Deceptive Facebook Advertisements Result in Fraudulent Websites Stealing Credit Card Details

Aug 01, 2024Ravie LakshmananOnline Fraud / Malvertising


Individuals using Facebook as a social platform are being targeted by a fraudulent online shopping network that operates multiple bogus websites with the intention of stealing personal and financial details through impersonation of well-known brands and deceptive advertising techniques.

Recorded Future’s Payment Fraud Intelligence team identified the operation on April 17, 2024, and named it ERIAKOS after the oss.eriakos[.]com content delivery network (CDN) the sites use.

“These deceitful websites were exclusively reachable via mobile devices and advertisement enticements, a strategy designed to bypass automated detection systems,” the company said in a statement. It noted that the network consisted of 608 fake websites and that the scheme unfolded in several short-lived phases.

A notable aspect of the scheme is its exclusive focus on mobile users who reach the fraudulent websites through Facebook ads, some of which advertise time-limited discounts to lure users into clicking. Recorded Future said that up to 100 Meta Ads tied to a single fraudulent website are served daily.
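The gating described above (pages served only to mobile browsers arriving from an ad click) is detectable by fetching the same URL under several client profiles and comparing what comes back. The following differential-fetch check is an added example for this article; it is not code from Recorded Future or the campaign. The client profiles, the `Fetched` type and the two stand-in fetchers (`fake_cloaked_site`, `fake_uniform_site`) are constructed for the demo; the URL `https://example.invalid/shop` is a placeholder.

```python
"""Differential fetch check for ad-cloaked storefronts (added example)."""
from dataclasses import dataclass
import hashlib
import re
import urllib.error
import urllib.request

# Client profiles to compare. The profile set is an assumption of this
# example: a desktop baseline, a mobile browser, and a mobile browser that
# claims to arrive from Facebook.
PROFILES = {
    "desktop_direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/126.0 Safari/537.36",
    },
    "mobile_direct": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1",
    },
    "mobile_facebook": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1",
        "Referer": "https://m.facebook.com/",
    },
}


@dataclass
class Fetched:
    status: int
    body: str


def fingerprint(body: str) -> str:
    """Hash a page after removing volatile fragments (digits, whitespace) so two
    renderings that differ only in nonces or timestamps compare equal."""
    stripped = re.sub(r"\d+|\s+", "", body)
    return hashlib.sha256(stripped.encode("utf-8")).hexdigest()[:16]


def urllib_fetch(url: str, headers: dict, timeout: int = 10) -> Fetched:
    """Real fetcher for live use; the embedded demo does not call it."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Fetched(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Fetched(err.code, err.read().decode("utf-8", "replace"))


def assess_cloaking(url: str, fetch, baseline: str = "desktop_direct") -> dict:
    """Fetch `url` once per profile and report which profiles see content
    that differs from the desktop baseline."""
    per_profile = {}
    for name, headers in PROFILES.items():
        r = fetch(url, headers)
        per_profile[name] = {"status": r.status, "digest": fingerprint(r.body)}
    base = per_profile[baseline]
    gated = [
        name for name, seen in per_profile.items()
        if name != baseline
        and (seen["status"] != base["status"] or seen["digest"] != base["digest"])
    ]
    return {
        "url": url,
        "per_profile": per_profile,
        "gated_profiles": gated,
        "verdict": "cloaked" if gated else "uniform",
    }


# Constructed stand-in for a gated storefront: only a mobile browser arriving
# from Facebook gets the shop page; everyone else gets a 404 stub.
def fake_cloaked_site(url: str, headers: dict) -> Fetched:
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Mobile" in ua and "facebook.com" in ref:
        return Fetched(200, "<html><title>Flash Sale 80% off</title>"
                            "<form id=checkout>card number</form></html>")
    return Fetched(404, "<html><body>Not Found</body></html>")


# Constructed stand-in for an ordinary site: same page for every client,
# differing only in a timestamp that fingerprint() ignores.
def fake_uniform_site(url: str, headers: dict) -> Fetched:
    stamp = 1722470400 + len(headers.get("User-Agent", ""))
    return Fetched(200, f"<html><body>Hello <span id=ts>{stamp}</span></body></html>")


if __name__ == "__main__":
    for label, fetcher in (("cloaked", fake_cloaked_site), ("uniform", fake_uniform_site)):
        report = assess_cloaking("https://example.invalid/shop", fetcher)
        print(label, report["verdict"], report["gated_profiles"])
```

A "uniform" verdict is not a clean bill: sites can also key on source IP geolocation, ad-click query parameters, or a JavaScript challenge, none of which this header-only comparison exercises. Extend `PROFILES` (or the fetcher) with whichever signal the triage shows the site reacting to.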


The counterfeit websites and ads predominantly imitate a major online shopping platform and a manufacturer of power tools, attempting to deceive victims with falsified sales offers for products from various reputable brands. Another key method of distribution involves the use of misleading user comments on Facebook to attract potential victims.

“The merchant accounts and associated domains linked to the fraudulent websites are registered in China, indicating that the threat actors managing this scheme most likely set up the business operations for handling the deceptive merchant accounts in China,” as highlighted by Recorded Future.

This isn’t the first instance where illicit e-commerce networks have emerged with the goal of harvesting credit card information and profiting from bogus transactions. In May 2024, a large network of 75,000 fake online stores – referred to as BogusBazaar – was discovered making over $50 million by advertising footwear and clothing from reputable brands at discounted prices.

Separately, Orange Cyberdefense recently detailed a previously undocumented traffic distribution system (TDS) named R0bl0ch0n TDS, used to promote affiliate marketing scams through a network of fake online shops and sweepstakes survey sites, all aimed at harvesting credit card data.

“Multiple distinct channels are used for the initial propagation of the URLs redirected through the R0bl0ch0n TDS, suggesting that these operations are likely carried out by various affiliates,” mentioned security researcher Simon Vernin in a report.

As part of this trend, counterfeit Google advertisements shown when searching for Google Authenticator have been observed directing users to a rogue website named “chromeweb-authenticators[.]com,” which distributes a Windows executable hosted on GitHub, ultimately delivering an information-stealing malware called DeerStealer.

The ads look authentic because they are presented as coming from “google.com” and carry an advertiser identity verified by Google, Malwarebytes said, noting that “an unidentified individual managed to impersonate Google successfully, pushing malicious software disguised as an official Google product.”

Malvertising campaigns have also been observed distributing malware families such as SocGholish (also known as FakeUpdates), MadMxShell, and WorkersDevBackdoor, with infrastructure overlaps between the latter two suggesting they are possibly operated by the same threat actors.

Furthermore, ads promoting Angry IP Scanner have been utilized to lure individuals to bogus websites, with the email address “goodgoo1ge@protonmail[.]com” being connected to domain registrations delivering both MadMxShell and WorkersDevBackdoor malware.

“Both malware payloads have the ability to acquire and steal sensitive information, as well as providing a direct pathway for initial access brokers involved in ransomware activities,” noted security researcher Jerome Segura in a statement.
