Facebook Ads Lead Users to Fake Sites Stealing Credit Card Data

Facebook users have become targets of an extensive scam e-commerce network that employs hundreds of fraudulent websites to steal personal and financial information. These fake sites are designed to impersonate well-known brands and use deceptive advertising techniques to lure victims.

The researcher uncovered the campaign on April 17, 2024, and dubbed it “ERIAKOS” due to its reliance on a specific content delivery network (CDN) named oss.eriakos[.]com.

According to the report, these scam websites were only accessible via mobile devices and through ad lures, a strategy intended to bypass automated detection systems. The network consists of 608 fake websites, with the malicious activity occurring in short, intense bursts.
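Because every storefront in the network depends on the same CDN host, that host is a useful pivot for defenders hunting in web proxy logs. The sketch below is an added example, not code from the report: the log layout, the client addresses and the `.example` storefront names are constructed, and only the CDN host comes from the article.

```python
import csv
import io
from urllib.parse import urlsplit

CDN_IOC = "oss.eriakos[.]com"  # shared CDN host named in the report (defanged)

# Constructed sample proxy log, not real traffic; storefront names are placeholders.
SAMPLE_LOG = """time,client,host,referer,user_agent
2024-04-17T10:01:02Z,10.0.0.5,shop-deals.example,https://l.facebook.com/l.php?u=x,Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148
2024-04-17T10:01:03Z,10.0.0.5,oss.eriakos.com,https://shop-deals.example/product/1,Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148
2024-04-17T10:05:10Z,10.0.0.9,tools-sale.example,https://m.facebook.com/,Mozilla/5.0 (Linux; Android 14; Pixel 8) Mobile Safari/537.36
2024-04-17T10:05:11Z,10.0.0.9,OSS.ERIAKOS.COM,https://tools-sale.example/,Mozilla/5.0 (Linux; Android 14; Pixel 8) Mobile Safari/537.36
2024-04-17T10:07:00Z,10.0.0.7,news.example,,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0
2024-04-17T10:07:01Z,10.0.0.7,cdn.example,https://news.example/,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0
"""

def refang(indicator):
    """Turn a defanged indicator such as a[.]b into a comparable hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def ref_host(referer):
    """Hostname of a Referer value, or '' when it is absent or unparsable."""
    return (urlsplit(referer).hostname or "").lower()

def is_facebook(host):
    # Exact domain or a true subdomain, so look-alike hosts do not match.
    return host == "facebook.com" or host.endswith(".facebook.com")

def hunt(log_text, cdn_ioc=CDN_IOC):
    cdn = refang(cdn_ioc)
    rows = list(csv.DictReader(io.StringIO(log_text)))
    stores = {}
    # Pass 1: a request to the CDN names the embedding page in Referer,
    # which reveals a storefront domain that may not be on any blocklist yet.
    for r in rows:
        site = ref_host(r["referer"])
        if r["host"].lower() == cdn and site:
            entry = stores.setdefault(site, {"clients": set(), "fb_mobile_landings": 0})
            entry["clients"].add(r["client"])
    # Pass 2: count landings on those storefronts that match the reported
    # lure path (Facebook referrer plus a mobile User-Agent).
    for r in rows:
        entry = stores.get(r["host"].lower())
        if entry and is_facebook(ref_host(r["referer"])) and "Mobile" in r["user_agent"]:
            entry["fb_mobile_landings"] += 1
    return {d: {"clients": sorted(e["clients"]), "fb_mobile_landings": e["fb_mobile_landings"]}
            for d, e in sorted(stores.items())}

if __name__ == "__main__":
    for domain, info in hunt(SAMPLE_LOG).items():
        print(domain, info)
```

The Referer header can be stripped by a site's referrer policy, so an empty result does not rule out exposure; DNS logs for the CDN host are a useful second source.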

One of the most striking features of this sophisticated scheme is its exclusive focus on mobile users who encounter these fake sites through deceptive ads on Facebook. Some of these ads use time-limited discounts to entice users into clicking. The researcher reported that as many as 100 Meta Ads related to a single scam site were being served in a single day.

The fake websites and ads primarily mimic a major online e-commerce platform and a power tools manufacturer, tricking victims with false sales offers on products from well-known brands. Another key tactic used to draw in potential victims involves fake user comments on Facebook posts.

The merchant accounts and domains associated with these scam websites are reportedly registered in China, leading the researcher to suggest that the threat actors behind this campaign may have established a business in China to manage these fraudulent merchant accounts.

This isn’t the first time that cybercriminals have created fake e-commerce networks to steal credit card details and profit from fraudulent orders. In May 2024, a massive network of 75,000 fake online stores, named “BogusBazaar,” was discovered to have made over $50 million by selling counterfeit shoes and apparel from popular brands at low prices.

Just last month, Orange Cyberdefense revealed a previously unknown traffic direction system (TDS) called “R0bl0ch0n TDS.” This system is used to drive traffic to fake shops and sweepstakes sites in an effort to obtain credit card information through affiliate marketing scams.

In a related development, fake Google ads appearing in search results for Google Authenticator have been observed redirecting users to a rogue site that distributes an information-stealing malware named DeerStealer. What makes these ads particularly deceptive is that they seem to come from “google.com,” with the advertiser’s identity apparently verified by Google.

Malvertising campaigns have also been seen spreading other types of malware, including SocGholish (also known as FakeUpdates), MadMxShell, and WorkersDevBackdoor. Malwarebytes researchers discovered that the latter two share overlapping infrastructure, indicating they may be operated by the same group.

To avoid falling victim to these scams, be wary of clicking on ads offering deals that seem too good to be true, especially on social media platforms like Facebook.

Always verify the legitimacy of a website before entering any personal or financial information by checking the URL for inconsistencies or misspellings. Use secure payment methods and consider using a virtual credit card for online purchases.