sif0
7 min read · Mar 14, 2023


Harvesting User Information Through Facebook Ads

I wrote this blog to show how scammers can retrieve user information via Facebook ads. I am unsure how Facebook addresses this, which is for another conversation.

What we’ll look at specifically is an exciting ad for Aer. Aer is a company in San Francisco, California, that sells functional bags. While browsing my feed, I saw an advertisement claiming that Aer is opening a store in the Philippines! That sounds great and, at the same time, suspicious.

I own an Aer bag, and I had it shipped from the US. There is no way, at least not any time soon, I would imagine, that they will operate a store here in the Philippines. Additionally, the advertisement priced the backpack at only “₱110”, around $2, which is insane.

Aer advertisement

As of this writing, the page has around 2.4k likes.

Aer Facebook page

Based on the image below, where the price is presented, a few things already stand out. The image is badly edited.

Pricing promotion

Also, if they are only opening a store in the Philippines, how come they have a display of bags with peso pricing?

Comments section

Checking the comments section, a few people claim that they have received the bag, which makes the ad more believable, as if the promo were indeed valid.

Comments in the post

Notice anything about the number of reactions? Each comment has a reaction count in a narrow range (10–15).

Interaction in comment section

Clicking on one of the reaction counts, I observed that those who reacted… are not even Filipinos? This makes the advertisement even more suspicious.

Reactions information

I won’t fully describe my observations from checking each of these Facebook accounts, but most of them have posts with NO reactions. Don’t they have friends on FB?

Getting a little more technical

The following is a more technical account of what happens when we navigate to the URL in the post: https://tinurl[.]com/aer-store

Visiting the page tells us that it has “Moved Permanently” to the domain “https://dpcstreet[.]com”. The HTTP response is shown below.

```http
HTTP/2 301 Moved Permanently
Location: https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&utm_medium=group&utm_content=placement&utm_term=keyword
X-Tinyurl-Redirect: eyJ[...TRIMMED...]Q==
Server: cloudflare

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword'" />
<title>Redirecting to https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword</title>
</head>
<body>
Redirecting to <a href="https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword">https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword</a>.
</body>
</html>
```
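The response above carries the destination three times: in the `Location` header, in a `<meta http-equiv="refresh">` tag, and in the anchor. The following is an added example (my own code, not from the post) that pulls all three out of a captured response without following the redirect, checks that they agree, and reports the destination host and its UTM tracking parameters in defanged form. The response text is constructed from the one shown in the post; the trimmed `X-Tinyurl-Redirect` value is replaced with a placeholder.

```python
"""Static inspection of a URL shortener's redirect response (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed from the response shown in the post; the redirect token is a placeholder.
CAPTURED_RESPONSE = """HTTP/2 301 Moved Permanently
Location: https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&utm_medium=group&utm_content=placement&utm_term=keyword
X-Tinyurl-Redirect: PLACEHOLDER_TOKEN
Server: cloudflare

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword'" />
<title>Redirecting</title>
</head>
<body>
Redirecting to <a href="https://dpcstreet.com/best-travel-backpack?utm_campaign=UzThjJRtSz&amp;utm_medium=group&amp;utm_content=placement&amp;utm_term=keyword">link</a>.
</body>
</html>
"""


class RedirectTargets(HTMLParser):
    """Collects every redirect destination embedded in the HTML body."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already decodes &amp; in attribute values
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url='https://...'"; keep what follows url=
            _, _, url = a.get("content", "").partition("url=")
            self.meta_refresh.append(url.strip().strip("'\""))
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def split_response(raw):
    """Return (status line, lower-cased header dict, body) from raw response text."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def defang(url):
    """Render a URL so it is not clickable when pasted into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def analyse_redirect(raw):
    """Summarise where a redirect response sends the browser, without following it."""
    status, headers, body = split_response(raw)
    parser = RedirectTargets()
    parser.feed(body)
    final = headers.get("location")
    targets = {final} | set(parser.meta_refresh) | set(parser.hrefs)
    targets.discard(None)
    parts = urlsplit(final)
    return {
        "status": status,
        "destination_host": parts.hostname,
        "all_targets_agree": len(targets) == 1,
        "utm": {k: v[0] for k, v in parse_qs(parts.query).items() if k.startswith("utm_")},
        "report_line": f"{status} -> {defang(final)}",
    }


if __name__ == "__main__":
    for key, value in analyse_redirect(CAPTURED_RESPONSE).items():
        print(f"{key}: {value}")
```

Reading the destination from the captured text rather than letting a client follow it keeps the analysis machine from ever touching the landing page, and a mismatch between header, meta refresh and anchor would itself be worth noting in a write-up.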

I tried to retrieve information on dpcstreet[.]com using whois and host. For the non-technical folks here, think of this as the “contact information” of whoever manages the website.

```
$ whois dpcstreet.com

Domain Name: DPCSTREET.COM
[...TRIMMED...]
Updated Date: 2023-02-12T06:43:02Z
Creation Date: 2022-07-29T19:18:27Z
[...TRIMMED...]
Name Server: NS1.DIGITALOCEAN.COM
Name Server: NS2.DIGITALOCEAN.COM
Name Server: NS3.DIGITALOCEAN.COM
[...TRIMMED...]
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434

$ host dpcstreet.com
dpcstreet.com has address 139.59.79.60
```

Based on the output, we can identify that:

  • The domain was only registered July 07 2022 (“Creation Date”), less than a year ago as of this writing. If a company offers a promo, it will partner with a reputable company, which most likely has had its domain registered for years.
  • When the Registrant information (Street, City, State, etc.) is searched on Google, the hits show that it is used by scammers.
  • The Registrant information also appears in one malware report by CISA. CISA is a cybersecurity government agency in the US: https://www.cisa.gov/sites/default/files/publications/MAR-10337802-1.v1.WHITE.pdf
  • The domain uses DigitalOcean name servers, suggesting the server is hosted on DigitalOcean (the IP information also confirms that 139.59.79.60 is a DigitalOcean IP).
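The registration checks above (domain age, name servers, privacy-shielded registrant, resolved address) are the kind of thing worth scripting once and rerunning on every suspicious promo domain. The following is an added example (my own code, not from the post) that parses the whois and host output as shown in the post, embedded as a constructed copy, and turns it into findings. The post date is used as the observation date; the 365-day “young domain” threshold and the list of privacy-service keywords are my assumptions.

```python
"""Triage of whois and host output for a promo domain (added example)."""
from datetime import date, datetime

# Constructed from the whois output in the post (trimmed lines omitted).
WHOIS_OUTPUT = """Domain Name: DPCSTREET.COM
Updated Date: 2023-02-12T06:43:02Z
Creation Date: 2022-07-29T19:18:27Z
Name Server: NS1.DIGITALOCEAN.COM
Name Server: NS2.DIGITALOCEAN.COM
Name Server: NS3.DIGITALOCEAN.COM
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant Country: IS
"""

# Constructed from the host output in the post.
HOST_OUTPUT = "dpcstreet.com has address 139.59.79.60\n"

# Date of the post, used as the observation date.
POST_DATE = date(2023, 3, 14)

# Words that mark a WHOIS privacy/proxy service rather than a real registrant
# (assumption: a short list is enough for this demonstration).
PRIVACY_MARKERS = ("privacy", "redacted", "withheld", "proxy")


def parse_whois(text):
    """Collect whois fields as lists, because keys such as Name Server repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; dates keep theirs
        if not sep:
            continue
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_host(text):
    """Return the IPv4 addresses printed by `host`."""
    return [line.split()[-1] for line in text.splitlines() if " has address " in line]


def domain_age_days(fields, as_of):
    """Days between the registry creation date and the observation date."""
    created = datetime.strptime(fields["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    return (as_of - created).days


def triage(whois_text, host_text, as_of, young_threshold_days=365):
    """Summarise the registration facts a reviewer would weigh for a promo site."""
    fields = parse_whois(whois_text)
    age = domain_age_days(fields, as_of)
    registrant = " ".join(
        v for k, vals in fields.items() if k.startswith("Registrant") for v in vals
    ).lower()
    privacy_proxy = any(m in registrant for m in PRIVACY_MARKERS)
    name_servers = [ns.lower() for ns in fields.get("Name Server", [])]
    # DNS provider inferred from the name server's registrable domain, e.g. digitalocean.com
    providers = sorted({".".join(ns.split(".")[-2:]) for ns in name_servers})
    findings = []
    if age < young_threshold_days:
        findings.append(f"domain registered only {age} days before observation")
    if privacy_proxy:
        findings.append("registrant identity hidden behind a privacy service")
    return {
        "domain": fields["Domain Name"][0].lower(),
        "age_days": age,
        "name_servers": name_servers,
        "dns_providers": providers,
        "privacy_proxy": privacy_proxy,
        "addresses": parse_host(host_text),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(WHOIS_OUTPUT, HOST_OUTPUT, POST_DATE).items():
        print(f"{key}: {value}")
```

A privacy-proxy registrant is not proof of anything on its own (many legitimate domains use one), which is why the script reports it as one finding among several rather than as a verdict; the age of the domain relative to the promo is the stronger signal.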

Visiting “dpcstreet[.]com” leads to the following page.

Landing page

It has 3 questions at the bottom of the page.

Questions in the landing page

During and after answering the questions, I observed the following:

  • All processing is done on the client side only; no data is submitted to the server as of now. This may indicate that it will be sent later on, or that this is just a scam.
  • The only request generated was to Facebook (possibly ad-related information), but nothing was sent to the domain “dpcstreet[.]com”.

Minimal HTTP requests generated while answering the questions

After the three questions are submitted, the page pretends to verify your answers.

Fake verification

You will then have 3 attempts to get a bag. Alright! Wish me luck!

Fake “verified” message

Clicking OK sends a POST request to Facebook[.]com. I removed most of the content of the POST request, but the request is most likely generated by clicking OK (note the cd[buttonText] field carrying the value “OK”).

```http
POST /tr/ HTTP/2
Host: www.facebook.com
[...TRIMMED...]

-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="id"

[...TRIMMED...]
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="rl"

https://l.facebook.com/
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="if"

false
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="ts"

1678770417953
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="cd[buttonFeatures]"

{"classList":"p_modal_button","destination":"","id":"p_modal_button1","imageUrl":"","innerText":"OK","numChildButtons":0,"tag":"div","type":null}
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="cd[buttonText]"

OK
-----------------------------305864878532440374502239556377
Content-Disposition: form-data; name="cd[formFeatures]"

[]
[...TRIMMED...]
```

Selecting gifts doesn’t generate any HTTP request. However, after joining numerous times, I observed that you will always win a bag on the 3rd attempt.

Gift selection

Here goes my first attempt…

First attempt

:( Here goes the second one!

Second attempt

On the third attempt, I won!

Congratulatory message

Nice. It will ask you to fill out a form and pay for the order to receive the bag. Clicking “OK” leads to multiple redirections, all pointing to the domain “servicetools[.]net”, where it asks for user information, such as:

  • First name
  • Last name
  • Address
  • Zip or Postcode
  • City
  • Phone Number
  • Email

Harvesting information from user

This is where scammers are able to harvest user information and potentially use it to send targeted scam messages. It may not happen very soon, but one of these days it will. They can also sell this information to other scammers.

Filled out information field

Clicking “Continue” generates a POST request to servicetools[.]net, with the following content:

```http
POST /l/CPmFzgix0ZRKXtZaQDzz/register?_luuid=59c[...TRIMMED...]39a HTTP/2
Host: servicetools.net
Origin: https://servicetools.net
Referer: https://servicetools.net/l/CPmFzgix0ZRKXtZaQDzz?offer_id=7089&s1=[...TRIMMED...]
[...TRIMMED...]

_token=[...TRIMMED...]&landing=150666&tracking=ho&aff_id=1157&req_id=10278705bd0eed1b167c607d1b1647&sub_id=&newsletter=on&product_name=%E2%82%B115+GIFT+CARD&product_image_path=%2Fstorage%2Ffd3ddcba-7c97-42eb-a7f4-94803b95e93b%2FGift-Card-mini-apple.jpg%3Fv%3D53beac7a7bf0bbedb6b16d9b2afe265b86674d39&product_color=One+color&product_size=One+size&first_name=test&last_name=test&line_1=test&zip_or_postcode=1234&city=Test&country_code=PH&intl-phone=%2B639191113244&phone=9191113244&email=test%40test.com&terms=on
```

It contains the information provided by the victim on the page. Broken out one parameter per line, the name, address, phone and email fields are the victim’s personal data:

```
newsletter=on&
product_name=%E2%82%B115+GIFT+CARD&
product_image_path=%2Fstorage%2Ffd3ddcba-7c97-42eb-a7f4-94803b95e93b%2FGift-Card-mini-apple.jpg%3Fv%3D53beac7a7bf0bbedb6b16d9b2afe265b86674d39&
product_color=One+color&
product_size=One+size&
first_name=test&
last_name=test&
line_1=test&
zip_or_postcode=1234&
city=Test&
country_code=PH&
intl-phone=%2B639191113244&
phone=9191113244&
email=test%40test.com&
terms=on
```
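The percent-encoded body above is hard to read as captured (the product name, for instance, is “₱15 GIFT CARD” once decoded). The following is an added example (my own code, not from the post) that decodes the form body, separates the victim’s personal data from the tracking parameters, and produces a redacted view suitable for a write-up. The body is a constructed copy of the one in the post, with the same test values the author submitted and a placeholder for the trimmed token; the classification of the parameter names into personal-data and tracking sets is my assumption based on their names.

```python
"""Audit of a form-encoded registration POST body (added example)."""
from urllib.parse import parse_qs

# Constructed from the request body in the post; the token is a placeholder.
CAPTURED_BODY = (
    "_token=PLACEHOLDER_TOKEN&landing=150666&tracking=ho&aff_id=1157"
    "&req_id=10278705bd0eed1b167c607d1b1647&sub_id=&newsletter=on"
    "&product_name=%E2%82%B115+GIFT+CARD"
    "&product_image_path=%2Fstorage%2Ffd3ddcba-7c97-42eb-a7f4-94803b95e93b"
    "%2FGift-Card-mini-apple.jpg%3Fv%3D53beac7a7bf0bbedb6b16d9b2afe265b86674d39"
    "&product_color=One+color&product_size=One+size"
    "&first_name=test&last_name=test&line_1=test&zip_or_postcode=1234&city=Test"
    "&country_code=PH&intl-phone=%2B639191113244&phone=9191113244"
    "&email=test%40test.com&terms=on"
)

# Assumed classification of the parameter names seen in the request.
PII_FIELDS = {
    "first_name", "last_name", "line_1", "zip_or_postcode", "city",
    "country_code", "intl-phone", "phone", "email",
}
TRACKING_FIELDS = {"_token", "landing", "tracking", "aff_id", "req_id", "sub_id"}


def decode_body(body):
    """Decode application/x-www-form-urlencoded: '+' becomes a space, %XX is unescaped."""
    # keep_blank_values keeps empty parameters such as sub_id= visible
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(fields):
    """Split decoded fields into personal data, tracking data, and everything else."""
    pii = {k: v for k, v in fields.items() if k in PII_FIELDS}
    tracking = {k: v for k, v in fields.items() if k in TRACKING_FIELDS}
    other = {k: v for k, v in fields.items() if k not in PII_FIELDS | TRACKING_FIELDS}
    return pii, tracking, other


def redact(value):
    """Mask a value for a write-up: keep first and last character and an email's domain."""
    local, at, domain = value.partition("@")
    if len(local) <= 2:
        masked = "*" * len(local)
    else:
        masked = local[0] + "*" * (len(local) - 2) + local[-1]
    return masked + at + domain


def audit(body):
    """Return the personal-data fields (redacted), the affiliate ids, and the offer."""
    pii, tracking, other = classify(decode_body(body))
    return {
        "pii_fields": sorted(pii),
        "pii_redacted": {k: redact(v) for k, v in pii.items()},
        "affiliate": {k: tracking[k] for k in ("aff_id", "req_id") if k in tracking},
        "offer": other.get("product_name"),
    }


if __name__ == "__main__":
    for key, value in audit(CAPTURED_BODY).items():
        print(f"{key}: {value}")
```

Decoding the body this way is also how you would confirm, from a proxy capture of a real victim’s session, exactly which fields left the browser, and the redacted view is what should go into any report so the capture itself never has to be shared.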

Then, a message is shown saying that the offer is currently unavailable.

Now the victim’s data is with the scammer, and the victim will not get his/her bag.

We have seen people in the FB comments mentioning they got their bags. How? I’ll leave it as an exercise for you to figure out why they are commenting that they got the bag.

Most accounts that commented have no likes or reactions on the posts on their profile page. They upload pictures, but even posts from 2021 don’t have any responses. It’s either:

  • They have no Facebook friends.
  • They are accounts made to support this scam campaign.

It’s not that difficult to put things together at this point.

Lastly, the Travel Pack 3 is $249, so ₱110 (around $2) is impossible. Check out their products here: https://www.aersf.com/

Takeaways

  • Just because there is a Facebook ad for something doesn’t mean it is LEGIT.
  • No business would give out items at that huge a discount (usually).
  • If it’s too good to be true, it is not true at all.
  • Think about it twice, thrice, or multiple times before you provide your information.

sif0

Penetration Tester | Aspiring Red Team Operator 🇵🇭