August 1, 2024 at 03:12AM
Facebook users are being targeted by a scam e-commerce network using fake websites to steal personal and financial data through malvertising. The campaign, known as ERIAKOS, targets mobile users with ad lures on Facebook, impersonating well-known brands. Similar criminal networks have been identified, indicating a growing trend in online fraud and malvertising.
From the meeting notes, the key takeaways are:
– A scam e-commerce network is targeting Facebook users through fake websites to steal personal and financial data using brand impersonation and malvertising tricks.
– Recorded Future’s Payment Fraud Intelligence team discovered the campaign, named ERIAKOS, on April 17, 2024, noting that the fraudulent sites were accessible only through mobile devices and ad lures to evade automated detection systems.
– The network comprised 608 fraudulent websites and targeted mobile users who accessed the scam sites via ad lures on Facebook, with some relying on limited-time discounts to entice users.
– The counterfeit websites impersonate major online e-commerce platforms and a power tools manufacturer, and use fake user comments on Facebook to lure potential victims. Merchant accounts and related domains linked to the scam websites are registered in China.
– Other criminal e-commerce networks discovered include BogusBazaar, a network of 75,000 phony online stores, and R0bl0ch0n TDS, a traffic direction system used to promote affiliate marketing scams.
– Fake Google ads, seemingly legitimate and verified by Google, have been observed redirecting users to a rogue site that delivers malware disguised as a branded Google product.
– Malvertising campaigns have been spotted disseminating various malware families such as SocGholish, MadMxShell, and WorkersDevBackdoor, with infrastructure overlaps between the latter two indicating they are likely run by the same threat actors.
– Additionally, ads for Angry IP Scanner have been used to lure users to fake websites, and the email address “goodgoo1ge@protonmail[.]com” has been used to register domains delivering malware.
These takeaways provide a comprehensive overview of the online fraud and malvertising activities discussed in the meeting notes.
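The evasion noted above (fraudulent pages served only to mobile visitors arriving through ad lures, so a desktop crawler never sees them) is the kind of cloaking a detection pipeline can test for directly. The following is an added example, not code from the report or from Recorded Future: it fetches one URL under several client profiles and flags the URL when the responses diverge. The profile names, the user-agent and referrer strings, the similarity threshold and the simulated cloaked site are all constructed for illustration.

```python
"""Detect user-agent / referrer cloaking on a suspected scam storefront.

Added example (not from the report). A crawler that visits with a single
desktop profile will only ever see the benign decoy page of a cloaked site.
Fetching the same URL under several client profiles and comparing the
bodies exposes the divergence.
"""
from difflib import SequenceMatcher
from typing import Callable, Dict
import urllib.request

# Client profiles to crawl with. Constructed: UA strings are illustrative,
# not exact browser strings; the Referer mimics a click-through from an ad.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) DesktopBrowser/1.0",
                "Referer": ""},
    "mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile/1.0",
               "Referer": ""},
    "mobile_ad_lure": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile/1.0",
                       "Referer": "https://l.facebook.com/"},
}

# A fetcher takes (url, headers) and returns the response body as text.
Fetcher = Callable[[str, Dict[str, str]], str]


def similarity(a: str, b: str) -> float:
    """Normalized similarity of two page bodies in [0.0, 1.0]."""
    return SequenceMatcher(None, a, b).ratio()


def detect_cloaking(url: str, fetch: Fetcher, threshold: float = 0.8) -> dict:
    """Fetch `url` under every profile; flag it if any body diverges from
    the desktop baseline by more than the (hypothetical) threshold."""
    pages = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    baseline = pages["desktop"]
    scores = {name: similarity(baseline, body) for name, body in pages.items()}
    divergent = [name for name, score in scores.items()
                 if name != "desktop" and score < threshold]
    return {"url": url, "cloaked": bool(divergent),
            "divergent_profiles": divergent, "scores": scores}


def http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real fetcher for live use (not exercised offline)."""
    req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# --- Constructed simulations standing in for real sites -------------------
DECOY_PAGE = "<html><body><h1>Coming soon</h1><p>Site under construction.</p></body></html>"
SCAM_PAGE = ("<html><body><h1>Brand Outlet</h1>"
             "<p>Limited time: 90% off all power tools. Offer ends in 10 minutes.</p>"
             "<form action='/checkout'>Card number: <input name='cc'></form>"
             "</body></html>")


def simulated_cloaked_fetch(url: str, headers: Dict[str, str]) -> str:
    """Mimics a cloaked storefront: the scam page is served only to a mobile
    client that arrived via the ad referrer; everyone else gets the decoy."""
    is_mobile = "Mobile" in headers.get("User-Agent", "")
    from_ad = "facebook" in headers.get("Referer", "")
    return SCAM_PAGE if (is_mobile and from_ad) else DECOY_PAGE


def simulated_honest_fetch(url: str, headers: Dict[str, str]) -> str:
    """Control: a site that serves the same content to every client."""
    return DECOY_PAGE


if __name__ == "__main__":
    for name, fetcher in (("cloaked", simulated_cloaked_fetch),
                          ("honest", simulated_honest_fetch)):
        print(name, detect_cloaking("https://shop.example/", fetcher))
```

To use this against a real crawl queue, pass `http_fetch` instead of the simulated fetcher; a site that is flagged as cloaked is worth a closer look, and the `divergent_profiles` list tells the analyst which client conditions unlock the hidden content.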