SPECIAL: “Investments” in Romgaz - thousands of deceptive advertisements promoted through Meta.
Good morning,
323 Facebook pages, using the images of politicians or celebrities from Romania, have paid for over 4,000 fraudulent ads promising quick and easy gains through supposed investments in companies like Romgaz or OMV Petrom.
The deceptive ads had a total of over 50 million views in August 2023. The Facebook pages are linked to websites that clone the interface of portals like Digi24, Capital, Mediafax, or Romania TV.
Ovidiu has prepared an analysis for Edition #175 that details this phishing network, which spreads through the advertising platform of Meta, the parent company of Facebook and Instagram. Phishing is a type of attack commonly used to steal users' personal data, including financial information such as credit card numbers.
What happened?
Starting in August 2023, Meta introduced an advertising archive for all ads shown to EU users, following the implementation of the Digital Services Act, as previously discussed in Edition #173. This archive is accessible to the public.
We found that during August 2023 alone, more than 4,000 ads were displayed to users in Romania, all of which promised quick and effortless profits, primarily by suggesting investments in companies such as Romgaz or OMV Petrom.
These advertisements feature the images of well-known individuals in Romania, including politicians and media personalities, with the aim of capturing users' attention. In total, these ads received over 50 million views.
What does the technical analysis reveal?
We have identified 323 Facebook pages used to distribute fraudulent ads. Among these, 272 pages have fewer than 50 likes, including 45 pages with just 1 like and 117 with zero likes.
You can view some of these ads by searching for “romgaz” in the Facebook Ad Library. The ads running in Romania utilize approximately 400 internet domains to host the phishing information and forms.
Out of these domains, 150 are hosted on a server located in Moscow, as indicated by the online data about the IP address (45.9.74.6): LetHost, Moscow, Krasnopresnenskaya emb. 12-17.
At the mentioned IP address, we have identified a total of 679 domains used for similar purposes, containing content in multiple European languages. These domains were registered within the last 3 months and were often purchased in groups of 10-20. The most striking “purchase” was a package of 130 domains acquired within a 30-minute interval.
Domain extensions such as .live, .life, or .info are currently discounted on Namecheap, the world's largest domain registrar, and can each be acquired for around $3 per year.
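The batch registrations described above can be surfaced from WHOIS creation dates. The following is an added example, not part of the original analysis: it groups domains by hosting IP and reports runs registered within a 30-minute window. The records, domain names and IP addresses are constructed sample data, and the 10-domain threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def registration_bursts(records, window=timedelta(minutes=30), min_size=10):
    """Return bursts: >= min_size domains on one IP whose creation times
    all fall within `window` of the first registration in the run."""
    by_ip = defaultdict(list)
    for domain, ip, created in records:
        by_ip[ip].append((created, domain))

    bursts = []
    for ip, rows in by_ip.items():
        rows.sort()
        run = []
        # A sentinel row far in the future flushes the final run.
        for created, domain in rows + [(datetime.max, None)]:
            if run and created - run[0][0] > window:
                if len(run) >= min_size:
                    bursts.append({
                        "ip": ip,
                        "count": len(run),
                        "start": run[0][0],
                        "span_minutes": (run[-1][0] - run[0][0]).total_seconds() / 60,
                        "domains": [d for _, d in run],
                    })
                run = []
            run.append((created, domain))
    return bursts

# Constructed sample data: (domain, hosting IP, WHOIS creation time).
T0 = datetime(2023, 8, 1, 10, 0)
SAMPLE = (
    [(f"invest-{i:02d}.example", "192.0.2.10", T0 + timedelta(minutes=2 * i))
     for i in range(12)]                                   # one batch purchase
    + [(f"shop-{i}.example", "192.0.2.10", T0 + timedelta(days=5 * (i + 1)))
       for i in range(3)]                                  # unrelated, days apart
    + [(f"blog-{i}.example", "198.51.100.7", T0 + timedelta(minutes=i))
       for i in range(2)]                                  # too few to count
)

if __name__ == "__main__":
    for b in registration_bursts(SAMPLE):
        print(b["ip"], b["count"], "domains in", b["span_minutes"], "minutes")
```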
What did we find?
The images of President Klaus Iohannis, Prime Minister Marcel Ciolacu, and former Prime Minister Nicolae Ciucă have been the most commonly utilized. We have identified a minimum of 20 public figures whose portraits have been used in a deceptive manner.
If the President doesn’t sway you to “invest”, perhaps Diana Șoșoacă, Andreea Esca, Mugur Isărescu, or Andrew Tate can do the job. In essence, there’s a promotional ad for everyone. You can view all the portraits used in these deceptive advertisements right here.
Upon clicking the link in the advertisement, users are redirected to a website where, often disguised as a news article, they are encouraged to input their personal information. We've come across articles that replicate the appearance of Romanian news websites such as Digi24, Capital, Mediafax, or Romania TV.
Because Meta has categorized some of these ads as political advertising, we were able to see the currencies used for payment. These ads were paid for in AED (United Arab Emirates dirhams), BRL (Brazilian reais), CLP (Chilean pesos), CZK (Czech crowns), EUR (euros), GBP (British pounds), MXN (Mexican pesos), PEN (Peruvian sols), PHP (Philippine pesos), THB (Thai bahts), TRY (Turkish lira), and USD (United States dollars).
For political advertising, payment is only allowed in the national currency of the country where the ad is being shown, but Meta doesn't impose any restrictions when it comes to commercial advertising.
What actions have been taken?
Meta has disabled only about 400 ads (roughly 10% of the total fraudulent ads we've uncovered) and has not taken any punitive measures against the domains or pages used to deliver these ads. At present, approximately 50-100 ads are active at any given time and being shown to users in Romania.
Due to the Digital Services Act, Meta now mandates that every ad must include details about the beneficiary and the payer of the advertisement. However, similar to the political advertising archive on Facebook, this information can be filled out with false data, making it essentially irrelevant. In this case, we've come across ads where the beneficiary's name includes random character sequences (like vcfd, tfyfjghj, sdfs, sdf, etc.).
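The signals reported in this analysis (pages with fewer than 50 likes, random-looking beneficiary names, payment in a currency other than the Romanian leu, Romgaz or OMV Petrom in the ad text) can be combined into a simple triage check. This is an added example, not code from the original analysis or from Meta; the record field names are hypothetical and the sample ads are constructed.

```python
import re

LURE_TERMS = ("romgaz", "omv petrom")  # brands the analysis says the ads invoke
NATIONAL_CURRENCY = "RON"              # the ads were shown to users in Romania

def looks_random(name, max_vowel_ratio=0.2):
    """Keyboard-mash check: almost no vowels, like 'tfyfjghj' or 'sdfs'."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return False  # nothing to judge (e.g. a non-Latin name)
    vowels = sum(ch in "aeiou" for ch in letters)
    return vowels / len(letters) < max_vowel_ratio

def triage(ad):
    """Return the signals from the analysis that this ad record matches."""
    signals = []
    if ad["page_likes"] < 50:
        signals.append("low_page_likes")
    if looks_random(ad["beneficiary"]) or looks_random(ad["payer"]):
        signals.append("random_beneficiary_or_payer")
    # Currency is only visible for ads categorized as political advertising.
    if ad.get("currency") and ad["currency"] != NATIONAL_CURRENCY:
        signals.append("foreign_currency")
    if any(term in ad["text"].lower() for term in LURE_TERMS):
        signals.append("investment_lure_brand")
    return signals

# Constructed sample records; field names are hypothetical.
SAMPLE_ADS = [
    {"page_likes": 0, "beneficiary": "tfyfjghj", "payer": "sdfs",
     "currency": "BRL", "text": "Investiți în Romgaz și câștigați rapid"},
    {"page_likes": 12000, "beneficiary": "Example Retail SRL",
     "payer": "Example Retail SRL", "currency": None,
     "text": "Reduceri de toamnă"},
    {"page_likes": 31, "beneficiary": "Maria Ionescu", "payer": "Maria Ionescu",
     "currency": None, "text": "Cum să investești în OMV Petrom"},
]

if __name__ == "__main__":
    # Review the ads matching the most signals first.
    for ad in sorted(SAMPLE_ADS, key=lambda a: len(triage(a)), reverse=True):
        print(len(triage(ad)), triage(ad), ad["text"])
```

The vowel-ratio check also fires on short consonant-only acronyms, so a match is a reason for manual review, not a verdict.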
In Romania, the National Cyber Security Directorate (formerly CERT-RO) has issued multiple warnings regarding this type of fraudulent advertising.
In Poland, CERT-PL maintains a list of domains used in phishing campaigns (CERT Polska), and 140 domains discovered in this analysis are already included in that list.
What steps could be taken into consideration?
It's essential to understand that Meta isn't legally obliged to take action against these ads. Furthermore, advertising networks lack any financial motivation to address this issue.
Fraudulent and misleading ads can actually generate income for advertising networks, so investing in their detection and removal might lead to a reduction in their profits. You can find more insights on this topic in an article by Augustine Fou, an expert in online advertising (LinkedIn).
Currently, the most practical solution on a large scale is to educate users about these types of ads and advise them not to interact with them.
How to protect yourself from phishing
Since deceptive messages can be quite convincing, here are two services that can help you protect yourself or your loved ones:
Quad9: Quad9 is a free DNS service that blocks access to phishing websites, malware, and other dangerous sites.
NextDNS: NextDNS is a DNS service that provides protection against phishing websites, malware, and other harmful sites.
According to the official website of the U.S. Federal Trade Commission, there are some simple measures you can take to protect yourself. For example, you can enable two-factor authentication (2FA).
If you have fallen victim to a phishing operation, here are some steps to follow, as recommended by sigurantaonline.ro.