Facebook users are being targeted by a fraudulent e-commerce network that uses hundreds of fake websites to impersonate brands and malvertising tricks to steal personal and financial data.
Recorded Future’s Payment Fraud Intelligence team discovered this campaign on April 17, 2024 and named it ERIAKOS due to its use of the same content delivery network (CDN), oss.eriakos(.)com.
“These fraudulent sites were only accessible on mobile devices and through advertising lures, a tactic intended to evade automated detection systems,” the company said, noting that the network consisted of 608 fraudulent websites and that the activity spanned several short-term waves.
What’s notable about this sophisticated campaign is that it exclusively targets mobile users who land on the scam sites through Facebook ad leads, some of which offer limited-time discounts to lure users into clicking. According to Recorded Future, up to 100 Meta ads related to a single scam site are served per day.
Fake websites and advertisements have been found to mainly pose as major online e-commerce platforms and power tool manufacturers, targeting victims with fake sales offers for various well-known branded products. Another key distribution mechanism is the use of fake user comments on Facebook to lure potential victims.
“The merchant accounts and associated domains linked to the fraudulent sites were registered in China, indicating that the threat actors running this campaign have likely established businesses in China that they use to manage the fraudulent merchant accounts,” Recorded Future noted.
This is not the first time that a criminal e-commerce network has emerged with the aim of harvesting credit card information and making illicit profits from fake orders. In May 2024, a large network of 75,000 fake online stores called BogusBazaar was discovered to have made more than $50 million by advertising name-brand shoes and apparel at low prices.
And last month, Orange Cyberdefense exposed a previously undocumented Traffic Direction System (TDS) called R0bl0ch0n TDS that was being used to facilitate affiliate marketing fraud through a network of fake shops and sweepstakes survey sites with the goal of obtaining credit card information.
“Given that several different vectors were used for the initial distribution of URLs redirected through the R0bl0ch0n TDS, these campaigns are likely being carried out by different affiliated groups,” security researcher Simon Burnin said.
The development comes after fake Google ads that appear when searching for Google Authenticator on the search engine were found to redirect users to a malicious site (“chromeweb-authenticators(.)com”) that delivers a Windows executable hosted on GitHub, ultimately installing an information stealer called DeerStealer.
According to Malwarebytes, the ads appear legitimate because they appear to come from “google.com” and the identity of the advertiser has been verified by Google, and “unidentified individuals have successfully impersonated Google and distributed malware disguised as Google-branded products.”
Malvertising campaigns have also been observed spreading a variety of other malware families, including SocGholish (aka FakeUpdates), MadMxShell, and WorkersDevBackdoor. Malwarebytes has found infrastructure overlaps between the latter two, suggesting they are likely run by the same threat actor.
Additionally, advertisements for Angry IP Scanner were used to direct users to fake websites, and the email address “goodgoo1ge@protonmail(.)com” was used to register domains delivering both MadMxShell and WorkersDevBackdoor.
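The two pivots described in this article, the shared CDN host oss.eriakos(.)com behind the ERIAKOS storefronts and the shared registrant e-mail goodgoo1ge@protonmail(.)com behind the MadMxShell and WorkersDevBackdoor domains, are instances of the same defender technique: cluster domains by infrastructure values they have in common. The Python below is an added example, not code from Recorded Future, Malwarebytes or this article; its domain records are constructed for illustration, and only the two indicator strings (defanged) come from the article. It first lists every indicator shared by two or more domains, then links domains transitively with a union-find so that a chain of overlaps (A shares a CDN with B, B shares a registrant with C) lands in one cluster.

```python
from collections import defaultdict

# Constructed sample records (not the article's data set). The two indicator
# values oss.eriakos[.]com and goodgoo1ge@protonmail[.]com are the ones the
# article names, defanged; every domain and other value is made up.
SAMPLE_RECORDS = [
    {"domain": "tool-deals-a[.]example", "cdn_host": "oss.eriakos[.]com", "registrant_email": "reg-a@mail.invalid"},
    {"domain": "tool-deals-b[.]example", "cdn_host": "oss.eriakos[.]com", "registrant_email": "reg-b@mail.invalid"},
    {"domain": "tool-deals-c[.]example", "cdn_host": "oss.eriakos[.]com", "registrant_email": "reg-b@mail.invalid"},
    {"domain": "scanner-dl-x[.]example", "cdn_host": "cdn-x[.]example", "registrant_email": "goodgoo1ge@protonmail[.]com"},
    {"domain": "scanner-dl-y[.]example", "cdn_host": "cdn-y[.]example", "registrant_email": "goodgoo1ge@protonmail[.]com"},
    {"domain": "unrelated-site[.]example", "cdn_host": "cdn-z[.]example", "registrant_email": "reg-z@mail.invalid"},
]

# Fields treated as pivotable infrastructure indicators (assumed field names).
PIVOT_FIELDS = ("cdn_host", "registrant_email")


def shared_indicators(records, fields=PIVOT_FIELDS):
    """Map (field, value) -> sorted domains for every value used by 2+ domains."""
    seen = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if value:
                seen[(field, value)].add(rec["domain"])
    return {key: sorted(domains) for key, domains in seen.items() if len(domains) > 1}


def cluster_domains(records, fields=PIVOT_FIELDS):
    """Union-find over shared indicators: any chain of overlaps joins domains into one cluster.

    Returns a list of clusters (each a sorted list of domains), ordered by first domain.
    """
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(d):
        # Path halving keeps the tree shallow.
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    def union(a, b):
        parent[find(a)] = find(b)

    for domains in shared_indicators(records, fields).values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(list)
    for d in parent:
        clusters[find(d)].append(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


if __name__ == "__main__":
    for (field, value), domains in shared_indicators(SAMPLE_RECORDS).items():
        print(f"{field}={value} shared by {len(domains)} domains: {domains}")
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", cluster)
```

On the constructed data this yields three clusters: the three storefronts tied together by the CDN host (and two of them additionally by a registrant address), the two downloader domains tied by the registrant e-mail, and the unrelated site on its own. In practice the records would come from passive DNS and WHOIS lookups, and a cluster that contains one confirmed malicious domain is a candidate list for blocking or for a proactive hunt.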
“Both malware payloads are capable of collecting and stealing sensitive data and provide a direct intrusion path to the initial access brokers involved in deploying the ransomware,” said security researcher Jerome Segura.