Sketchy Facebook pages masquerading as businesses are nothing new, but a spate of recent scams is particularly brutal.
A handful of verified Facebook pages have recently been hacked and spotted slinging probable malware through ads approved and purchased through the platform. But the accounts should be easy to catch – in some cases, they were posing as Facebook itself.
Social adviser Matt Navarra first saw some ads and shared them on Twitter. The compromised accounts contained official-sounding pages such as “Meta Ads” and “Meta Ads Manager”. Those accounts shared suspicious links with tens of thousands of followers, though their reach probably extended much further through paid messaging.
In another case, a hacked verified account posing as “Google AI” directed users to fake links for Bard, Google’s AI chatbot. That account previously belonged to Indian singer and actress Miss Pooja before the account name was changed on April 29. That account, which was active for at least a decade, had more than 7 million followers.
Facebook now maintains and publicly displays a history of name changes for verified accounts — a welcome bit of transparency but a security that apparently isn’t enough to flag some obvious scams.
Most egregious in these cases is that the hacked pages not only posed as big tech companies, included Meta itself, but that they could buy Facebook ads and then distribute suspicious download links. Despite very recent account name changes, those ads apparently passed without a hitch in Meta’s automated advertising system.
All impersonator pages Navarra identified have since been disabled.
This week, Meta shared a report on a recent spate of AI-themed scams. In those cases, hackers lure Facebook, Instagram, and WhatsApp users into downloading malware by posing as popular AI chatbot tools like ChatGPT. One such cluster of malware, known as DuckTail, has been plaguing businesses on Facebook for a few years now.
As TechCrunch’s Carly Page explained this week:
Meta says attackers spreading the DuckTail malware are increasingly turning to this AI-themed bait in an attempt to compromise businesses with access to Facebook ad accounts. Targeting Facebook users since 2021, DuckTail steals browser cookies and hijacks logged Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has access to.
It is possible that the Facebook pages that impersonated Facebook and then bought ads loaded with malware were compromised via DuckTail or similar malware.
“We invest significant resources in detecting and preventing scams and hacks,” a Meta spokesperson told TechCrunch. “While many of the improvements we’ve made are hard to see – because they prevent people from having problems in the first place – scammers are always trying to get around our security measures.”
Impersonation accounts and compromised business pages have long been a headache for business owners on Facebook and Instagram. Meta Verified, the company’s recently launched verification program, is positioned to improve the company’s notoriously thin level of customer support for businesses that rely on its apps. Controversially, Meta’s promising offering of “proactive account protection” isn’t a free enhancement — Instagram and Facebook accounts will have to pay $14.99 a month to secure the higher level of customer support, a price many businesses will likely be reluctant to pay. prevent them from drowning. a sea of scam accounts.
