From International Cybersecurity Forum in Lille, France (FIC2019): Facebook has become an outcrop of the dark web – it’s a security and privacy nightmare

[ Pour la version française, veuillez cliquer ici

 

See no evil

People are being used as ‘ad-mules’. They rent their Facebook accounts to
launder illicit ads, including possibly those from state actors.
Has the ads industry ever sounded so much like the drugs trade?
This is a security and privacy nightmare that will get your Facebook account banned.

 

12 February 2019 (Brussel, Belgium) – The content (and conversations) available at an event like FIC2019 can be enormous. As I have noted in years gone by, when you have the brain power in attendance at an event like Le FIC, you cannot help but have deep conversations on all aspects of technology … subjects you tend not to address at other conferences. So you need to grab these brilliant people, these fabulous communication channels … folks like Michael Daniel, Philippe Dubuc, John Frank, David Grout, Pascal Le Digol, Philippe Dubuc, Colonel Cyril Piat,  to name but a few.

And the technology. Yikes. Always moving faster than governments. Just one example: a conversation I started last year at FIC2018 and continued this year … the development of internet provision and data storage by networks of cubesats. You have undoubtdly read about these “swarm satellites”, as well as unauthorized rogue satellites. These cubesats are roughly the size of Rubik’s cube and “fly” in low earth orbit. Their launch is causing issues which will throw a spanner in the works of national data firewalls and other regional governance rules.  If you can access the network and your data directly from any place on the globe it will be difficult (though not impossible) for governments to interfere. In two weeks I have a meeting with a cubesat OEM and a NASA scientist at my next stop, the Mobile World Congress in Barcelona, and I will have a detailed post/video in the coming months.

The advertising business does not have a real footprint at FIC2019 but chats about the “dark side” of data and social media is discussed there and it brings me to the main story in this post which I had with several cyber security mavens at the event, which was also the subject of several news articles during the event: renting your Facebook to the “dark side” for cash.

The ads look something like this:

 

They are run by shady internet marketers who’ve been banned from advertising on Facebook … and very often run by representatives of state actors. They have come up with a way to keep running campaigns on the platform: paying people to “rent” their Facebook accounts. The rental economy for Facebook accounts is yet another example of how people attempt to exploit the platform’s ad system in order to avoid bans and conceal who is really behind a campaign. With a rented account, a person can create a new page and quickly begin running ads. And even if Facebook eventually blocks those ads and bans the account, an ad launderer can move to another rented account and start over — without Facebook or anyone else knowing who they are.

As a cyber security sleuth at Le FIC told me (and he prefers remain unidentified):

People who sign up for these programs are effectively ad-mules. These schemes are “ad laundering,” because the people running them find and pay others to help them bypass Facebook restrictions. I have looked at hundreds of websites, YouTube videos, and message board threads where people are being promised as much as $500 a month to let someone use their Facebook account to run ads. Some ad launderers even send people a free laptop if they sign up. The laptop comes preinstalled with software that enables the launderers to run ads from the user’s Facebook account, along with potentially engaging in other invasive and risky behavior. Based on my research I am estimating thousands of people have signed up for these schemes. So it’s safe to assume they’ve been wildly successful.

He says Facebook has been aware of this … the rental schemes appear to have been running for two years or so … and Facebook “does take action to find and terminate affected accounts” but it is a battle.

Security risk? Oh, yeah

The sites offering to rent Facebook accounts have domains in almost every language. And they typically say they are looking for people with real Facebook accounts that have existed for at least one year, that are based in the US, and that have not previously run ads on Facebook. Those interested in renting their account fill out a contact form and, if accepted, are asked to do one of two things: install a browser plugin built by the ad launderers or enable the launderers to virtually access their computer in order to set up a Facebook ads account linked to their profile.

Some sites utilize a program called TeamViewer that’s typically used for technical support, and that requires a user to provide remote access to their computer. Yes, giving remote access to your computer to an unknown party is a huge security risk. They can easily install a backdoor or steal your personal files including but not limited to personal photos, electronic tax records, banking information, etc. And one security expert I spoke to after Le Fic told me he examined the code and behavior of the Chrome extensions and found they also gain an alarming amount of access to your computer. After completing registration, the user is asked to install a backdoor on to their system for the purpose of manipulating their Facebook account to purchase ads. The Chrome extension is installed in such a way that it continues running in the background even when the browser is closed as long as the computer is on.

And needless to say, the websites for these schemes go out of their way to assure people that it’s not a scam or security risk and that it does not violate Facebook’s policies — none of which is true. Many of the sites even offer a referral fee to users who recruit other people to rent their accounts. This way an ad mule can still earn money even after they lose their account. Partially as a result of the referral programs, there are people promoting account rental services on websites, YouTube, Twitter, and elsewhere.

One of the most dangerous? A trace led a security analyst to find a “known state actor” who was paying people to connect a small “free” computer to their internet router in addition to handing over their Facebook account login. An analysis showed the device was buying ads on Facebook … as well as connecting to a botnet set up to perform distributed denial-of-service attacks (DDoS attacks), steal data, etc.

The money involved? $15 per day to rent a Facebook account. But on the message boards you can also find deals to rent five accounts for $3,000 to $4,000 a month.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

scroll to top