The ad that started it all
The ad on Facebook Marketplace showed an 18-drawer rolling tool chest from Milwaukee on sale for the suspiciously low price of $129.
The same item from the tool maker typically retails for close to $1,800, which caused a user to flag the ad to Silent Push, a cyber intelligence company.
Scammers frequently entice people by advertising a high value item at an improbable price. It could be a car, clothing, tools, or electronics. Meta’s platforms are a favorite target for such schemes, according to a recent Wall Street Journal report.
Enticed by low prices, users click on the ads and are directed to online stores where they typically pay for a product that never arrives. In some cases, victims’ credit card information is stolen and resold.
Other Facebook ads documented by Silent Push
In this case, the dubious Milwaukee tool chest ad provided a window into a large-scale ecommerce scam operation involving over 4,000 domain names and an unknown number of ads placed on Meta’s products and other platforms, according to a new report from Silent Push shared exclusively with Indicator.
Threat investigator Zach Edwards ultimately connected the original Milwaukee tool chest ad to thousands of other domains that appear to be part of a sprawling ecommerce scam operation. Many of the domains impersonate major retailers like Amazon, L.L. Bean and Wayfair, as well as smaller businesses such as Luke’s Lobster and Ravensburger Puzzles. Other domains identified by Edwards appear to have been randomly generated and have names like wuurkf[.]com and yvnbpm[.]com.
“There's a threat actor out there with over 4,000 domains that is moving rapidly to impersonate not only enterprise businesses but tons and tons of small businesses whose primary sales are via online channels,” Edwards told me. “That's the sort of nightmare scenario, because 99% of these small businesses do not have a security budget and do not have vendors doing brand abuse monitoring, or helping them with takedown requests. This is an expensive problem for them to deal with, and when their customers are defrauded, it becomes a customer support nightmare.”
It’s unclear how much the network spent on ads and how many people may have lost money. I sent Meta a copy of the report as well as a list of just over a dozen Facebook pages connected to the operation.
“Deceitful advertising is against our policies and we are removing the ads, accounts, and Pages included in this report,” said Meta spokesperson Daniel Roberts. “Scammers work across multiple platforms, including through web hosts that allow these scammy websites to exist, and evolve their tactics constantly – that’s why we continue to invest in ways to detect and disrupt them.”
Edwards’ investigation began with the Milwaukee ad and used technical and content indicators to uncover thousands of domains, as well as Facebook pages that placed ads promoting the sites. I spoke with Edwards and used information in his report, and the free community edition of Silent Push’s threat intelligence platform, to show how an investigator can take a single scam ad and use it to identify a larger network.
This case study covers domain generation algorithms (DGAs), connecting websites via shared URLs, HTML titles, and favicons, as well as search approaches for Facebook pages and Meta ads.
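As an added illustration of the pivots listed above (shared HTML titles, shared favicon hashes, and random-looking DGA-style names), here is a small Python sketch. It is not Silent Push’s code or tooling; the site titles and favicon bytes are constructed sample data, and only the two random-looking domain names come from the report.

```python
"""Added example (not Silent Push's code): pivot from one suspicious domain to a
cluster via shared HTML titles and favicon hashes, then flag DGA-looking names."""
import hashlib
from collections import defaultdict, deque

# Constructed sample records: (domain, HTML <title>, favicon bytes). Titles and
# favicon bytes are invented; only the two random-looking names are from the report.
SAMPLE_SITES = [
    ("wuurkf.com", "Milwaukee Tool Chest Sale", b"\x00FAVICON-A"),
    ("yvnbpm.com", "Milwaukee Tool Chest Sale", b"\x00FAVICON-A"),
    ("lobster-house-online.example", "Fresh Lobster Rolls Shipped", b"\x00FAVICON-A"),
    ("home-decor-outlet.example", "Home Decor Outlet", b"\x00FAVICON-B"),
]

def favicon_hash(data: bytes) -> str:
    """Hash of the favicon content: identical icons across sites are a pivot point."""
    return hashlib.sha256(data).hexdigest()

def pivot_cluster(seed: str, sites) -> set:
    """Breadth-first expansion: any site sharing a title or favicon hash with a
    site already in the cluster joins it, so the cluster grows transitively."""
    by_title, by_icon, info = defaultdict(set), defaultdict(set), {}
    for domain, title, icon in sites:
        h = favicon_hash(icon)
        info[domain] = (title, h)
        by_title[title].add(domain)
        by_icon[h].add(domain)
    if seed not in info:
        return set()
    seen, queue = {seed}, deque([seed])
    while queue:
        title, h = info[queue.popleft()]
        for nxt in by_title[title] | by_icon[h]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def looks_generated(domain: str) -> bool:
    """Crude DGA heuristic on the second-level label: few vowels or a long consonant
    run. It only nominates candidates for review; tune thresholds on real data."""
    label = domain.split(".")[0].replace("-", "")
    if len(label) < 6:
        return False
    vowels = sum(c in "aeiou" for c in label)
    longest = run = 0
    for c in label:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(label) <= 0.35 or longest >= 5
```

Starting from wuurkf[.]com, the pivot pulls in yvnbpm[.]com (same title and favicon) and the lobster site (same favicon) while leaving the unrelated decor site alone; the heuristic then marks only the two random-looking names for follow-up.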