Your hacked Facebook account may be bankrolling scam ad campaigns
As Henry Lau slept on Oct. 15, hackers quietly took control of the ads manager page for his Facebook account. By 6:15 a.m. PT, Facebook had approved a widespread advertising campaign with a budget of $10,000 per day to promote a 13-second video in the US, Mexico and Australia.
Lau, who hadn’t taken out any Facebook ads in two years, had no idea that hackers were running up charges against his credit card until he got an alert that the ad campaign had been shut down, six hours later.
But Facebook didn’t stop the campaign because it was pushed by hackers, Lau said. Facebook shut it down because his credit card had expired, and he wasn’t able to pay for the ads.
“Had my credit card not been expired, they would have run the ads for $10,000 or more,” Lau said. “It could have been days before I found out.”
He said he “freaked out” once he saw what hackers were trying to charge on his account — and then he grew angry at how the fraud was allowed to play out under his name.
Lau isn’t the only person with growing frustrations over Facebook’s handling of fraudulent ads. The more than 2.45 billion people who log on to Facebook each month make an attractive target for ads with malicious links, and hijacking someone else’s ad account has become an increasingly popular way for an online criminal to bankroll such a scam for free.
It’s led to a lot of headaches for the victims. Some ad account owners affected by these hacks have found little help from Facebook and have complained that the tech giant isn’t doing much to prevent these attacks. In July, Digital Trends detailed several cases in which Facebook’s customer support failed to help people whose ad accounts had been taken over.
Another blogger described how hackers took over his Facebook account and started running ads at £1,200 (about $1,550) per day, and how he didn’t get an alert until PayPal notified him about the transaction.
“This is, and has been growing to be, an even more viable opportunity for fraudsters and cybercriminals,” said Emily Wilson, vice president of research for data protection service provider Terbium Labs. “There’s a lot of people on Facebook, and they’re often interacting with it quite mindlessly. Cybercriminals only need a small percentage of people to click on the wrong ad.”
Facebook said that it takes measures to prevent these kinds of hacks and also keeps a close watch for any ads that lead to malware. When it approves an ad, the company said, it checks the website that the post leads to and will ban people who direct viewers to malware.
“Linking to landing pages containing malware is against our policies. When we find bad actors using techniques like cloaking to avoid our reviews, we immediately take action and remove their ability to advertise on Facebook,” a company spokesperson said in an email.
Facebook has taken several measures to protect people from ad scams, like rolling out tools to report these schemes in the UK. To prevent foreign election interference, Facebook added a new authorization process for political ads, in which you need to verify your identity and mailing address.
But hackers have been able to circumvent these protections by taking over people’s accounts instead and running ads under someone else’s name. And even if the campaigns are banned within hours, cybercriminals have found that they’re able to trick hundreds of people on Facebook within that window.
Using ‘free money’ to commit fraud
The ad posted using Lau’s ads account was a video clip of a toy wagon for kids and purposely listed with a pricing error — showing five items for the normal price and one item “accidentally” listed at 99 cents. Lau said it was designed to make people want to click and buy something immediately, taking advantage of the low prices and perceived mistake.
Though the ads weren’t promoting any real products, they were doing something valuable for hackers: The fake sale site had credit card skimmers embedded on it, Lau said. People rushing for a deal online would instead end up giving away their credit card information to hackers.
Lau, whose account was taken over after a compromise at a third party, said the posts reached 64,784 people before Facebook shut them down. The price for reaching tens of thousands of people: $915.95, or $38.16 for each of the 24 promoted posts.
Because Facebook’s tracking pixel reports conversions on the landing page back to the ad account, Lau got a rare inside view of how effective this scam is. More than 3,000 people clicked on the ads, and 813 people added their payment information on the website, according to metrics from Facebook. A small handful actually went through with trying to purchase the fake item, he said.
“They ended up ripping off at least 24 people in the hour or so that it ran,” Lau said. “They’re essentially using free money from stolen Facebook accounts to then commit credit card fraud.”
Lau isn’t a stranger to the ad industry. He runs Privolta, a company he co-founded that specializes in privacy-focused ads. He said that the ad industry suffers anytime fraudulent ads slip through and that Facebook should be putting in better protections to prevent these scams.
After the hackers launched the $10,000-a-day campaign, Lau saw there was a warning on the checkout page.
“You’ve set a daily budget that is significantly greater than the average on this account ($231.59). If this was intentional, please ignore this warning,” read the Facebook note. To him, the warning showed that Facebook already has a check that flags anomalous spending on an account, but that the check only warns rather than holding the campaign or the payment.
“Clearly, if they wanted to, they could,” Lau said. “But the problem then becomes, it stops them from printing money. It slows that process.”
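The gap Lau is pointing at is the difference between a warning and a gate. The following is an added example, not Facebook's code and not something the article describes Facebook doing: a pre-approval check that combines the budget-vs-account-average signal from the warning above with two other takeover indicators the story mentions (an account that has run nothing for years, and targeting of countries the account never advertised in) and holds the campaign for re-authentication when more than one signal fires. The threshold values, field names and the sample account histories are assumptions constructed for illustration; the 231.59 average is only chosen to match the figure in Facebook's note.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Added example, not Facebook's code. Thresholds are illustrative assumptions.
BUDGET_MULTIPLIER = 5.0          # flag a budget more than 5x the account's historical average
DORMANCY = timedelta(days=365)   # flag an account with no campaign in the last year
REVIEW_DATE = date(2019, 10, 15)  # the morning the hijacked campaign was approved


@dataclass(frozen=True)
class Campaign:
    start: date
    daily_budget: float
    countries: frozenset


@dataclass
class AdAccount:
    history: list  # previously approved Campaign objects for this account


def takeover_signals(account, proposed, today):
    """Return the list of anomaly reasons for a proposed campaign (empty if none)."""
    reasons = []

    # Signal 1: the same check behind Facebook's "significantly greater than the average" note.
    budgets = [c.daily_budget for c in account.history]
    avg = mean(budgets) if budgets else 0.0
    if avg and proposed.daily_budget > BUDGET_MULTIPLIER * avg:
        reasons.append(
            f"daily budget {proposed.daily_budget:.2f} is "
            f"{proposed.daily_budget / avg:.1f}x the account average of {avg:.2f}"
        )

    # Signal 2: a dormant account suddenly spending is typical of a hijack.
    last_start = max((c.start for c in account.history), default=None)
    if last_start is None or today - last_start > DORMANCY:
        reasons.append("no campaign on this account in the last year")

    # Signal 3: targeting countries the account has never advertised in.
    seen = set().union(*(c.countries for c in account.history))
    unseen = proposed.countries - seen
    if unseen:
        reasons.append("targets countries never used before: " + ", ".join(sorted(unseen)))

    return reasons


def review_decision(account, proposed, today):
    """Approve only when nothing is anomalous. One signal produces a warning;
    two or more hold the campaign until the owner re-authenticates (e.g. a
    second factor or a fresh card verification) instead of approving first."""
    reasons = takeover_signals(account, proposed, today)
    if len(reasons) >= 2:
        return "hold_for_reauth", reasons
    if reasons:
        return "warn", reasons
    return "approve", reasons


# Constructed sample data (not Lau's actual account records).
DORMANT_ACCOUNT = AdAccount(history=[
    Campaign(date(2017, 6, 1), 200.00, frozenset({"US"})),
    Campaign(date(2017, 8, 15), 250.00, frozenset({"US"})),
    Campaign(date(2017, 9, 1), 244.77, frozenset({"US"})),   # average works out to 231.59
])
ACTIVE_ACCOUNT = AdAccount(history=[
    Campaign(date(2019, 10, 1), 231.59, frozenset({"US"})),
])
HIJACK_ATTEMPT = Campaign(REVIEW_DATE, 10000.00, frozenset({"US", "MX", "AU"}))
ROUTINE_CAMPAIGN = Campaign(REVIEW_DATE, 300.00, frozenset({"US"}))

if __name__ == "__main__":
    for label, account, campaign in (
        ("dormant account, $10k/day, three countries", DORMANT_ACCOUNT, HIJACK_ATTEMPT),
        ("dormant account, routine budget", DORMANT_ACCOUNT, ROUTINE_CAMPAIGN),
        ("active account, routine budget", ACTIVE_ACCOUNT, ROUTINE_CAMPAIGN),
    ):
        decision, why = review_decision(account, campaign, REVIEW_DATE)
        print(f"{label}: {decision}")
        for reason in why:
            print("  -", reason)
```

Run stand-alone, the hijack scenario comes back as a hold with all three reasons listed, while the same routine budget on an active account is approved with no signals. The point of the design is that the anomaly logic already exists (Facebook displayed it); what changes is that the outcome is a hold requiring the account owner to prove presence, which costs a legitimate advertiser one extra step and costs the attacker the window in which the ads run.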
Hackers have coveted Facebook accounts for years, often selling them to cybercriminals online, Wilson said. The older an account is, the more valuable it is, she said.
She’s found markets where people will set up Facebook accounts and have them lie dormant for five or six years, then sell them in bulk to potential scammers. Older accounts are more valuable because Facebook’s fraud detection algorithm is often looking for brand-new accounts, she said.
But the supply of fake accounts might not meet the demand; not all cybercriminals have time to wait for a dormant account to become available. That’s when they turn to real ad accounts, where everything has already been set up for them.
Wilson said that with live accounts, cybercriminals have control only until victims realize they’ve been hacked. As Lau saw, sometimes just a few hours is all a dedicated scammer needs.
“The way Facebook is designed, and we’ve seen this play out with serious ramifications, is that it’s really easy to run ads for whatever you want,” Wilson said. “Facebook’s model is to approve first and ask questions later.”