Facebook scammers have been targeting users in the Middle East with ads that include purported "investment opportunities" for funding legitimate retail organizations.
In reality, the pages are ploys for duping consumers into sinking money into the fraudsters' pockets. Research from Group-IB and the UAE Cybersecurity Council found that the campaign, which ran last December, included 884 unique scam pages, with 60% of them targeting users from the Middle East and Africa (MEA) region.
The sprawling effort, while now defunct, is emblematic of a dangerous trend not just for consumers, but also for retailers, according to Sharef Hlal, head of Group-IB’s Digital Risk Protection Analytics Team for MEA.
He notes that legitimate retail investment offerings from well-known brands are common in the region, and they've proven to be popular, with investment growing and the process of buying and selling shares becoming ever easier through online platforms.
"We note the ever-increasing number of retail investors worldwide, as both wealthy, middle-class, and even low-income individuals look to put their income to work, especially with the growing proliferation of investment apps and portals available online," he says.
Given how normalized such schemes are, it's little wonder that cyber scammers are seeing an opportunity in masquerading as well-known brands offering funding opportunities, he explains.
"[Middle East] countries are renowned for their prosperity and the pace of their rapid economic development: scammers are attempting to exploit these trends," Hlal says. "The scammers impersonated well-known, recognizable companies that would be popular with potential investors, given their significant market presence and strong economic results."
This latest campaign is part of a broader trend. Earlier this year, researchers that scam websites masquerading as reputable brands from the Middle East and Africa increased by 135% in 2022. Investment experts aren't immune either: In July, British broadcaster Martin Lewis warned his followers about ads using his name and face to scam victims, after deepfaked versions of him appeared on Facebook offering investment advice.
Thus, retailers need to pay attention, given that the fallout from the phenomenon can be extremely damaging for their brands, including a loss of consumer confidence in legitimate investment offerings, or even a misperception that the brands themselves are carrying out the scams.
John Bambenek, principal threat hunter at Netenrich said via email that brand impersonation works because there never has been a way for consumers to authoritatively prove authenticity of the websites they visit, and he says the emphasis is on brands to look at new domain registrations and websites and find impersonations and attempt to take them down.
Bryon Hundley, vice president of intelligence operations at the Retail & Hospitality ISAC, says: "Brand impersonation is among the top challenges facing cybersecurity teams at consumer companies, and is a prevalent tactic used in credential harvesting, which often ranks as the most common attack type reported by RH-ISAC members."
He also says brand impersonation is often the first step in a more complex cybercrime operation, and usually the starting point for an enterprise or customer fraud scheme.
Inside the Facebook MEA Investment Scam
In this latest disclosed campaign, Group-IB researchers found ads placed in English, Arabic, and Spanish. On the Arabic-language scam ads and websites created for this campaign, users were enticed with claims that they could earn millions by investing $200.
In order to exploit individuals' inherent trust in well-known brands, the research found that users were given the opportunity to invest in one of 35 market-leading companies from 13 countries. This text was often accompanied by a logo of the impersonated company; 30% of the scam pages discovered during this campaign impersonated legitimate financial and insurance companies, while transportation accounted for 25% of all scam pages.
Clicking on the ad led users to a scam page containing the logo and branding of a prominent company, which requested the victims' names, email addresses, and phone numbers. They would then receive daily emails from a supposed trading portal encouraging them to invest more, and would receive calls if they did not, from a person claiming to be a customer service representative who pressured the victim to deposit funds. That person would promise the chance to earn immediate dividends, and along the way, collect both credit card and passport details.
Researchers from Group-IB said that users frequently complained that representatives of the portal stopped communicating once they transfer money, and users are also blocked on messaging platforms once they request a refund.
How to Thwart Brand Impersonation
Fortunately, there are a number of steps that retailers can take to protect their brands from nefarious impersonation. Hundley recommends that companies continuously monitor their brand's online presence —including domains, search engines, mobile apps, social media, marketplaces, and email — and have procedures in place to quickly take action on detected fraudulent activity.
"Companies can use threat intelligence platforms to help identify tactics, techniques, and procedures to enable brand impersonation, or work with a third-party firm that manages the full life cycle of brand protection," he says.
He also recommends cybersecurity teams consider partnering with other business units, such as customer service, to educate customers about how to identify and report fraud.
Patrick Harr, CEO at SlashNext recommends organizations have an automated brand protection service that checks for impersonation instances, while other recommendations are to maintain ownership of a brand's trademark, consider using the services of specialty firms that deal with the full life cycle of brand protection to ensure scalability, and engage employees to spot and report instances.