Facebook scammers are hacking accounts and running ads with stolen money

Scammers are hacking Facebook accounts, running ads with stolen money, and bragging about their fraudulent fortunes right on the social network.

If you're one of the 10 million Facebook users running ads on the platform, beware of a growing scam ring that's hacking advertisers' accounts, using their credit cards to steal tens of thousands of dollars in Facebook ads, and openly bragging about the money they're making off the scheme right on the platform.

What's going on here?

The scam

Digital marketer Loni Mayse knew something was wrong when ten of the Facebook ad accounts she manages started running $15,000 per day ads for what she describes as a "Santa Clause on a stripper pole" Christmas decoration.

The fraudulent ads running on Loni Mayse's Facebook pages were pushing users to this ecommerce store. Credit: mashable screenshot

"Let's be honest who the fuck wants that?" she said, referring to the product being hawked via ads on a Facebook post describing the nightmare scenario she just went through.

"[The scammers] were in about 10 of my accounts within minutes," she explained in an online conversation with Mashable. "All running this ad. Bypassed every single Facebook security protocol as well."

Mayse says the scammers quickly placed two unauthorized users inside her Facebook Business Manager, which is the backend portal that allows social media managers and marketers to run multiple Facebook Pages and ad accounts from one dashboard. They also changed the names of the Facebook pages.

She explained how their emails and usernames tried to disguise what they were doing. In one instance, the scammers tried to spoof Facebook support by using a fake customer service email address for the user being added to the account. In another, they added a fake profile utilizing her own name, Loni Mayse, perhaps in an effort to make the duplicate look like a glitch and not an actual separate unauthorized account added to her Business Manager.

This is not a glitch. One of thoseLoni Mayse accounts are not really hers. Credit: Loni Mayse

The scammers were also able to raise the billing threshold on her ad accounts, allowing them to spend more of Mayse's and her clients' funds. Mayse pointed out how this requires approval from Facebook.

"I just do not understand how they got it approved so fast," she told me.

A screenshot of Loni Mayse's Facebook ad manager showing the scammer's ad and the $15k per day advertising budget that they set. Credit: Loni Mayse

The tens of thousands of dollars a day in Facebook ads that the scammers had access to were pushing users to an online shop called "HappyStore.info." The site is built using ShopBase, an ecommerce platform like Shopify located in San Francisco. In fact, the majority of the ecommerce shops involved in this particular scam ring appear to be built on the ShopBase platform.

ShopBase did not immediately respond to Mashable's request for comment.

The hack

How are these scammers gaining access to all these Facebook ad accounts?

It's pretty sneaky. A scammer will reach out to a digital marketer via Facebook Messenger posing as someone looking to hire a Facebook ad campaign manager. After their pitch, they'll send over a project proposal with all the details about the company, budget, and what they're looking to do. This proposal is cover for a .exe file download, disguised as an innocent PDF, which gives the scammer access to the target's Facebook Business Manager.

A PDF is just simply a document file. An .exe on the other hand is an executable file often used to run or install applications on a Windows-based PC. A user should never download an .exe file from someone they don't know as its often used to install viruses and other nefarious software on their computers.

Ecommerce strategist Alex Stiehl tells Mashable he was also targeted, but had seen the spreading warnings about the scam.

The unsolicited Facebook messages sent to Alex Stiehl. Credit: Alex StiehL

"They pretended to want me to run ads for them," Stiehl said. "I did not accept the [Facebook messages] and they have not gotten access to my accounts."

In the messages provided to Mashable, the script used by multiple scammer profiles have been similar, with each sending the target a Dropbox or MediaFire download link to a compressed file that includes the .exe disguised as a PDF. In one instance, the scammer even checked to make sure that its target had been using a PC as the .exe file would not be able to run on a Mac.

Unfortunately for Loni Mayse, she did download the file.

The unsolicited Facebook messages sent to Loni Mayse. Credit: Loni mayse

Upon doing so, the scammers were able to completely bypass the two-factor authentication she has on her Facebook account. However, she doesn't think the .exe file provided the scammers with remote access to her computer as she was monitoring the actions in real-time. One possibility is that the scammers were able to swipe Mayse's EAAB, a static access token that provides a user account with access to Facebook's API.

The scammers

Perhaps the most incredible thing about this scam is that the alleged perpetrators are openly bragging about their success right on Facebook, on what appears to be legitimate profile pages.

That's right. It's known who they are, or at least what they go by on Facebook, thanks to sloppiness on their part.

"They left way too many breadcrumbs," Mayse tells me, providing the Facebook Pixel used by the scammers.

A Facebook Pixel is a piece of code that allows the social media company to track the effectiveness of your ad campaigns. Using this, one can find all the campaigns attached to the ad account connected to the pixel. For example, the Facebook pixel tells us that one of the other websites they were advertising is an ecommerce shop called "joynesse.net."

According to the scammers' Facebook Pixel, their scheme appears to be very successful. Credit: Loni Mayse

Using the Facebook pixel, we can see that the scammers were still running ads on Facebook to their ecommerce stores as of the night of Oct. 27. But, the most revealing information came from a crucial mistake that the scammers made while changing the settings around on Loni Mayse's Facebook Pages.

Not long after taking over Mayse's accounts, it appears as if the scammers were attempting to add their fake Loni Mayse profile as an editor to a different Facebook Page they ran. Instead, they mistakenly added Loni Mayse's real Facebook profile, revealing the other profiles that were running the page.

The scammers accidentally addedLoni Mayse as an editor on one of their own Facebook Pages. Credit: Loni Mayse

The scammers appear to be based out of Vietnam. When Mayse posted some information to her Facebook profile, one of her followers reached out.

Nguyen Luan, a computer engineer based in Vietnam who is familiar with the scam says he's aware of the scam tactics because he runs legit ecommerce shops that have all but gone out of business as an effect of the grift. Luan says he does not know these individuals personally.

In a conversation with Mashable, Luan explained how these scammers often track what legit ecommerce shops are selling to see what's popular and then clone the websites and its products. Next, they target ad agency owners and use their hacked ad accounts and stolen funds attached to them to run high-priced Facebook ads. The legit ecommerce shops cannot compete because the scammers are outbidding them on ads with this "free money."

Are the scammers at least sending the unsuspecting buyers the product listed on their ecommerce site? That part is unclear. However, if they are, they are most likely selling cheap, scammy knockoff versions from dropshipping websites of the actual advertised item, a common tactic used in other Facebook scams.

The accounts of some of the alleged scammers provided to Mashable by Luan match the users that took over Mayse's accounts, such as profiles belonging to Bá Tiệp and Võ Văn Kiều.

The alleged scammers are making bank. Credit: Mashable Screenshot

Luan pointed to this braggadocios Facebook post from Võ Văn Kiều, with a screenshot attachment of an ecommerce earnings dashboard, as an example of the alleged millions of dollars these scammers are making from their fraudulent activities.

"Guess the result and win a prize," posted Võ Văn Kiều in a Facebook post asking his friends and followers to guess the first number in the 7-figure earnings from the alleged scam.

"They live like a king here with the stolen money," Luan told Mashable. "They have [run the scam campaign] for like 2 years now. The trend is going up and more people are doing this. They can't be caught or go to jail because they live outside the U.S. Shutting down their profiles can't stop them."

What can be done

Unfortunately, it appears Luan is right.

This Facebook ad hack and scam is only getting worse, and it appears like not much is being done about it. For example, Mari Smith, one of the biggest names in the Facebook marketing world, recently shared that she fell victim to this very same scam too.

There is a history of Facebook-related ad schemes attached to scam rings from Vietnam, yet Facebook seems to be struggling to keep up with it. Just this past summer, Facebook announced it was suing four Vietnamese individuals for taking part in a similar ecommerce-related Facebook account takeover scam. While Facebook was able to shut down that particular scheme, the scammers were still able to ring up over $36 million in unauthorized ads.

For users, like Loni Mayse, who've been affected, all they can really do is reach out to Facebook support and wait for help.

"I've had a support ticket open for six days," Mayse told me. While the scammers no longer have access to Mayse's pages or Business Manager, Facebook has put limits on what she can do, too. As of right now, for example, she can't run any Facebook ads.

Most users that fell victim to this scheme who've shared their experience say they've been able to recoup most if not all their funds. Mayse says she caught the issue while the scammers' ads were still in-review and not yet approved by Facebook, so she had not yet been charged.

Facebook declined to comment on record for this story. The company provides information in its Help Center on avoiding scams on its platform and has recently taken additional steps to warn users about possible suspicious activity. Facebook says it is also developing a new type of account so users will no longer have to use their personal Facebook logins to access Business Manager.

While the scammers are no longer inside Loni Mayse's account, they're still on Facebook. On Alex Stiehel's Facebook post warning his friends and followers about the scheme, there are dozens and dozens of comments from users just this week saying they just fell victim to this scam.

Nguyen Luan believes that the only thing that can stop these scams is to cut them off at the payment processor level. If the scammers can't collect their funds via platforms like PayPal or Stripe, then the majority of ecommerce scams will die out.

"Facebook can't do anything about it," Luan explained to me. "What can you do about it?"