Schakolad Chocolate Factory bills itself as "Chocolates to Live By". And judging by the 5-star reviews on the Web, the chocolate franchise must live up to expectations. But there's a dark side to this free Schakolad offer, and it's not their chocolate - it's a spam campaign run by homerun.com that hijacks your contact list and sends the following email to everyone in it:
<hijacked sender> sent you a free:
Chocolate Truffles from Schakolad Chocolate Factory
The email goes on to warn that you have only 48 hours to claim your gift (the classic sense of urgency scammers use to try to propel you into action). If you click through to "claim your gift", you'll be taken to a login screen that requires your webmail username and password.
If you provide them (which you must do to actually log in), everyone in your webmail contact list will be sent the same scam email. For all intents and purposes, the homerun.com scam is nothing more than a manually driven email worm. What's worse than having everyone in your contact list spammed? The fact that by logging in to the homerun.com site, you've just given scammers the username and password to your webmail account - which means they can log in at any time, sift through your mail, send out other spam, and view any sensitive emails you might have stored in the account.
Homerun.com tries to gain legitimacy by claiming it was featured on websites such as ABC, The New York Times, and CNN Money. Of course, those claims are bogus. The only legitimate sites that are "featuring" homerun.com are those that are calling out the scam.
If you've been the victim of the homerun.com scam, first check your email notification settings to ensure those haven't been altered to direct any change notices to the scammers. Then change your password and send your contacts a word of warning about the scam so they too don't become victims.
Oh, and one more thing. Just by clicking the "claim your gift" button in the homerun email, you'll automatically be subscribed to their spam mailing list.