Scam e-Commerce Campaign Steals Personal and Financial User Data via Facebook Ads

• Hundreds of ads on Facebook promote scam websites with false discounts for various items.
• The malicious campaign impersonates known brands and only targets mobile users lured in by the falsely low prices.
• The scammers ultimately steal the information victims enter on these fake websites, including payment card data.

Facebook users are targeted by a scam e-commerce network that uses 608 fake websites orchestrated by a single threat actor or group, as per the latest report from Recorded Future’s Payment Fraud Intelligence team. The actor used brand impersonation and malvertising tricks to steal personal and payment card data as well as victims’ funds.

The ads presented fictitious limited-time offers for various articles boasting incredibly low prices, and the scam websites promoted via the campaign’s Facebook ads screened their visitors, allowing users on mobile devices and blocking desktop users. This tactic helps evade automated detection systems.

The suspicious Facebook ads mostly impersonated a major e-commerce platform and a power tools manufacturer and used fake user comments on Facebook to add credibility.

The ERIAKOS campaign was detected on April 17, and the advertisements and scam platforms were meant to be short-lived, as hundreds of promoted posts flooded Meta’s social media platform. 

For instance, the advertising campaign included 220 ads for one of the domains associated with these scam advertisements, ‘aisicheh[.]com.’ These promoted posts often had duplicate comments for ads linked to different scam sites.

Facebook Ads occasionally blocked the scam advertisements and ultimately blocked the account responsible for the ad campaign.

All scam sites used the same content delivery network (CDN), oss[.]eriakos[.]com as, and two specific IP addresses (47[.]251[.]129[.]84 and 47[.]251[.]50[.]19) were consistently used. This led the security researchers to name the campaign ERIAKOS.

The scam domains were registered with Alibaba Cloud Computing Ltd. and exhibited specific misconfigurations between their main domains and www subdomains.

Merchant accounts behind these scam websites processed payments through major card networks and Chinese PSPs, adding another layer of complexity to the fraud and further complicating the detection and takedown efforts.