Severity
High
Analysis Summary
A fraudulent e-commerce network is targeting Facebook users by deploying hundreds of phony websites to steal financial and personal information through brand imitation and malicious advertising.
Researchers named the campaign "ERIAKOS" after the content delivery network (CDN) shared by all of its sites, and first identified it on April 17, 2024. The fraudulent sites could be reached only from mobile devices and only through ad lures, a gating technique intended to evade automated detection systems. The network consisted of 608 bogus websites, deployed in multiple short-lived waves of activity.
A notable feature of the campaign is that it targeted only mobile users who clicked on Facebook ad lures, some of which offered limited-time discounts to draw consumers to the fraudulent sites. As many as 100 Meta ads pointing to a single fraudulent website were served in one day. The fake websites and advertisements mostly impersonate a well-known power tool manufacturer and a major online e-commerce platform, and they also target victims with fake sales offers for goods from other well-known brands. Fabricated user comments on Facebook are another important means of driving traffic to the sites.
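The mobile-only, ad-lure gating described above is a cloaking behaviour that a defender can test for directly: fetch the same URL under several client profiles and compare what comes back. The following Python script is an added example, not code from the researchers or from the original advisory. It probes a URL under three constructed profiles (a desktop scanner with no referrer, a plain mobile browser, and a mobile browser arriving from a Facebook ad click) and flags a site whose storefront is served only to the ad-lure profile. The profile strings, the storefront marker words, the `assess_site` function and the two constructed fetchers that stand in for real sites are all assumptions made for this example; `live_fetch` is the urllib-based fetcher you would substitute when examining a site during an investigation.

```python
"""Probe a URL under several client profiles and flag ad-lure cloaking.

Added example for illustration; the profiles, markers and sample sites
below are constructed, not taken from the ERIAKOS research.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlparse


@dataclass(frozen=True)
class Profile:
    name: str
    user_agent: str
    referer: str


# Three vantage points: what an automated scanner usually looks like, a plain
# mobile browser, and a mobile browser arriving from a Facebook ad click.
# User-Agent strings are constructed approximations.
PROFILES = (
    Profile("desktop_direct",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36",
            ""),
    Profile("mobile_direct",
            "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
            ""),
    Profile("mobile_facebook_ad",
            "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 [FBAN/FBIOS;FBAV/470.0]",
            "https://l.facebook.com/"),
)


@dataclass
class Response:
    status: int
    final_url: str   # URL after any redirects
    body: str


Fetcher = Callable[[str, str, str], Response]

# Words that indicate a checkout-capable storefront (assumed heuristic).
STOREFRONT_MARKERS = ("add to cart", "checkout", "card number", "cvv", "% off")


def classify(resp: Response) -> str:
    """Reduce a response to a coarse label used for cross-profile comparison."""
    if resp.status >= 400:
        return "error"
    text = resp.body.lower()
    if len(re.sub(r"\s+", "", text)) < 50:
        return "blank"
    if any(marker in text for marker in STOREFRONT_MARKERS):
        return "storefront"
    return "other"


def assess_site(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch the URL under every profile and report whether the storefront is gated."""
    observed: Dict[str, str] = {}
    landing_hosts: Dict[str, str] = {}
    for profile in PROFILES:
        resp = fetch(url, profile.user_agent, profile.referer)
        observed[profile.name] = classify(resp)
        landing_hosts[profile.name] = urlparse(resp.final_url).hostname or ""
    lure_sees_shop = observed["mobile_facebook_ad"] == "storefront"
    scanner_sees_shop = observed["desktop_direct"] == "storefront"
    cloaked = lure_sees_shop and not scanner_sees_shop
    if not cloaked:
        gate = "none"
    elif observed["mobile_direct"] == "storefront":
        gate = "user_agent"      # any mobile client gets the shop
    else:
        gate = "referer"         # only the ad-click path gets the shop
    return {"url": url, "per_profile": observed, "landing_hosts": landing_hosts,
            "cloaked": cloaked, "gate": gate}


def live_fetch(url: str, user_agent: str, referer: str, timeout: int = 10) -> Response:
    """Real fetcher for use against a site under investigation (not used offline)."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.geturl(), r.read(2_000_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.geturl(), e.read().decode("utf-8", "replace"))


# Constructed stand-ins for two sites so the script runs with no network access.
STOREFRONT_HTML = ("<h1>Power tools outlet - 80% off today only</h1>"
                   "<button>Add to cart</button><form>Card number / CVV</form>")


def cloaked_site_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Serves the shop only to a mobile client that arrived from Facebook."""
    is_mobile = "Mobile" in user_agent or "iPhone" in user_agent
    from_facebook = "facebook.com" in referer
    if is_mobile and from_facebook:
        return Response(200, url, STOREFRONT_HTML)
    return Response(404, url, "<html><body>Not Found</body></html>")


def honest_site_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Serves the same storefront to everyone."""
    return Response(200, url, STOREFRONT_HTML)


if __name__ == "__main__":
    for label, fetcher in (("cloaked", cloaked_site_fetch), ("honest", honest_site_fetch)):
        print(label, assess_site("https://deals-outlet.example/", fetcher))
```

A real engagement would run `assess_site(url, live_fetch)` from a host whose traffic is allowed to reach the suspect site; the `gate` value tells you which condition (client type or ad referrer) the site keys on, which is useful both for tuning a URL sandbox so it sees the same content victims do and for writing a proxy rule that blocks the landing hosts it reports.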
The merchant accounts and the domains tied to the fraudulent websites are registered in China, which suggests that the threat actors behind the campaign most likely set up the company that handles the fraudulent merchant accounts there. Criminal e-commerce networks built to harvest credit card data and profit from fictitious orders have emerged before: in May 2024 a network of 75,000 fraudulent online shops known as BogusBazaar was found to have made over $50 million by selling clothing and shoes from well-known brands at discounted prices.
Last month, cybersecurity researchers also disclosed a previously unreported traffic direction system (TDS) called R0bl0ch0n TDS, used to spread affiliate marketing scams through a network of phony retail and sweepstakes survey websites, all aimed at stealing credit card information. URLs that redirect through R0bl0ch0n TDS were initially distributed through several different vectors, suggesting that these campaigns are likely run by multiple affiliates.
The disclosure comes as users searching for Google Authenticator have been observed being redirected by fake Google ads to a rogue website. That site links to a Windows executable hosted on GitHub that drops an information stealer known as DeerStealer. The advertisements look authentic because they appear to come from "google.com" and the advertiser identity is shown as verified by Google; Google confirmed that an unidentified party was able to impersonate Google and distribute malware disguised as a branded Google product.
Malvertising campaigns have also been observed spreading other malware families, including WorkersDevBackdoor, MadMxShell, and SocGholish (also known as FakeUpdates). Researchers have found infrastructure overlaps between the latter two, suggesting that they are likely operated by the same threat actors. Registrant email addresses have also been used to link domains serving WorkersDevBackdoor and MadMxShell, and advertisements for Angry IP Scanner have been used to lure victims to phony websites.
Impact
- Sensitive Data Theft
- Financial Loss
- Identity Theft
Remediation
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enable two-factor authentication (2FA) on your accounts. It adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Back up important data regularly so that critical information is not lost in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up to date with the latest security patches. This helps close vulnerabilities that info-stealers and other types of malware could exploit.