Fake scandal clips on Facebook bait victims into investment scams


Bitdefender researchers uncovered hundreds of scam campaigns promoted through Facebook ads that use fake news stories, celebrity impersonation, and redirect chains to funnel victims into investment fraud schemes.


The activity ran through 310 malvertising campaigns distributed on Meta platforms from February 9 to March 5, 2026. The campaigns generated more than 26,000 ad sightings with localized content in more than 15 languages.

The operation used three main scam sub-campaigns with a smaller fourth branch, and the infrastructure pointed to two or three separate operator groups using the same playbook.

Anatomy of an investment scam

The campaigns used a small set of recurring storylines to attract victims. Three themes appeared repeatedly in different countries and languages.

One of the most common narratives, “Celebrity Will / Testament,” focused on inheritance claims or alleged final revelations linked to well-known public figures. The ads suggested that a celebrity had secretly invested in a trading platform or left behind financial advice that could make ordinary people wealthy.

Another frequent theme, “Banking / Financial Scandal,” staged dramatic television-style confrontations involving bank executives, central bankers, or financial regulators. In these stories, a public figure appears to reveal a new investment opportunity during a heated interview before the broadcast is supposedly censored or taken down.

A third category, “Political Figure Exposure,” relied on sensational claims about politicians. These ads suggested that a political leader had been arrested, exposed in a scandal, or caught revealing a secret investment platform that could generate large profits.

“Each narrative is localizable, reusable, and emotionally compelling, which makes them effective on social platforms,” researchers noted.

After encountering one of these narratives, victims are directed to a sponsored post that appears to link to a trusted website. Some use legitimate domains. Others imitate well-known media brands through cloned layouts and similar web addresses.

The preview page rarely hosts the scam itself. A redirect chain moves the visitor to another destination with little visible change. The next page usually presents a dramatic news article or breaking story connected to the original ad. The narrative introduces an investment platform and urges readers to register to gain access or start earning.

Registration forms request basic personal information such as name, phone number, and email address. Submitting the form transfers the data to the operators running the scheme. Contact usually follows quickly.

Victims begin receiving calls from individuals posing as account managers or investment advisors. These callers guide targets through initial deposits and encourage additional transfers.

Conversations include promises of high returns and limited-time opportunities. The platform interface shows account dashboards with rising balances meant to suggest successful trades. The figures are fabricated and serve to persuade victims to send more money.

Evasion built into the ad pipeline

The scam infrastructure treated moderation evasion as a routine part of its operations. Observed tactics included whitelisted domain preview abuse involving legitimate news sites and google.com, networks of fake media domains, and Cyrillic homoglyph substitution designed to bypass automated filters.
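One way a moderation or brand-protection pipeline can catch the Cyrillic homoglyph substitution described above, shown as an added example rather than Bitdefender's or Meta's tooling. The lookalike table, function names, watchlist and sample ad text are constructed assumptions.

```python
import re
import unicodedata

# Small hand-picked subset of Cyrillic letters that render like Latin ones.
# Assumption: a production filter would load the full Unicode confusables data.
CYR_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0455\u0458"
    "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425",
    "aeopcxyisj" "ABEKMHOPCTX",
)

# Constructed samples: the first hides Cyrillic U+0435 / U+0430 inside English
# words; the second is ordinary Russian text and must not be flagged.
SAMPLE_AD = "Bank chief reveals s\u0435cret inv\u0435stment pl\u0430tform"
SAMPLE_CLEAN = "\u041d\u043e\u0432\u043e\u0441\u0442\u0438 \u0434\u043d\u044f: bank news"

def script_of(ch):
    """Return 'LATIN', 'CYRILLIC', 'OTHER', or None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"

def mixed_script_tokens(text):
    """Words that mix Latin and Cyrillic letters inside a single token."""
    hits = []
    for token in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in token} - {None}
        if {"LATIN", "CYRILLIC"} <= scripts:
            hits.append(token)
    return hits

def skeleton(token):
    """Fold a flagged token to its Latin lookalike form for keyword matching."""
    return unicodedata.normalize("NFKC", token).translate(CYR_TO_LATIN).lower()

def review_ad(text, watchlist):
    """Report mixed-script words and watchlist terms visible only after folding."""
    mixed = mixed_script_tokens(text)
    raw = text.lower()
    folded = " ".join(skeleton(t) for t in mixed)
    hidden = sorted(k for k in watchlist if k not in raw and k in folded)
    return {"mixed_tokens": mixed, "hidden_keywords": hidden}

if __name__ == "__main__":
    print(review_ad(SAMPLE_AD, ["bank", "investment", "platform"]))
```

Folding is applied only to tokens already flagged as mixed-script, so legitimately Cyrillic ad copy is left untouched and does not produce false keyword hits.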

Bitdefender also observed creative churn, domain rotation, and the migration of techniques between regions, allowing the campaigns to remain active in multiple markets during the study period.

Operational indicators pointed to a shared management layer within parts of the ecosystem. Russian-language metadata appeared in several European scam campaigns. Internal campaign metadata and shared buyer identifiers suggested a Russian-speaking affiliate or management group coordinating elements of the infrastructure.

Researchers found no evidence in the dataset of state sponsorship, intelligence agency involvement, or political direction, suggesting the activity is financially motivated.

The structure described in the research resembled a modular franchise. Shared tooling and a common playbook appeared to support region-specific operators who could deploy localized scams without altering the monetization model.

Reuse appeared in overlapping infrastructure, shared UTM and pixel signatures, coordinated launch timing, and recurring narrative templates adapted to local personalities and media brands.

Meta steps up fight against scam ads

Meta has been under growing pressure in recent years to do more to protect users on its social media platforms.

Recently, the company filed multiple lawsuits targeting companies and individuals in Brazil, China, and Vietnam who used deceptive tactics to run scam ads.

It has also introduced new tools on Facebook, Messenger, and WhatsApp designed to protect users from scams.


from Help Net Security https://ift.tt/xNnQ4BZ
