Over recent months, unfortunately, talk of hacking has become a frequent news item. It seems every week, another prominent institution has been breached.
As well as the high-profile hacks, Facebook Business Manager account hacks are on the rise, too. How do we know? Because we were one of the agencies targeted.
Luckily, we were able to catch the hack and put a stop to it before any harm was caused to us or our clients, but it was a serious reminder of the sophisticated approaches that scammers now employ and the immense importance of strong cybersecurity. So, in the interest of transparency, we thought we’d share the details of what happened so that you can avoid falling victim to this or any similar scam.
So, What Happened?
On Friday, May 5, at approximately 9:20 am AEST, a Facebook profile in our Facebook Business Manager account was hacked. The hackers managed to break through a 16-character password and two-factor authentication.
They then changed the password for that Facebook profile and removed the associated email address.
Once inside the hacked account, the hackers proceeded to duplicate existing ad campaigns across a number of our clients (1 per client), changed the Pixel ID and ad creative associated with these campaigns, and upped the daily ad spend to between $45,000 and $65,000.
And they did all this in the rules area of the Business Manager:
This hack aimed to launch scam ads for their products, paid for by the credit cards on our ad accounts. Below is a screenshot of the ads they launched.
The site the ads were sending traffic to has been identified as a scam by ScamAdviser: https://www.scamadviser.com/check-website/othershoppp.com
The fraud campaigns began to be pushed live at approximately 3pm AEST.
The hackers cleverly copied the naming conventions of our ad campaigns to conceal the presence of their fraudulent campaigns. Fortunately for us, one of our vigilant Facebook Ads Specialists discovered the fraudulent duplicate campaigns before they managed to eat into those massive daily spends. We caught most of them before they incurred any spend, and combined across the impacted ad accounts, only around $1,500 was charged before the campaigns were deactivated.
Although we were able to remove the compromised Facebook profile’s access to our Business Manager, the hackers attached three Pixel IDs to each of the ad accounts.
These Pixel IDs have no actual access to the ad accounts and are not receiving any data from them, and so far, Meta has been unable to remove them.
We can, however, see data from them, and they are still active, hacking other Facebook ad accounts.
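The three changes described above (a duplicated campaign name, a swapped Pixel ID and a daily budget far above the account's norm) can be checked for automatically. The following is an added example, not our agency's tooling or Meta's API: the export format, field names, pixel allow-list and the 10x budget threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed export of campaign settings. Field names are hypothetical,
# not a Meta API schema.
CAMPAIGNS = [
    {"id": "c1", "account": "client-a", "name": "AU | Prospecting | Winter",
     "daily_budget": 120, "pixel_id": "PX-A", "created": "2023-03-01T09:00"},
    {"id": "c2", "account": "client-a", "name": "AU | Retargeting | Winter",
     "daily_budget": 80, "pixel_id": "PX-A", "created": "2023-03-02T09:00"},
    {"id": "c3", "account": "client-a", "name": "AU | Prospecting | Winter ",
     "daily_budget": 45000, "pixel_id": "PX-X", "created": "2023-05-05T14:50"},
    {"id": "c4", "account": "client-b", "name": "Brand | Autumn Sale",
     "daily_budget": 260, "pixel_id": "PX-B", "created": "2023-04-01T10:00"},
]
# Assumed allow-list: the pixels each client account is expected to use.
APPROVED_PIXELS = {"client-a": {"PX-A"}, "client-b": {"PX-B"}}


def normalise(name):
    """Lower-case and collapse whitespace so look-alike names compare equal."""
    return " ".join(name.lower().split())


def flag_suspicious(campaigns, approved_pixels, budget_factor=10):
    """Return {campaign_id: [reasons]} for campaigns matching the hack pattern."""
    by_account = defaultdict(list)
    for c in sorted(campaigns, key=lambda c: c["created"]):
        by_account[c["account"]].append(c)
    findings = {}
    for account, items in by_account.items():
        seen_names = set()
        for i, c in enumerate(items):
            reasons = []
            earlier = [p["daily_budget"] for p in items[:i]]
            # Budget far above the median of the account's earlier campaigns.
            if earlier and c["daily_budget"] > budget_factor * median(earlier):
                reasons.append("budget_spike")
            # Pixel that this account has never been approved to use.
            if c["pixel_id"] not in approved_pixels.get(account, set()):
                reasons.append("unapproved_pixel")
            # Name that copies an existing campaign in the same account.
            if normalise(c["name"]) in seen_names:
                reasons.append("duplicate_name")
            seen_names.add(normalise(c["name"]))
            if reasons:
                findings[c["id"]] = reasons
    return findings


if __name__ == "__main__":
    print(flag_suspicious(CAMPAIGNS, APPROVED_PIXELS))
```

Run on a schedule against a fresh export, a check like this flags the duplicate even when its name matches the agency's own naming convention, because the pixel and budget tests do not depend on the name.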
Who’s Behind the Hack?
At this stage, we don’t know who exactly, but we do know that we aren’t the only agency to be affected – in fact, variations of this same hack seem to have targeted digital marketing agencies around the world in recent months, as commenters on this Reddit post have reported.
After reading about the experiences of other agencies, we realised we were more fortunate than we first thought. While we caught and stopped the fraudulent campaigns soon after they launched, others were billed upwards of $100k before they noticed and are still waiting for refunds from Meta. Things could have been a lot worse.
The aim of the hack was simple: to direct traffic and sales to an e-commerce website without the hackers having to pay for the advertising themselves. In our case, the product they were promoting was a slipper.
Although this scam seems to have struck many agencies in just the last few months, it has been running far longer than that, albeit with slightly different approaches and methods. This 2021 article from Mashable reports that digital marketer Loni Mayse fell victim to the same hack two years ago, with hackers gaining access to her account through a piece of malware after reaching out through Facebook Messenger pretending to be a prospective client.
In the Reddit post linked above, several commenters reported that their accounts were hacked by email addresses associated with bugfoo.com, a domain considered high-risk and frequently used by fraudsters to create disposable email accounts, as you can see below.
According to the aforementioned Mashable article, this particular hack is commonly run out of Vietnam – and what do you know, one of the creators that attached the fraudulent Pixel IDs to our ad accounts has a Vietnamese name: Hài Đăng.
What Have We Done in Response to the Breach?
As mentioned above, our team quickly identified and prevented the hack from escalating. We contacted Facebook support and removed all fraudulent activity from the accounts. We removed the compromised Facebook profile and suspended the associated email address. Additionally, we have consulted with a cyber-security specialist who has been reviewing our policies and procedures, and we have begun implementing their recommendations.
We have also recorded the attack with https://www.cyber.gov.au/report-and-recover/report
At the time of writing, we are waiting for Facebook to conduct their review.