to be a newsfeed on the right side of the page, complete with number of comments, none of the “posts” actually link to anything.  neither do the comments.
  3. there is no specific evidence of this group ever conducting a test like this before, other than a mention in the non-functioning news feed
  4. although the company description freely says that they are not directly related to the product manufacturers and are an outside organization called in to select participants for product tests and report back their findings, a company as large as apple would not be very likely to hire an outside organization — especially given their policy of extreme secrecy when it comes to new products.
  5. from their about page:

    Our mission is simple:
    “Make life easier for everyone.”

    We offer solutions hassle-free to companies who want their products reviewed. We select participants and we deal with all the paper work, the logistic behind selecting the participants, getting their reviews, etc… Plus we make life easier for all the people who will purchase the product in the future, because of our help, the product will be improved and fixed from its original conceptual bugs or malfunctionning.

    this is the sort of meaningless copy that people who have never been directly involved with product manufacturers or large corporations might believe.  are there companies that get hired by large organizations to test their products?  sure.  but are the primary incentives in hiring such a company a) selecting participants, b) dealing with paperwork, and c) making life easier?  no, they have staff that can handle stuff like that.  would a company like apple hire the “Test It and Keep It Team” based on their company’s description on their about page?  very unlikely.

  6. and then there’s the little matter of grammar.  most people who receive spam on a daily basis know that the easiest way to detect spam and phishing emails from their legitimate counterparts is that, more often than not, the language and grammar in the spam and phishing emails is atrociously bad, riddled with spelling and punctuation errors as well as simple sentence structure errors that any large company’s PR and marketing team would have caught before going to press.  however it’s also widely known that people don’t read, and certainly when it comes to something like this, they are more likely to skim the page. yuo konw taht eamil taht yuo gte wehre lla teh wrods aer splled wrnog and this is to prove that as long as all the letters are there, it doesn’t matter what order they come in in terms of being able to read it?  well, that just goes to show how much we can skim and not even realize we’re doing it, but anyone somewhat trained in picking out errors like this will see these things as glaringly obvious.  certainly no company trying to impress the likes of apple would let such mistakes be published on their website.

none of these things looked too promising for this little site, but out of pure curiosity, i decided to see what happens when i try to sign up.  like the facebook version, the signup is split up into 3 parts.

step 1 — submit your name and email address (interestingly, though, the name fields are labeled as “Name” and “Last Name” — usually, when first and last name are required, they are at least listed as “first name” and “last name”)

step 2 — invite all your friends.  since they can’t do this automatically directly on facebook, they’ve built in a method by which you can invite all of your friends from various different networks simply by entering your username and password!  (because i love giving out my username and password to shady companies.)  presumably this mass emails all your friends on various different networks with a message similar to what i received trying to get more people to sign up for step 3.

step 3 — complete registration.  you might think that this would be like a submit button or send you a validation key or something like that.  in fact, this button redirects you to a completely different site, online reward center (i am providing the link for reference purposes only, submit your information at your own risk).  at first glance, this looks exactly like those other sites where you go through 20 pages of offers and surveys to get a free iPod, only to come to the last 2 or 3 pages which require you to sign up for 10 different trial offers in order to receive your iPod.  no good will come of these sites — trust me, i’ve tried.  at one point in time i had heard a story of someone i knew personally who had set up a fake email address and gone through the steps and did actually get their ipod which led me to try it myself.  i chickened out at giving out my credit card number, though, so the only thing i got was spam and added onto Camel’s list for product samples and coupons.  i don’t smoke, but at some point there was an option to choose which cigarettes i preferred, marlboro or camel, and neither wasn’t an option.  as a sidenote, i googled “online reward center” too, and found several entries on the scamminess of that, too, including several questions to Yahoo! Answers to the effect of “is the free stuff you get here for real?” to which the answers were “no,” “no,” and “sometimes if you’re lucky and prepared to get a lot of spam.”
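Two of the red flags described above can be checked mechanically: links that render but go nowhere (items 1 and 2 in the list) and a signup form that asks for your password on other networks (step 2). The Python below is an added example, not part of the original post; the sample HTML is constructed for illustration and is not the site's actual markup, and the provider list and the 50% threshold are assumptions.

```python
from html.parser import HTMLParser

# href values that render as a link but navigate nowhere
DEAD_HREFS = {"", "#", "javascript:;", "javascript:void(0)", "javascript:void(0);"}
# Assumed provider names to look for inside a form; extend as needed.
PROVIDERS = ("gmail", "yahoo", "hotmail", "aol", "facebook", "twitter")


class RedFlagScanner(HTMLParser):
    """Counts placeholder links and forms that ask for third-party passwords."""

    def __init__(self):
        super().__init__()
        self.total_links = self.dead_links = self.credential_forms = 0
        self.in_form = False
        self.form_has_password = False
        self.form_text = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self.total_links += 1
            # a missing href and an empty href both count as dead
            if attr.get("href", "").strip().lower() in DEAD_HREFS:
                self.dead_links += 1
        if tag == "form":
            self.in_form, self.form_has_password, self.form_text = True, False, []
        elif self.in_form:
            if tag == "input" and attr.get("type", "").lower() == "password":
                self.form_has_password = True
            self.form_text.extend(attr.values())  # field names, option values

    def handle_data(self, data):
        if self.in_form:
            self.form_text.append(data)

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            text = " ".join(self.form_text).lower()
            # password field plus a named outside provider: credentials for
            # someone else's service are being collected
            if self.form_has_password and any(p in text for p in PROVIDERS):
                self.credential_forms += 1
            self.in_form = False


def scan(html, dead_ratio_threshold=0.5):
    s = RedFlagScanner()
    s.feed(html)
    s.close()
    ratio = s.dead_links / s.total_links if s.total_links else 0.0
    flags = []
    if s.total_links and ratio >= dead_ratio_threshold:
        flags.append("mostly-dead-links")
    if s.credential_forms:
        flags.append("asks-for-third-party-password")
    return {"links": s.total_links, "dead": s.dead_links,
            "dead_ratio": round(ratio, 2), "flags": flags}


# Constructed sample page (not the real site's HTML).
SAMPLE = """
<a href="/about">about</a> <a href="/faq">faq</a>
<div class="news"><a href="#">We just finished our latest test!</a>
  <a href="#">12 comments</a> <a href="javascript:void(0)">New program</a>
  <a>3 comments</a></div>
<form action="/step2" method="post">
  <select name="provider"><option value="gmail">Gmail</option>
    <option value="yahoo">Yahoo</option></select>
  <input type="text" name="username"> <input type="password" name="password">
</form>
<div id="footer"><a href="#">home</a> <a href="">contact</a> <a href="#">rss</a></div>
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Neither flag proves a scam on its own; an ordinary login form has a password field too, which is why the check also requires an outside provider's name in the same form.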

so here’s what i think: this started out as a facebook scam.  ultimately, though, it got banned from facebook from so many complaints (but not before racking up thousands upon thousands of fans).  after that, either a copycat scam popped up, or the same guys with a different catch who, rather than harvesting cell phone numbers, are getting commission on all the crap you sign up for on those survey things — a gimmick that is almost as old as the internet itself (and more than likely based on those publisher’s clearing house sweepstakes offers).

the moral here is: if it looks like a duck, acts like a duck, and quacks like a duck, it’s probably a duck, no matter how much you want that duck to be a free iPad.

also: as a further side note — i contacted the person from whom i received the email originally, including the link to the sophos post.  his response was that he received it but did not sign up for anything.  after doing a twitter search, it looks like possibly this scam is even more insidious than it seems, exploiting gmail contact lists to get email addresses.

Update 3-31-2010:

For anyone who’s signed up inadvertently and is interested in “what are my risks”, read this from the scam warners forum.  The short response is: don’t give anyone your credit card information over the phone.

If I briefly describe the Florida holiday scam it’ll give you an idea how this can turn into a very shady business.

There are many ways used by marketing companies to collect people’s details. Many sites offer money off coupons and they insist you enter personal details including your phone number. They also have booths at country fairs, race meetings or exhibitions with entries to a free competition for a holiday (of course, there’s no holiday). They then sell these details on to a boiler room with one purpose only – to get your credit card details. They ring up telling you that you’ve won a holiday and that you just need to pay some small deposit, and it’s pressure tactics that you wouldn’t believe. They then clear your account.

It isn’t just spamming.

26 Replies to “Scam Alert: “Testers needed to test the Apple iPad” – testitandkeepit.com”

  1. Thanks for the info. I also got this email and I figured it was some sort of scam. I also followed some of the links to discover that it doesn't go anywhere. As a general rule, I normally do not click on any buttons or links. Usually, I'll right-click it and find the address in the properties. I then cut and paste that in my URL. I find this to be much safer. Also, I right click to close pages as well. Some scam sites are clever enough to reprogram the close button at the top right of the IE screen. Yes, I agree . . . if it's too good to be true, it's probably a scam. Thanks for your post.

  2. Indeed, thank you for such a well researched article on this scam. I typed up the website to look if it was real but didn't feel like chancing fighting to close all the popups if clicking anything on the page set off that and googled it, finding you. Cleared it up for me perfectly.

    1. interestingly enough, the site didn't have any pop-ups or malware that i could see. i run Spybot Search & Destroy and Avast! A/V and either would have caught any viruses or adware (plus I use Chrome and a lot of that stuff uses IE exploits to get onto your system). I have two theories as to why: either they didn't want to give off the impression that they are anything but legit, or the site is so "website-in-a-box" that they don't actually know how to add that stuff in. either is equally plausible in my mind.

  3. I just got the email and I agree with you Jazz…I was immediately suspicious and the site made it worse. Who is this (we)?? sounds like arrogant idiots. I am glad I found this blog it absolutely helped confirm my suspicions. Thanks for posting I just tweeted your link as a reference point for anyone in my (networks) that may receive this (testitandkeepit) email from the same contact I got it from.

    Good Day,
    Teressa

  4. It looks like a phishing attempt. I went to the sign up process, put in a fake email address, and was presented with the options to import my address book from various sites.

  5. Hmm… Don't trust anything with glaring spelling and grammatical errors? What about a severe lack of capitalization? Does that count? :P

  6. ok, so i was caught in a weak moment and actually submitted my email address, although I didn't give out my password (step 1 only). I then received the email and stupidly confirmed. What are my risks now?

    Thanks,

    Wish I read this blog earlier.

    1. well, you'll almost certainly get swarmed with spam. that's more or less manageable. i'm not entirely sure what *exactly* they are doing with the passwords, and that makes me nervous, so it's good you didn't go that far. and if you didn't submit your cell number, you won't get subscribed to any kind of premium service that texts you discounts and offers for stuff you probably don't care about. the thing that makes me nervous is that people have said that the scam "hacks" gmail accounts. i'm not sure whether to believe this or whether it's just sensationalizing the issue. what i do know is that google buzz will automatically make connections and build a network of other individuals for you based on who you communicate with most, and that that list can be viewed publicly. i also know that buzz pretty much works automatically whether you use it or not, so my fear is that they can harvest email addresses via some back door in buzz (since it's still in early beta) and spam all your friends even if you didn't give them access to anything other than your email address. that's probably the worst-case scenario, though. the most likely consequence is you'll get subscribed to a bunch of crap.

      1. Thanks for replying. Yeah, I figured I'd start getting a lot of junk and it's not like I don't already so, as you said, that's manageable. I think they already had my gmail account since I got the email in my in-box because they farmed my friend's address book and all those she contacted (she was unfortunate to follow through and supply all the info they requested.)
        That's interesting about Google Buzz. I wondered how they seem to automatically 'friend' me with a couple of my contacts even before I knew what Buzz was! You'd think Google would be more secure but hey, it's just a bunch of bio units doing the coding and I think we all know the high standards of quality that coders attain.

      2. that's been a major criticism of buzz because, whereas with twitter and facebook you get to choose your network, buzz does that stuff on its own, which may or may not be a bit of an intrusion (depending on who you are and how accurate their assumptions about your contacts are). personally, i'm avoiding buzz until google starts getting their toys to play well with each other. the last thing i need is yet *another* social network…

      3. Same here. haven't touched Buzz. I'm finding I'm on FB less and less. I may have been on Twitter once this year. Linked In, Plaxo, the list goes on and on. Who has time to read about someone's shopping spree or mountain adventure.
        BTW, hope i didn't hurt anyone's feelings with my coder's comment. I is one meself.

      4. i am fairly active on twitter, but often it's just when i need some brain candy or i have a few minutes to kill. but i use nutshell mail so i find i'm very rarely on facebook itself and just scan the digest email i get once a day.

  7. Hello, I stupidly completed steps 1 through 3. What are my risks now? Should I change my gmail account password? Please help. I am so upset I went through with this.

    1. changing your gmail password would be a good start. also, if you gave any other login info for other networks in step 2, it'd probably be a good idea to change the password there, too. i know of a few somewhat shady Twitter apps that require your logon info (instead of using the standardized OAuth) that will then tweet for you things that will draw traffic back to their site, and the only way to prevent them from doing this was to change the password.

      other than that it depends on what information you gave them, really. the sort of rule of thumb i've heard passed around is that you basically need to assume that any information you give out anywhere on the internet is automatically public, so just be aware of what you're putting out there. this applies to everything, whether it be some free offer somewhere (or a scam claiming to be a free offer) or facebook/linkedin/etc or your own personal blog or website. just about any data you enter into the interwebs is able to be harvested by someone — even facebook freely admits to wanting to get as much information about you and your preferences (and your friends and their preferences) as possible so they can display more relevant advertising on the site unique to those preferences. google does the same sorts of things, only based on your search engine queries and the links you click (that's why buzz is such a big deal for them — more data about user preferences). and those guys are more benevolent than a lot of other people out there.

      basically, expect that anything you put out there can and will be used. if you gave your credit card number, expect charges that you didn't authorize and contact your bank/credit card company the minute you see anything suspicious (or request a new card). ditto with your cell phone number and unwanted text messages — if you start getting anything weird, contact your service provider. if you gave out your mailing address, expect lots of junk mail (more so than usual). if there was anything that requested/needed your paypal account info for, you may be up a creek — i've had some run-ins with paypal re: unauthorized purchases and they tend to side with the seller; as far as paypal is concerned, if the transaction was processed, you authorized it by putting your information in, regardless of whether it was you who finalized the purchase (in my case, someone got into my itunes store account and sent off 2 $200 gift cards to fake accounts. i was able to get my bank to stop payment/cancel the charges on one of those transactions for the amount that spilled over into my bank account, but i happened to have just under $200 in paypal at the time, and they refused to do the same service, saying they don't issue credit for "buyer remorse"). you may need to accept the fact that you will be getting more familiar with the hold music of various institutions as you call to cancel whatever you may have gotten inadvertently signed up for.

  8. I stupidly signed up for this too because I got it from someone I know and like to participate in studies. It sent a link out to all of my 100s of contacts. I didn't want any of them to sign up for it because the email was from me and they might trust it, so I sent them a message not to follow the link. Do you think they will keep getting hit with spam from that site or other sites? I feel so bad that they were all affected. I thought I'd be able to pick a few contacts or make up some email addresses or use my old ones. This is what I get for signing up for it in a tired, stupid state! I changed my password and security question on gmail. I just hope they don't all get hit with tons of more spam.

    1. the way i see this particular scheme working is a two-part system. the goal of the first part is to harvest as many email addresses as possible. once they have the email addresses, they can sell them in bulk to groups and organizations (read: spammers and marketers) to use in their campaigns. while increasingly the US has legislation to combat these sorts of things, from what a previous commenter posted earlier (after having found — if not the individual behind it — what appears to be someone connected to the scam), it looks like these guys are based in russia (or thereabouts), and therefore exempt from any US laws prohibiting unwanted email spam. so, since it's pretty much one of the primary objectives of the operation, i'd say it's fairly likely that all your contacts will start getting spam, too. the fact that you, me, and all of your contacts received the email at all means that we're all on a mailing list somewhere, and they're already using the addresses on that list (since we got the email in the first place). it's all going to come down to how good people's spam filters are. gmail's is, generally, pretty good, and i think a lot of spam — especially those that come from domains ending in .ru, .cn, .ck, etc — gets filtered out by default for being from out of the country.

      the second part of the system is to try to get some commission or other compensation once they've reeled you in, promising an iPad (or insert-other-gadget-here), and making you jump through a series of hoops ending (ultimately) in being required to sign up for some trial offer that they then get a referral bonus or affiliate payout for. from the scammer's standpoint, either way they win — even if you don't go to their site, they've still got your email address that they can sell thanks to whoever's contact list they got it from previously, and if you pay it forward — even if you don't fill out "online reward center" part — they've got all your contacts as well.

  9. I replied to the person who I got the initial message from. She said all she did was open the email and it seems to have sent the message "from her" to all of her contacts. I'm not sure how this is possible, but if it is it does seem like it's somehow obtaining users' contact lists (unless it's pulling them from buzz, as mentioned above). I guess I'll have to see if I start getting responses from people that they got a message from me like that, since I don't use buzz (it's disabled) and didn't do anything other than open the original email.

    1. i'm not sure how it works either, but that seems to be what happened to the person who sent it to me, too. i'm guessing that's where the "gmail hacking" comment i found on twitter comes in, although it still sort of bewilders my spidey-senses of internet security and plausibility. that said, there's a variety of places where you can find someone's contact lists, but my guess is that it would be restricted to specific networks — like gmail — where whatever email-address-gathering script would be able to work the same every time. someone's work or private domain email (presuming it doesn't use google apps) may not be affected (although we all know about macro-viruses that use microsoft office to plunder all your contacts in outlook). the emails i received didn't have a payload, though: there were no attachments and it was sent in plain text. possibly it would have had some effect if i opened it in gmail (i use google apps for one of the accounts it was sent to), but i didn't — i use outlook and pop3.
