Author: Paul Cronin, Co-Founder of Rootshell

Phishing scammers, we generally assume, use email as the delivery mechanism to their target audience. Most of them take the scattergun approach rather than a targeted one (spear phishing), because they are generally lazy unless they have a good, targeted data source to use.

Wouldn't it be great for them to have good, targeted data and to know their target audience's product interests? They could run a specific spear-phishing "marketing campaign" against a group of individuals with the same interests and get good results!

Well, Meta is currently giving them the platform to launch exactly such attacks across Facebook and Instagram: sponsored, in-platform ads that target users and advertise fake brand stores.

I'm not sure if the recent layoffs within Meta have contributed to this lack of awareness of this type of activity, but it's clearly happening on a regular basis within Meta. In the last month I've spotted multiple sites; examples include Volcom, a surf brand, and Helly Hansen, an outdoor clothing company.

What's concerning is that these ads are delivered on a platform that people generally trust, and they are targeted based on the intended victim's interests (mine being surfing and the outdoors).

Let's look at one of the ads that appeared in my feed for Helly Hansen.

[Screenshot: phish1, the sponsored Helly Hansen ad]

90% off. Wow, sounds too good to be true, right? Notice only 1 comment but 144 likes. I believe that when posting ads on Facebook the poster has the ability to delete comments.

With winter coming in the UK, I could do with a new jacket. Let's click on the link and have a look at the bargains on the site.

[Screenshot: phish2, the fake Helly Hansen shop]

The general hook on these sites is that they are closing down an outlet store or that the products are last season's. For example, they offer a $182 jacket for $18. Just too good to be true.

The thing about this site is that it's generally a perfect clone: there are no spelling mistakes, the site looks and feels real, and you weren't sent it via an email. You clicked on an ad on a trusted social media platform, right?

Typical lazy phishing mistakes are still present in this example, though: they haven't used a great domain name. The fake Helly Hansen site is called laudepp.com. The phishers lose some marks here and get only a C- for this. They have obviously used an SSL certificate (without one you wouldn't get to the site with modern browsers these days), but they could have used a domain name similar to the brand.

Let's take a look at the DNS and domain registration records for laudepp.com.

[Screenshot: phish3, DNS and registration records for laudepp.com]

We can see that the domain was registered recently, on 15-9-23. Not phishy at all. Oh, and we can also see that it's registered in Guangdong, China.
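The two registration checks made by eye above (how new the domain is, and whether it is the brand's own domain or something unrelated like laudepp.com) are easy to automate for anyone triaging suspicious ads. The following is an added example and not code from the post or from Rootshell: it parses an RDAP-style JSON record and scores the domain. The RDAP record is constructed for illustration (the registration date and the Guangdong, China registrant location match what the post describes; every other field, the 30-day threshold, the observation date and the assumed official brand domain `hellyhansen.com` are assumptions). No network lookup is performed; in practice the record would come from the registry's RDAP service.

```python
import json
from datetime import date, datetime

# Constructed RDAP-style record for laudepp.com. Only the registration date
# and registrant region/country follow the post; the rest is made up.
SAMPLE_RDAP = json.dumps({
    "ldhName": "laudepp.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-09-15T08:12:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-09-15T08:12:00Z"},
    ],
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["fn", {}, "text", "REDACTED FOR PRIVACY"],
             # jCard adr: pobox, ext, street, locality, region, postcode, country
             ["adr", {}, "text", ["", "", "", "Guangzhou", "Guangdong", "", "CN"]],
         ]]},
    ],
})

NEW_DOMAIN_DAYS = 30  # assumed threshold: a "brand outlet" only weeks old is a red flag


def parse_rdap(raw: str) -> dict:
    """Extract domain name, registration date and registrant country from RDAP JSON."""
    rec = json.loads(raw)
    created = None
    for ev in rec.get("events", []):
        if ev.get("eventAction") == "registration":
            # Python < 3.11 fromisoformat() rejects a trailing "Z", so normalise it
            created = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00")).date()
    country = None
    for ent in rec.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "adr":
                    country = prop[3][6]
    return {"domain": rec.get("ldhName", "").lower(), "created": created,
            "registrant_country": country}


def assess(info: dict, observed_on: date, brand: str, official_domain: str) -> dict:
    """Flag a domain advertised as `brand` that is new and/or not the brand's own domain."""
    flags = []
    age = (observed_on - info["created"]).days if info["created"] else None
    if age is None:
        flags.append("no registration date in record")
    elif age < NEW_DOMAIN_DAYS:
        flags.append(f"domain registered only {age} days ago")
    if info["domain"] != official_domain.lower():
        if brand.lower().replace(" ", "") in info["domain"].replace("-", ""):
            flags.append("lookalike domain containing the brand name")  # e.g. volcomforsale.shop
        else:
            flags.append("domain unrelated to the advertised brand")    # e.g. laudepp.com
    return {"domain": info["domain"], "age_days": age,
            "registrant_country": info["registrant_country"], "flags": flags,
            "verdict": "suspicious" if flags else "no obvious red flags"}


def assess_sample() -> dict:
    # Observation date is an assumption chosen to be a few weeks after registration.
    return assess(parse_rdap(SAMPLE_RDAP), date(2023, 10, 10),
                  brand="Helly Hansen", official_domain="hellyhansen.com")


if __name__ == "__main__":
    for line in (f"{k}: {v}" for k, v in assess_sample().items()):
        print(line)
```

Run as-is it reports laudepp.com as 25 days old, registered in CN, with two flags (new domain, unrelated to the brand) and a verdict of "suspicious". The same `assess` call with a domain such as the post's volcomforsale.shop would instead trip the lookalike flag, which is the other shape these fake shops take.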

OK, we know this is very phishy, so let's see what other ads they have running on Meta (Facebook and Instagram).

[Screenshot: phish4, the other ads running from the same advertiser]

Wow, three of them are running, so let's report it to Meta; I'm sure they will want this removed from their platform ASAP! Well, you would think that, but I reported the advert three times as a scam/fraud site and it still kept appearing in my news feed.

When you report a scam or fraudulent site within Meta you receive the message below, telling you that the ad will continue to be shown while it's reviewed. They also inform you that you will be notified once it has been reviewed.

[Screenshot: phish5, Meta's message after reporting the ad]

In the screenshot below you can see me reporting the ad. Notice that one advertiser is called "Helly Deals" and the other "Helley Hanson".

[Screenshot: phish6, reporting the two ads]

I contacted Helly Hansen directly via their official website and we had an exchange of emails. I sent them a detailed report and they were very quick to respond, notifying their legal team and highlighting that they, like other high-brand retailers, have experienced this before. Good work, Helly Hansen.

[Screenshot: phish7]

I also contacted Volcom (a surf wear clothing company), for whom the phishers also had a fake site operating on the same server (this one had a better domain name, volcomforsale.shop). I had a few issues trying to report this to Volcom, receiving only an automatic reply, but eventually got a response from them.

[Screenshot: phish12, Volcom's response]

Interestingly, they also report these sites to Google as well as reporting the ads to Meta. Google does have a lot of power over internet browsing and shares data on "dangerous sites" with other browsers such as Firefox and Safari, but they are not the internet police.

24 hours later, let's see if Meta has confirmed whether this is a phishing site.

Nope, the site is still being reviewed. Not great, Meta!

Let's take a look at the website today. Is it still active?

It is, but everything (well, mostly everything) relating to Helly Hansen has now been removed, and laudepp.com now claims to be a legitimate clothing business!

[Screenshot: phish8, laudepp.com after the Helly Hansen content was removed]

Just over 26 hours after reporting the sites I got the following message from Meta:

[Screenshot: phish9, Meta's review outcome]

Great, so they have removed this one ad, and a few hours later the Volcom one was removed as well (I wonder how many people got scammed into placing orders through those particular ads).

After I had interacted with the ad, the Facebook algorithm started sending me loads of similar fake sponsored ads, including more for Helly Hansen, Volcom and other related brands, which continue to appear in my feed.

A quick look at the tweets about this kind of phish, together with the sites I've seen myself, shows that other brands are seeing this as a common trend on Meta.

[Screenshot: phish10, tweets about similar fake ads]

And it isn't uncommon to see consumers being tricked by this "clever" scam:

[Screenshot: phish11, consumers reporting being scammed]

I would personally agree with the tweet above, "Don't buy anything from Facebook ads ever". It's no surprise that Meta makes its money from advertising revenue, but this is a serious failure towards its user base.

With the recent developments in AI language models, such as those from OpenAI and Google's Bard, dodgy spelling mistakes and bad English are a thing of the past for phishers, and as you can see, these types of targeted scams can be very, very convincing.

Over this past year, Meta, along with others in the tech industry, has made job layoffs. It's clear to me that Meta is not doing sufficient checks on the ads being placed and is relying on machine learning rather than humans to identify fraud, unless it's users of the platforms reporting them, like myself.
