A sophisticated mobile-only scam network, ERIAKOS, has emerged, leveraging Facebook ads and brand impersonation to deceive users. It has been active since April 17, 2024, and employs over 600 fraudulent websites designed to harvest personal and financial data.
The exclusive use of mobile devices and ad-based distribution likely evades traditional security measures, highlighting the increasing sophistication of cybercrime and the need for advanced detection technologies to combat evolving threats.
A malicious actor or group launched the ERIAKOS scam campaign on April 17, 2024, deploying a network of 608 fraudulent e-commerce websites targeting Facebook users.
The campaign leverages Facebook ads featuring fake user testimonials and unrealistic discounts on popular products to lure victims into providing personal and financial information.
These fraudulent websites are exclusively accessible via mobile devices, making them likely to evade detection by security scanners. The campaign further employs social engineering tactics to build trust with victims, such as creating a sense of urgency through limited-time offers and personalized recommendations.
The ERIAKOS campaign, named after its CDN, leveraged brand impersonation and malvertising to steal financial and personal data via mobile-only scam sites. By exclusively using ad lures and targeting mobile devices, the threat actors circumvented automated detection systems, marking a novel tactic in this type of attack.
A sophisticated mobile-exclusive scam campaign leveraged Facebook ad lures to evade automated detection. By directing traffic exclusively to mobile devices, the threat actors minimized exposure to traditional scanning tools.
Access to the scam sites was gated on two conditions: arrival via the ad lure and the browser's user agent.
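A defender-side check for this kind of visitor gating, as an added example that is not part of the original article or Recorded Future's tooling: fetch the same URL under several visitor profiles (desktop, mobile, mobile arriving from an ad click) and compare what comes back. The header strings, the ad-click referrer host, the 2000-byte storefront threshold and the probe results are all constructed assumptions; in practice each `Probe` would be filled from a real fetch with the corresponding headers.

```python
"""Check a URL for visitor-profile gating (mobile-only / ad-referrer-only
storefronts).  Added illustration, not Recorded Future's tooling; the probe
results below are constructed rather than captured from a live site."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Header sets a scanner would send, one fetch per profile (assumed values).
PROFILES = {
    "desktop": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ..."},
    "mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) ..."},
    "mobile+ad_referrer": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) ...",
        # Placeholder: replace with the ad platform's click-redirect host.
        "Referer": "https://ad-click.example/",
    },
}
MIN_STOREFRONT_BYTES = 2000  # smaller bodies are treated as blank/placeholder pages (assumed)


@dataclass(frozen=True)
class Probe:
    profile: str    # key from PROFILES
    status: int     # HTTP status after following redirects
    final_url: str  # URL after following redirects
    body: str       # response body


def fingerprint(body: str) -> str:
    """Short stable hash so an analyst can see which profiles got the same page."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def classify_gating(requested_url: str, probes: list[Probe]) -> dict:
    """Decide which visitor profiles were shown a storefront.

    A profile counts as 'served' when it got HTTP 200, stayed on the probed
    host and received a body of at least MIN_STOREFRONT_BYTES.  Redirects
    off-host, errors and near-empty bodies count as 'withheld'.
    """
    host = urlsplit(requested_url).hostname
    served, withheld, prints = [], [], {}
    for p in probes:
        stays_on_host = urlsplit(p.final_url).hostname == host
        ok = p.status == 200 and stays_on_host and len(p.body) >= MIN_STOREFRONT_BYTES
        (served if ok else withheld).append(p.profile)
        prints[p.profile] = fingerprint(p.body)
    if served and withheld:
        verdict = "gated"        # content depends on who is asking: cloaking
    elif served:
        verdict = "open"
    else:
        verdict = "unreachable"
    return {"verdict": verdict, "served_to": sorted(served),
            "withheld_from": sorted(withheld), "fingerprints": prints}


def constructed_probes() -> list[Probe]:
    """Results a mobile-only, ad-gated site would plausibly return (constructed)."""
    storefront = "<html><body>" + "<div class='product'>Deal</div>" * 120 + "</body></html>"
    return [
        # Desktop visitor: the site answers but with an empty shell.
        Probe("desktop", 200, "https://shop-deals.example/", "<html></html>"),
        # Mobile visitor without the ad referrer: bounced to an unrelated host.
        Probe("mobile", 200, "https://unrelated.example/", ""),
        # Mobile visitor arriving from the ad: the real storefront.
        Probe("mobile+ad_referrer", 200, "https://shop-deals.example/", storefront),
    ]


def run_example() -> dict:
    return classify_gating("https://shop-deals.example/", constructed_probes())


if __name__ == "__main__":
    print(run_example())
```

A verdict of `gated` on a newly advertised storefront domain is the signal a URL scanner should surface; a crawler that only ever fetches as a desktop browser would classify the same site as a blank page.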
The fraudsters processed stolen funds through merchant accounts linked to the scam sites, utilizing both major card networks and Chinese payment service providers, thereby complicating fraud investigations.
Recorded Future identifies suspicious merchant accounts linked to financial fraud, including chargebacks and unrecoverable losses. Impersonated businesses face reputational damage among defrauded victims.
The recommended mitigations are to blacklist the identified merchant accounts and to implement transaction monitoring for fraud indicators: patterns of suspicious activity such as high-value transactions, unusual purchase volumes, and transactions from multiple devices or IP addresses.
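The three indicators named above, turned into a rule-based monitor as an added example (not an acquirer's real rule set and not from the original article). Transactions, merchant and card identifiers, and the thresholds are all constructed assumptions; a real deployment would take thresholds from the merchant's own baseline and feed the output to an analyst rather than auto-blocking.

```python
"""Rule-based transaction monitoring for: high-value transactions, unusual
purchase volume, and one card used from several devices/IPs, plus a merchant
blacklist gate.  Added example; data and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    merchant_id: str
    card_token: str   # tokenised card reference, never the raw PAN
    amount: float
    ts: datetime
    device_id: str
    ip: str


# Thresholds are assumptions for the example.
THRESHOLDS = {
    "high_value": 500.0,               # single transaction amount
    "window": timedelta(hours=1),      # look-back per card
    "max_txns_per_window": 5,
    "max_endpoints_per_window": 3,     # distinct (device, ip) pairs per card
}


def flag_transactions(txns, thresholds=THRESHOLDS):
    """Return {txn_id: set(reasons)} for every transaction that trips a rule."""
    flags = defaultdict(set)
    recent = defaultdict(list)         # card_token -> transactions inside the window
    for t in sorted(txns, key=lambda x: x.ts):
        if t.amount >= thresholds["high_value"]:
            flags[t.txn_id].add("high_value")
        window = [u for u in recent[t.card_token] if t.ts - u.ts <= thresholds["window"]]
        window.append(t)
        recent[t.card_token] = window
        if len(window) > thresholds["max_txns_per_window"]:
            flags[t.txn_id].add("unusual_volume")
        if len({(u.device_id, u.ip) for u in window}) > thresholds["max_endpoints_per_window"]:
            flags[t.txn_id].add("multi_endpoint")
    return dict(flags)


def merchant_summary(txns, flags):
    """Per merchant account: total transactions, flagged count and flagged share."""
    total, flagged = defaultdict(int), defaultdict(int)
    for t in txns:
        total[t.merchant_id] += 1
        if t.txn_id in flags:
            flagged[t.merchant_id] += 1
    return {m: {"total": total[m], "flagged": flagged[m], "share": flagged[m] / total[m]}
            for m in total}


def merchants_to_review(summary, min_flagged=2, min_share=0.25):
    """Merchant accounts worth an analyst's look before any blacklisting decision."""
    return sorted(m for m, s in summary.items()
                  if s["flagged"] >= min_flagged and s["share"] >= min_share)


def is_blocked(t: Txn, blacklist: set) -> bool:
    """Blacklist gate to run before authorisation."""
    return t.merchant_id in blacklist


def constructed_transactions():
    """Constructed sample: one card hammering a suspect merchant, one normal card."""
    base = datetime(2024, 5, 1, 12, 0)
    at = lambda minutes: base + timedelta(minutes=minutes)
    suspect, normal = "MID-CONSTRUCTED-01", "MID-CONSTRUCTED-02"
    return [
        Txn("t1", suspect, "tok_A", 120.0, at(0), "dev1", "198.51.100.1"),
        Txn("t2", suspect, "tok_A", 95.0, at(5), "dev1", "198.51.100.1"),
        Txn("t3", suspect, "tok_A", 80.0, at(10), "dev2", "198.51.100.2"),
        Txn("t4", suspect, "tok_A", 60.0, at(15), "dev3", "198.51.100.3"),
        Txn("t5", suspect, "tok_A", 45.0, at(20), "dev4", "198.51.100.4"),
        Txn("t6", suspect, "tok_A", 750.0, at(25), "dev4", "198.51.100.4"),
        Txn("t7", normal, "tok_B", 30.0, at(30), "dev9", "203.0.113.9"),
        Txn("t8", normal, "tok_B", 25.0, at(60), "dev9", "203.0.113.9"),
    ]


def run_example():
    txns = constructed_transactions()
    flags = flag_transactions(txns)
    review = merchants_to_review(merchant_summary(txns, flags))
    return flags, review


if __name__ == "__main__":
    flags, review = run_example()
    for txn_id, reasons in flags.items():
        print(txn_id, sorted(reasons))
    print("review:", review)
```

The per-card sliding window is what makes the "multiple devices or IP addresses" indicator meaningful: a card seen from four device/IP pairs within an hour is a stronger signal than the same spread over a month.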
Recorded Future linked 608 domains to the ERIAKOS campaign through analysis of the content delivery network, domain registrar, IP address, and domain misconfigurations.
Leveraging merchant account data, the full scam network was mapped, while the use of Chinese payment service providers complicated detection and takedown efforts.
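The pivoting idea behind the two paragraphs above, as an added example that is not Recorded Future's method or data: start from one known scam domain and pull in others that share infrastructure attributes (CDN, registrar, hosting IP, a misconfiguration fingerprint, merchant account). The weights, the link threshold and the records are constructed assumptions; the domains use the reserved `.example` name and the IPs come from documentation ranges.

```python
"""Expand from one known scam domain to the wider network by pivoting on shared
infrastructure attributes.  Added example of the pivoting idea, not Recorded
Future's method or data; all records are constructed."""
from collections import deque

# Weights are assumptions: a shared CDN or registrar is weak evidence (millions
# of legitimate sites share them); a shared IP, a matching misconfiguration or
# the same merchant account is much stronger.
WEIGHTS = {"cdn": 1, "registrar": 1, "ip": 2, "misconfig": 3, "merchant_id": 3}
LINK_THRESHOLD = 3  # minimum summed weight before two domains are linked


def link_score(a: dict, b: dict):
    """Summed weight of the attributes two records share (missing values never match)."""
    shared = {k for k in WEIGHTS if a.get(k) and a.get(k) == b.get(k)}
    return sum(WEIGHTS[k] for k in shared), shared


def expand_cluster(seed: str, records: list, threshold: int = LINK_THRESHOLD) -> dict:
    """Breadth-first pivot from seed; returns {domain: (linked_via, score, shared)}."""
    by_domain = {r["domain"]: r for r in records}
    cluster = {seed: (None, 0, set())}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for r in records:
            d = r["domain"]
            if d in cluster:
                continue
            score, shared = link_score(by_domain[cur], r)
            if score >= threshold:
                cluster[d] = (cur, score, shared)
                queue.append(d)   # newly linked domains become pivots themselves
    return cluster


def constructed_records():
    """Constructed enrichment records: three linked scam fronts and one bystander."""
    return [
        {"domain": "deal-outlet.example", "cdn": "cdn-A", "registrar": "reg-X",
         "ip": "198.51.100.10", "misconfig": "fp-7c1", "merchant_id": "mid-001"},
        {"domain": "brand-sale.example", "cdn": "cdn-A", "registrar": "reg-X",
         "ip": "198.51.100.11", "misconfig": "fp-7c1", "merchant_id": "mid-002"},
        {"domain": "flash-shop.example", "cdn": "cdn-A", "registrar": "reg-Y",
         "ip": "198.51.100.11", "misconfig": "fp-9a0", "merchant_id": "mid-002"},
        # Shares only the (common) CDN and registrar with the seed: must not be linked.
        {"domain": "legit-store.example", "cdn": "cdn-A", "registrar": "reg-X",
         "ip": "203.0.113.5", "misconfig": None, "merchant_id": "mid-900"},
    ]


def run_example() -> dict:
    return expand_cluster("deal-outlet.example", constructed_records())


if __name__ == "__main__":
    for domain, (via, score, shared) in run_example().items():
        print(f"{domain:22} via={via} score={score} shared={sorted(shared)}")
```

The weighting is the practitioner's caveat: linking on registrar or CDN alone would sweep in legitimate sites, while a shared merchant account or an identical misconfiguration is the kind of overlap that justifies a takedown request.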
The ERIAKOS campaign's evasion of detection through advanced visitor-screening techniques foreshadows a potential shift in the threat landscape.
If such methods proliferate, they will undermine the efficacy of existing detection technologies, extending scam lifecycles and amplifying victim exposure. This makes the development of robust countermeasures against the evolving tactics of malicious actors a necessity.