
I lost €4k in a Facebook scam - babuskov
https://github.com/Niek/Niek/blob/master/facebook-scam/README.md
======
danielhua
As someone who's fairly involved with the e-commerce/digital marketing space,
let me just say I'm amazed by how brazenly _nasty_ this scam is.

The TikTok promotional program is actually a real thing that does give around
that amount of ad credit, and they have been promoting it very aggressively on
Facebook for a long while now, so it makes sense that OP wouldn't have had
any mental red flags triggered by the designs and creatives used by the
scammers. The real killer is that PayPal is actually well within their rights
to process this transaction (as part of the billing agreement generated when
you link PayPal to Facebook Ads Manager: there actually was real ad spend in a
real Facebook ad auction), so it's down to Facebook itself to refund the ad
spend. (As an aside, I'm actually impressed that OP managed to reach Facebook
support at all, and that they acknowledged or even understood what the problem
was. I have had worse experiences in the past with FB...) What's really
amazing to me is that the scammers managed to get on Google Play with
thousands of obviously fake reviews, and get through Facebook ad review at
all.

The scammer silently removing OP as an admin from their own ad account,
preventing them from noticing or stopping the fraudulent ad campaign is just
icing.

I suppose the real lesson to be learned is to simply avoid installing native
applications when you can help it. OP didn't screenshot the login screen in
the app, so I can only assume it was a real Facebook OAuth flow, but honestly at
that point it's already too late. If anything, OP should be grateful that the
native app running on what was presumably his personal device didn't do
anything worse.

~~~
beefield
> I suppose the real lesson to be learned is to

...never, ever buy or even take anything from anyone who approaches you
without you being the original initiator of the communication. Simple rule
that applies to both online and real world and makes your life simpler and
safer.

~~~
stallmanite
This is my strategy as well. If I want something I initiate a search. Incoming
sales attempts do not exist in my universe.

~~~
forgotmypw17
Be careful which search result you click:

[https://wp.josh.com/2019/05/06/breaking-news-google-adwords-...](https://wp.josh.com/2019/05/06/breaking-news-google-adwords-exploit-seen-in-the-wild-yikes/)

~~~
coronadisaster
If you want to see where Google search results really point to, you can right
click it and then hover over it to get the real destination... it's been like
this for 15+ years (google changes the destination on-click).

~~~
forgotmypw17
Thanks, I'll be sure to explain this to all my friends and family, right after
I teach them what onclick, "real destination", "hover", etc. mean.

~~~
coronadisaster
I think that it is pretty screwed up that browsers allow this "feature"...

------
muststopmyths
> Sure, the developer name "Develop App" sounds strange and should I have
> looked better, the developgameonline@gmail.com developer email and
> com.acazira.tforbusiness package name would have definitely raised some
> concerns.

Come on, dude.

I will say that even the most experienced techies among us sometimes become
complacent and let our guard down. It's exhausting having to constantly
second-guess every application you want to run.

(Not interested in starting another platform flame war, but this is the main
reason I don't use Android. I deal with enough paranoia running Windows daily.
Maybe I'm misinformed, but I'm also probably not unique in this respect)

I'm curious if this fake TikTok app would probably have been blocked at the
outset in the Apple App Store review process because it's trying to masquerade
as another business?

~~~
mrtksn
> I'm curious if this fake TikTok app would probably have been blocked at the
> outset in the Apple App Store review process because it's trying to masquerade
> as another business?

I bet that it is possible to slip through the review process; however, there's
also a safeguard on the developer account creation. Apple wouldn't let you
create a developer account using vouchers, PayPal or prepaid cards, at least
not from countries where scams are commonplace. Also you would be asked to
provide documentation of company registration to have an account named
“Develop App”.

It is a common theme on HN to trash Apple on its "draconian restrictions" but
the reality is that Apple AppStore is a safe place to be. You don't have to
study the App before downloading it, you first download then decide if you
want to keep it and security is never a concern. The Apple tax is something I
am happy to pay for that luxury.

I am a developer and I have no idea what com.acazira.tforbusiness means. What
keeps it from being com.toktik.forbusiness?

On the App Store this is something that you type by yourself on the project
configuration screen in Xcode, and I don't remember reading any restrictions
about it, only a recommendation to use reverse domain name notation to prevent
conflicts.

~~~
saagarjha
> I don't remember reading any restrictions about it

You can never change it. This is how you get com.toyopagroup.picaboo
(Snapchat) or com.yourcompany.TestWithCustomTabs (AccuWeather).

~~~
jonplackett
Haha, this possibly explains why the accuweather app is not the best made app
ever.

------
toxicFork
> Initiated a PayPal chargeback process - PayPal responded: "we’ve determined
> there was no unauthorized use"

Just wanted to highlight this. Things like this are why I avoid PayPal as much
as possible. For many years now.

~~~
dilly_li
In my limited experience with PayPal and scam-like charges, PayPal never
approves my request.

On the other hand, all my credit card companies, Citi/Chase/etc., approved my
similar requests after a review process.

~~~
mcv
I thought PayPal had a reputation for pro-actively blocking payments for
really bad reasons, and now they won't block payment when it's a clear case of
fraud?

Why does anyone still use PayPal?

~~~
willcipriano
> Why does anyone still use PayPal?

Paypal.com -> Subscriptions -> Unsubscribe

PayPal makes it two or three clicks to unsubscribe from any recurring payment. No
dark patterns or "call us" required. I use it whenever I can for subscription
services.

~~~
mcv
If it's that easy, why are there still so many people using PayPal?

By the way, I did this ages ago, deleted my account, closed what I could, and
I still regularly get a mail from PayPal that they changed their terms.

~~~
willcipriano
I'm talking about payments to third parties. When you use PayPal to subscribe
to a service you can easily unsubscribe where sometimes services make it
difficult to do so otherwise.

For example the New York Times forces you to call and speak to a retention
specialist if you want to cancel and you paid by credit card. With PayPal it's
3 clicks.

------
phoe-krk
> The scammer used my Facebook auth token to remove me from the Facebook
> Business entity. Strangely enough this is possible without getting any
> emails from Facebook. I had no way to check my Business entity or Ad account
> on Facebook to see what's going on.

This is an error on the Facebook side. Actions like this should never be
possible without appropriate confirmation or re-requesting the password for
2FA confirmation.

~~~
marcinzm
I can sort of see why this is allowed.

* Employee starts a Facebook business page using their personal Facebook account.

* They add their boss to it.

* Employee is fired.

* Boss removed employee from Facebook business page.

edit: Should still send a notification email but I'm guessing angry "why did
you remove me from X" reactions are why they don't. Not good but there's a
logic behind it.

~~~
envy2
Sure, but then [employee]'s payment methods should be removed along with them.
If they were using the company / boss's card or PayPal, then surely the
company / boss should be able to add it back again without too much undue
trouble.

~~~
marcinzm
Sure, although I'd guess having all your advertising campaigns paused (as
there's no billing info anymore) would annoy many people, especially if they
didn't notice or weren't aware it happened. It may in aggregate be cheaper for
Facebook to just eat the cost of refunding these things versus providing more
friction to their users.

------
tobyhinloopen
I think the trick here was to prompt the user with a fake oauth screen. Many
legit apps show the oauth screen using a web frame inside that app. It is
absolutely stupid that it is still a common occurrence.

If you need to enter your credentials when using sign-in-using-xxx, be VERY
cautious. Even if you have 2FA enabled, the fake oauth screen can just ask you
for the 2FA code. You have no way of knowing whether the login page is
keylogged or hijacked.

~~~
JangoSteve
This was pretty much an exact question I had about OAuth 10 months ago:

Something I still don't understand about the OAuth flow is how it's _not_
training users to be more easily phished for actual usernames and passwords.
The very first step is "If you are not logged into the third-party, display a
login-form from the third-party."

The thing is, you never really know off-hand if you're logged into the third-
party (provider) or not without opening a second tab and going directly to the
third-party's site, since you're always getting logged out after various
timeouts, cookie-clearing, browser-closing, and computer-restarting events.

What prevents an OAuth client application from displaying an OAuth process
that shows a fake login form, which looks identical to the provider's login
form, to get the user to enter their provider username and password before
they realize the URL is off? It seems like it trains users that it's normal
for websites to launch a Gmail login form and this is perfectly safe.

[https://news.ycombinator.com/item?id=21357370](https://news.ycombinator.com/item?id=21357370)

~~~
donmcronald
I think you're right. Users are being trained to enter their passwords and 2FA
tokens everywhere with the false promise that 2FA makes it secure. Even U2F
using a signed challenge seems iffy to me.

This [1] says "In fact, the spec requires that browsers only expose the API in
secure contexts", so if that's correct it's better, but still not good enough.

This [2] looks like it does U2F by grabbing the challenges via browser plugin
and relaying them to a phone app for signing.

Trusting the browser to "expose the API in secure contexts" seems like a
failure because it's assuming nothing else can collect the credentials or send
a challenge to a security key. Is that true? Could I write an app that would
phish a user into signing a challenge with their security key?

1. [https://security.stackexchange.com/a/206549/134291](https://security.stackexchange.com/a/206549/134291)

2. [https://krypt.co](https://krypt.co)

~~~
tialaramex
> Could I write an app that would phish a user into signing a challenge with
> their security key?

What sort of app? A full-blown Windows / OS X / Linux desktop application? Yes.

You definitely should not install software that asks you to interact with your
FIDO authenticator in this way unless you _really_ trust it. I trust the
Operating System vendor installed OpenSSH packages, I would not trust some
random github project.

The two big phone ecosystems won't let you talk directly to a third party
authenticator or to their built-in platform authenticator. The authenticator
talks to them, and they talk to you. So while it _would_ be possible to make a
Windows EXE program that says "Touch authenticator to stroke your 3D pet" or
whatever and actually steals your Facebook login credential this way, it
should _not_ be possible to put something on Google Play or Apple's iPhone
store that does the same thing.

Edited to add: For Android at least there is a concept of "Privileged" apps
that get to do stuff that is otherwise impossible to ask a user for permission
to do. The ability to fill out WebAuthn-style rpId values (for WebAuthn these
are Internet FQDNs) is locked behind such a privilege. So, Chrome has
privilege, release builds of Firefox have privilege, and so on, but yet
another fly-by-night app developer who uploads Flappy Bird clones to the Play
Store can't use this feature.

Without this privilege when you talk to the authenticator (either a platform
authenticator or a 3rd party one) the OS will insist on picking an rpId with a
platform specific prefix. So e.g. maybe your app can ask for rpId
android-584fac03:google.com but there's no way (without privilege) to get just
google.com, which is a problem because that's the value you'd need in order to
get working Google credentials.

If you want your app to talk to your own web site, you can build a bunch of
extra goops (in Android at least) to enable that, but part of what will happen
is your web site's backend code needs to explicitly go "OK, I should allow
android-584fac03:my-private-app even though that's nowhere close to my actual
FQDN" so that seems safe enough.
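
The rpId binding described above, plus the backend's explicit decision about which origins it accepts, comes down to two checks on the relying-party side. The following is an added example (not code from the thread or from any product): it builds constructed clientDataJSON and authenticator-data structures and shows the server rejecting an assertion whose origin is not on its allowlist, or whose rpIdHash was produced for a different relying party id. `example.com`, the allowlist entries, the `android-584fac03:` style ids and the challenge are placeholders; signature verification is left out.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (placeholders, not from the thread).
RP_ID = "example.com"                       # assumed relying-party id
ALLOWED_ORIGINS = frozenset({
    "https://example.com",                  # the normal web origin
    # Hypothetical app-specific origin the backend allows on purpose: the
    # "OK, I should allow android-584fac03:my-private-app" step from the comment.
    "android-584fac03:my-private-app",
})
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(challenge: bytes, origin: str, typ: str = "webauthn.get") -> bytes:
    """What the client (browser or OS) hands to the authenticator for hashing."""
    return json.dumps({"type": typ, "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, counter: int = 1, flags: int = FLAG_USER_PRESENT) -> bytes:
    """Authenticator data: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    The authenticator computes rpIdHash from whatever rpId the OS gave it."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party binding checks; returns (ok, reason).

    The signature check over authData || sha256(clientDataJSON) is omitted here
    and would only run after these checks pass."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    # A phishing page on another domain never appears in this set.
    if cd.get("origin") not in allowed_origins:
        return False, f"origin not allowed: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    # An unprivileged app is forced onto a prefixed rpId, so its rpIdHash can
    # never equal sha256("example.com") even if it forges the JSON above.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying party id"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    ch = b"\x11" * 32                       # constructed server challenge
    print("browser:", verify_assertion(build_client_data(ch, "https://example.com"),
                                       build_auth_data("example.com"), ch))
    print("lookalike site:", verify_assertion(
        build_client_data(ch, "https://example-login.net"),
        build_auth_data("example-login.net"), ch))
    print("unprivileged app, forged origin:", verify_assertion(
        build_client_data(ch, "https://example.com"),
        build_auth_data("android-584fac03:evil-app"), ch))
```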

------
londons_explore
Your mistake is using "Log in with Facebook" on a mobile device.

Since neither iOS nor Android have any kind of trusted UI, there is no way you
can be sure if you are logging into Facebook on an app, or just giving that
app your credentials for them to do as they please.

Until iOS or Android get trusted UI for these use cases, I suggest using
browsers on Windows/Mac/Linux where you can see in the address bar which
company you are giving credentials to, and it can't as easily be faked.

If you must use a mobile device to log into Facebook via a third party app, I
suggest using a new Facebook account each time.

~~~
xaitv
> If you must use a mobile device to log into Facebook via a third party app,
> I suggest using a new Facebook account each time.

I might be wrong about this as I've not used Facebook for many years now, but
doesn't Facebook require a phone number for new accounts nowadays, and
require you to use your real name as well?

~~~
wolco
No I have an older relative who creates a new account every other week for
whatever reason.

Think of how many accounts are created for gaming reasons. Some games require
friends taking action to progress. Some allow friends to send prizes like
lives/money/resources.

~~~
Sohcahtoa82
> No I have an older relative who creates a new account every other week for
> whatever reason.

Could be like my grandma who would occasionally manually log out of the app,
but then the next time she loaded the app, rather than actually logging in
again, she'd create a new account because that's what she did the first time
she loaded the app and thought she had to do that every time.

------
nojvek
There's many things that stand out

1) Google Playstore allowing someone to impede on the TikTok brand.

2) The app getting 10k+ fake reviews. At this point can you trust the review
system if it can be so easily manipulated?

3) "Strangely enough this is possible without getting any emails from
Facebook." Facebook security is weak here. You shouldn't be able to change
ownership without explicit 2fa verification. oauth tokens can be easily
phished. password + 2fa device is much much harder.

In general the trend I see is that Facebook and Google are driven to making ad
purchasing as frictionless as possible. Having scammers, click-farms, fake
reviews on their platform is good for them, it helps them make more money.
They'll happily tradeoff human oversight/support and security for automated
algorithms that optimize $$$ growth.

Apple AppStore is polarizing. Some feel it has too much control, but on the
other hand I find a lot less scammy apps in Apple AppStore than Google
Playstore.

------
disillusioned
I lost $2k in a Facebook scam that I'm really not proud of. A company spoofed
BitMain's FB page and ran ads for their newest AntMiner models saying they had
a batch that was ready to ship in limited supply. The BitMain FB account
looked legit. The website itself obviously had an SSL cert (and was a pixel
for pixel clone of their real site, except the product was in stock), but what
I didn't notice was the microscopically small presence of a dot over one of
the characters. It was an IDN homograph attack, and looking at the website and
not noticing the unicode character, everything else looked right.

The fact that they took BTC as payment didn't raise any red flags either,
because, you know, BitMain does.

I'm mostly infuriated at Facebook for not validating the company name or doing
anything resembling protecting their audience. I lent them too much
credibility because it looked like they were ads from the real company's page,
and so I let down my guard elsewhere.

I've never otherwise been hacked or scammed, and I know allllll of the basics
to look out for, but this one still infuriates me for making a fool of myself.

~~~
tha0x4
And this is why BitCoin will never fully take off.

If you made this transaction with your credit card, you could call up your
bank two weeks later and get your $2k back that day.

BitCoin? Kiss that virtual fool's gold goodbye.

~~~
reportgunner
BIT-Coin is not a replacement for credit card so it's like comparing apples to
oranges.

Think of it more like cash. If you give someone 2k in cash nobody is going to
find that person and refund you.

~~~
tha0x5
> BIT-Coin is not a replacement for credit card so it's like comparing apples
> to oranges.

Except it's being used almost exactly like credit cards, so it is an apples to
apples comparison.

> Think of it more like cash. If you give someone 2k in cash nobody is going to
> find that person and refund you.

Wrong. Tons of cash and debit card transactions can be undone, and banks can
and will give you money back from fraudulent transactions.

------
marcinzm
Facebook ads seem to be an ocean of scams. If I click the comments of half the
ads I see there's nothing but complaints about products not shipping, fake
closeout sales, cloning another store and then not shipping, etc, etc. I'm
guessing they delete the bad comments so you can only imagine how many people
must be upset to not be able to handle the flood of bad comments. At this
point I just assume any Facebook ad is a scam of some kind.

~~~
behringer
I reported one such scam business and it's still operating months later. Best
to just block all facebook ads and ignore any that slip through.

~~~
moneywoes
I have uBlock Origin and still get Facebook ads, any idea?

~~~
behringer
F.B. Purity should do the trick.

------
dvcrn
Most ads I see these days on Instagram are scam. They usually lead to sites
that have been built with a quick template and always offer 50-80% discount on
little things I want, for example lamps.

They all offer PayPal so I took the bait once. The scam was clever: they ship
something that isn’t what you ordered. Like a jump rope for $1 instead of the
$30 lamp (discounted from $200) or drone. To get a 60% refund, you have to
send it back at your own cost.

Now it gets more tricky: the parcel might not even be delivered to your
address. Mine never arrived but got delivered to a zip code close to mine, but
not mine. There are lots of reports of people that receive things without
ordering anything and people who never get their stuff. There is also no
guarantee what you ship back arrives back at them. If it doesn’t, the company
doesn’t refund anything.

I quickly realized this is an obvious scam and asked them to cancel, and
opened a PayPal claim before anything got shipped. The company said they are
processing my refund and it will take 3 days for my money to be back (which is
not how PayPal works). Guess what? In the 3 days, they just shipped something
which threw the PayPal claim off because now they have to wait until the
shipment arrives and gets sent back (info from PayPal CS).

It’s been over a month and I am still trying to get my money from PayPal back.
It’s difficult because I haven’t received anything but the shipping number
says it arrived. The site no longer exists and the email I previously used to
reach out is gone too.

It’s crazy to me that PayPal enables all of these scammers. They clearly know
how to play PayPal to get around the buyer protection.

These days I can’t trust any ads because of this unless I do a lot of research
on the site. It’s very likely all scam. I saw similar sites on google shopping
(the price comparison product), so it’s not just Facebook.

~~~
wishinghand
I've had a similar experience: something sold for a deep discount (MIDI
controller), received something else entirely (cheap Bluetooth speaker), and
was told to keep it instead of sending it back and sell it to recoup my costs
while they refund 15%. I recognized it as a scam at that point and saw that
the email I paid to was different than their support, and when I replied
asking for 100% it was yet another email.

Luckily for me, taking it up with PayPal got me my 100% refund, but I was
nervous while they went through the motions of asking the seller to settle up
with me, which I had to approve or reject, and then PayPal would review
further. Screenshots of everything, showing the weird random email addresses,
and the fact that their website didn't exist anymore landed in my favor.

~~~
dvcrn
I am confident that I will get my money back too, it will just take some time.
PayPal even called me on my phone to ask details about the case, so it's
definitely in progress.

But there is a thread on the PayPal forums and a lot of people don't have the
luck I have - [https://www.paypal-community.com/t5/Disputes-and-Limitations...](https://www.paypal-community.com/t5/Disputes-and-Limitations/eleenonlinetrade/td-p/2284897)

It's hard to believe that this seller is able to play PayPal like this though.
There must be dozens over dozens of claims against the same vendor at this
point.

------
fabbari
It seems odd that the Facebook authentication token would allow that kind of
access - admin on the business pages - by default. Were you asked for
particular permissions? Or did they fake the Facebook login completely?

~~~
jlund-molfese
I'm assuming the app impersonated a real login with Facebook prompt. When I
use a real Facebook login in another app, it tells me which permission I want
to grant to another site, and lets me edit them.

But I wouldn't think twice if I was asked to enter my credentials (which
happens if you don't have the Facebook app installed) and didn't receive that
permissions prompt.

------
tinus_hn
The moral of the story: if you use your Facebook account for anything
concerning money, do not enter its credentials into any app or site that asks
for it.

~~~
coldcode
Or don't use Facebook at all for anything. Facebook makes money off of selling
real people's information to anyone who pays; if some of them are fake, or the
purchaser is fake, it's still money to Facebook. If the Facebook data customer
is getting ripped off, what incentive does Facebook have to police the
situation as long as they still get their cut?

~~~
tinus_hn
You can’t stop Facebook from collecting information about you by just not
having an account.

------
zenexer
Perhaps the most interesting part is the final line of the document:

> Initiated a PayPal chargeback process - PayPal responded: "we’ve determined
> there was no unauthorized use"

While I get the impression that the user had authorized Facebook to charge via
PayPal in the past, I find this conclusion rather silly. If I give my credit
card number to Amazon, and someone hacks my Amazon account and starts making
random purchases, chances are I'd have no trouble filing a chargeback.

~~~
donmcronald
Yep. Authentication is being used as an excuse to blame the user. It's because
Facebook's a big company. If it was a small website where a user got phished
PayPal would have charged it back IMO.

------
fokinsean
The app reviews are your first dead giveaway:

> Tik Tok ads business is best application. It's very awesome application.

And every other review is similar

------
sjroot
As someone who also takes all the right account security precautions, I too
have been fooled by a scam Facebook ad. It seems like this is an increasingly
common attack vector that FB needs to address.

Specifically, I think it would help for them to verify ads, as they do people
/ pages.

~~~
Avamander
Yet another scenario where we're collectively being bitten in the ass because
most of the world is still lacking a proper digital identity system.

If you're thinking that sending pictures of identity documents or bills is
going to fix it, no: it's clown-tier identity verification and will just
postpone the issue a tiny bit with massive human resource cost and false
negatives.

~~~
donmcronald
> it's clown-tier identity verification

I remember learning this when I got my first code signing certificate. I had
to jump through a TON of hoops including sending notarized copies of my ID to
Comodo. After all that, they asked ME to send them a list of notaries for my
jurisdiction. They also wanted a direct line to call the notary I used which
is basically impossible to provide.

The verification is outsourced to the cheapest English-speaking 3rd world
country they can find and there's ZERO localized knowledge. I don't think you
could build a system that's worse if you tried. The whole thing is just a
process of checking boxes, which is very similar to most of the 2FA systems in
existence.

------
jrockway
I read things like this and keep thinking about the "web of trust" from the
90s. There is no way to visit some random app store, or read an email or
website, and trust that it's actually officially what it says it is. The
author of this article relies on some heuristics: good spelling,
reasonable-sounding developer email, reasonable Java package name, etc., but
these things can go either way. It is possible for a scammer to be good at
spelling, and it is possible for a big company to contract out some app they
don't care about to the lowest bidder and be perfectly running their ads
program through the "FooCorp Develop App; ru.definitelynotascam.dumbcodename".
It has historically been an okay data point, but in the future scammers are
going to be good at English -- it's only a matter of time.

Where I'm going with this is that there needs to be some sort of mandatory
linkage between something you trust and this random app you see on the app
store. You trust Google. You trust TikTok. So why doesn't Google generate some
sort of code that TikTok can stick in their DNS (or website) to create a
linkage? By default, an app on the store could say "not trusted by any
company", but then TikTok could add that record on their website and it would
say "Trusted by TikTok" or something.

There are some problems with this, of course. Anyone could claim any app, and
then you'd see incorrect information. DNS and web servers can be hacked, TLS
roots of trust aren't trustworthy, etc. But there has to be some way to create
this linkage safely, so that people aren't misled again and again and again in
the same way.

~~~
GoblinSlayer
Just go to tiktok site and download whatever you want there. But if you go to
app store, you can barely tell what is what in this grey faceless pile of
garbage.

------
jacquesm
Red flag missed: all reviews are of the same date. (Sept. 1st).

------
jariel
Can someone explain what happened here?

1) His FB credentials were hacked?

2) All to force 'spend' on some odd Vietnamese ad? How does that benefit the
scammer?

3) If the money went to FB for clearly scummy purposes, how on earth does FB
not simply refund the ad spend? There's no cost of goods sold here for them;
usually they should be pretty easy on giving you the money - or at the very
least giving you credits?

~~~
alphager
1) Yes, they either outright stole the credentials or stole an OAuth token.

2) The scammer either actually has a Vietnamese metallurgy business or (more
likely) sold ad space on Facebook to a Vietnamese metallurgy business.

3) Yes.

------
dmix
The misspelling of Voucher as Vocher on the big FB call to action (to connect
your business FB account) was the biggest red flag to me.

------
noisy_boy
Not sure if Facebook allows some sort of max-spend cap that can only be
increased with 2FA together with an alert from the Facebook app itself. That
should at least alert someone in the sense of "why am I getting a
confirmation message to debit for a voucher credit", and in the worst-case
scenario, even if they don't realize it, it should limit the damage.

------
WrtCdEvrydy
> the scammer used my Facebook auth token to remove me from the Facebook
> Business entity

If you are able to use the account to purchase something in my name, I would
expect the security to at least include a 2FA prompt. I'm not really big into
the Facebook ecosystem but this sounds terrible.

------
gm
I was scammed through PayPal, PayPal did the same thing to me, basically gave
me a "Looks good to us, case closed, go fuck yourself." The negation of my
case was automated, too. I received the "resolution" a few seconds after
submitting the case.

Thankfully, I had paid with a credit card as the PayPal funding source for
that transaction, and I disputed the charge with my CC company, which found in
my favor, and did a chargeback to PayPal.

After that, I immediately unlinked all of my funding sources from PayPal and
closed my decade+ account. Never again. Not as a buyer, and certainly not as a
seller.

------
ed25519FUUU
> _the app asked me to log in with Facebook to get the credits._

These places (Facebook, Google, etc.) really need to separate the "login with
____" button from an "authorize ___" button. Several times I've tried to log in
using Google only to be greeted with a permission request, such as READING ALL OF
MY EMAILS. Even Dropbox requires you to give them permission to your contacts
if you want to log in with Google.

When you're not paying attention it's really easy to miss this kind of thing.
So much so that now I prefer creating an account traditionally using a
generated password.

------
spzb
So this basically amounts to “sign in with Facebook and the app gets a token
with which it can control your whole account”?

------
TekMol
This sounds like the author typed their facebook and paypal credentials into
the app.

~~~
matsemann
Thousands of apps have "Login with Facebook" (and others), and it's often
impossible to know if it's a real oauth flow or just a fake login page.

~~~
JimDabell
On iOS, if you have the Facebook application installed, the Facebook Login
user journey opens the actual Facebook application. If you don’t have it
installed, it will open the Facebook website in Safari. In both cases,
assuming you are an active user of Facebook, you will already be logged in.

If it’s a fake OAuth screen? The first tip-off, assuming you use the
application, is that it didn’t open the application. The second tip-off, in
either case, is that it’s prompting you to log in. You can verify that you are
logging directly into Facebook by going back to the home screen (which is not
something an application can intercept), and re-opening Safari or the native
application. If you were really in Safari / the Facebook application
beforehand, it will come back to the same screen. Then you can check the URL
to ensure you are on Facebook if you are in Safari.

As far as I am aware, it’s never "impossible to know". However it may be
difficult for the average user to know how to determine this. For the average
user, the rule of thumb "never log in to Facebook if a different application
opened the Facebook login screen; only log in to Facebook if you opened the
native application yourself or typed the website address yourself" is
adequate.

It’s also worth mentioning that most password managers will pay attention to
the domain, and there’s also a mechanism for this for native applications on
iOS. So the password manager not auto-filling is another red flag.

~~~
vezycash
>On iOS, if you have the Facebook application installed, the Facebook Login
user journey opens the actual Facebook application. If you don’t have it
installed, it will open the Facebook website in Safari.

Can someone else confirm this?

Those authentication screens are scary.

With a web browser, I can at least scrutinize the URL.

~~~
JimDabell
If you have any doubt as to whether you are in the legitimate Facebook
application or not, return to the home screen and open Facebook from the icon
on your home screen.

But really, the tip-off is the login prompt. Unless it’s the first time using
the Facebook application on this device, you would normally be already logged
in and it shouldn’t be prompting you to log in to Facebook.

~~~
vezycash
I was looking for an android app to make my phone contacts on Outlook
available on my phone.

The official app screws up with my share menu. I'd see one set of share
targets and just before I hit my choice, outlook will place two contacts at
the top. And this causes the remaining to rearrange.

Got pissed and uninstalled it. And I don't want to copy my contacts over to
gmail.

I tried two contact apps and they both open a login screen - typing my
password both times raised alarms in my head. Neither app worked. And I couldn't
risk trying more apps. Gave up and reinstalled the official outlook.

------
commoner
PayPal is not very dependable when it comes to handling disputes. If you paid
with a credit card through PayPal, file a chargeback via the card itself and
your financial institution should be able to help. But if you paid with your
PayPal balance, you're most likely at Facebook's mercy at this point. Dutch
laws might offer additional consumer protections.

------
atum47
I'm getting tired of flagging false ADs on Facebook platform (in my case
Instagram).

[[https://imgur.com/a/1MUuST4](https://imgur.com/a/1MUuST4)]

The image above is a confirmation that they removed a false AD I flagged and
thanking me for it. Yeah, ok, but as I said, I'm getting tired of flagging this
kind of ads.

I sent an email to Instagram not so long ago, complaining that it is hard to tell
an official AD from a fake one in Instagram, cause they use that ridiculous
thing of opening a webpage inside their own browser (?!) hiding the address.

I'm sorry that this happened to you. I usually deal with low effort scams (but
they usually get my parent's attention) but maybe it's time for Facebook to be
held accountable for this kind of stuff.

Did you buy a TV from an AD you saw on Instagram and it turned out to be a
scam?! Well, let's hold Facebook accountable. Maybe they'll improve their ADs
platform.

------
homero
Wow I saw that same ad for the tiktok ads a couple of days ago, I almost
clicked it but something seemed off with the colors

------
crispyporkbites
You didn’t lose 4k - Facebook have the money, it’s in their account.

They sold virtual space at an almost infinite margin to a hacked account. The
account was hacked on their system, the ad that facilitated the attack was run
on their platform and they allowed the whole thing to perpetuate.

If this was in meatspace, Facebook would be an accessory to fraud.

------
IAmNotAFix
I don't understand the step where the author is logging in with Facebook.

Was that a legit OAuth 2.0/OpenID Connect log in? (In this case this must have
been OAuth 2.0 with a scope giving the application write access to business
stuff.)

Or was it a phishing page in which the author gave his facebook password?

~~~
admn2
I believe it was actually OAuth or else FB would have likely blocked the login
from another country or at the bare minimum sent OP a suspicious login email.

------
s_dev
Scams like this are why walled gardens like the App Store exist.

There's no way a scam app like Tik Tok Business would be able to stay on the
App Store for a sustained period of time.

Even still the Dev admits himself he could have been more on guard with an
Android Developer name like "Develop App".

~~~
behringer
The Google App store is a walled garden. How come this scam app operated long
enough to get so many high reviews?

~~~
s_dev
Play Store is much more flexible than the App Store regarding what it will
allow published -- also how much attention it places on its gatekeeping
activity.

It is a walled garden but the walls simply aren't as high.

------
0xbkt
I can't stress this enough.

Please always check for the correct spelling, punctuation and stylizations of
words/brands in a suspected ad. It's written as "TikTok" everywhere, not
"Tiktok". I almost always see this kind of stylization error in fraud ads.

~~~
bluedino
They spelled 'voucher' two different ways (vocher), and the poor grammar
should be a sign of trouble.

~~~
pbhjpbhj
On the other hand, I spot errors in major brands' copy pretty regularly.

Verification of origin is something companies need to put more effort into in
general.

------
VonGuard
I'm completely unsurprised. I cannot be the only sucker in here who bought
something off of a Facebook ad, and got a token piece of China-shipped junk
instead. Mine was a video of a steel light saber being disassembled and put
together, with all working parts. I was stupid, I paid $30 for it, and a month
later, a box from China shows up with a $1 plastic sword.

After that, I started commenting on every Facebook scam ad I saw, and guess
what? That just got me into the queue for MORE scam ads! Facebook sees me
commenting "SCAM" on ads about cheap Legos, and it says "Hey, this guy likes
cheap Lego scam ads!"

Plus, these ads go to different sites, have different company names, and
different images every time, but they are the EXACT same scam, guaranteed.
It's like Facebook is incapable of having a legitimate and ethical advertising
business at some genetic level, and all the money from these obvious scam ads
is just too good.

This shit is so prevalent and so brazen, I've considered setting up my own
scam ad, maybe sell a Qanon book that's blank and say "Fuck you, idiot"
inside... I mean, why not? It seems like people are getting rich by fucking
over Facebook users, and Facebook LOVES it!

They have such utter contempt for their users. And here I am still using it
because it's the only platform I can see pictures of my family members on, as
they are non-technical users. Am I supposed to run some kind of internal
family campaign to get them all to move to some non-existent alternative? I
hate this so much. I feel trapped by Zuck's heartless machine.

~~~
Nextgrid
> That just got me into the queue for MORE scam ads!

I once created a Facebook account to test something and for some reason it
decided I was some sort of gambling addict (that e-mail was registered on a
legitimate gambling website and I guess they leaked it) and the "people you
may know" was full of fake accounts all related to some kind of scummy mobile
casino game (I guess the game requires login with FB or maybe gives new people
free tokens so they just register tons of fake accounts?).

I've spent a good 20 minutes reporting every single one of them (up to
actually hitting the rate limit on the report endpoint) and not only did the
algorithm not take the hint that maybe it wasn't a good idea to recommend me
more accounts out of that category but their support didn't deem the majority
of them as violating the community guidelines despite them being obviously
fake (and I couldn't notice any difference between those that were deemed as
violating their guidelines and those that weren't).

~~~
fencepost
It may be that there were cultural clues that cued you into them being fake
but that would be completely meaningless for someone being paid pennies to
review those reports in another country.

~~~
Nextgrid
Yes, but it is that person's job to spot those things. If I as a user can do
a better job than them then something is very wrong with the
resources/training they are provided. They should be _better_ than I am, not
worse.

~~~
VonGuard
I reported every single ad for Legos I saw for a week. I ended up with more
ads for Lego scams, too.

------
jakub_g
Is it just me, or the screenshots just scream "scam"?

1. Inconsistent spelling TikTok vs Tiktok, business vs Business in app names
and logos

2. Inconsistent font in Tiktok logo (Times New Roman like font in Android
app, wut)

3. Typos and clumsiness: "vocher" instead of "voucher"; space between $ and
3000 on confirmation screen.

4. As mentioned, the app developer not being TikTok

I'd not be surprised for a random person to fall for this, but an experienced
techie should have seen many red signs.

(Having said that, as some other comment said, logging with FB on mobile is
inherently unsafe because you can't really tell if it's FB or impostor site.
Plus the way the ads markets work, which is just built for scams like this.
Modern web sucks).

~~~
josefresco
Aren't those small mistakes on purpose? To ensnare users who miss obvious
signs of fraud? I know that's a proven tactic for phishing/email scams.

------
ACow_Adonis
A lot of comments, and I gave them all a quick browse, but I can't see anyone
say it, but it's so obvious it has to be said:

What tech-savvy person is not only SEEING ads, but would actually deliberately
click on one? I feel like I'm taking crazy pills.

You don't click on ads! Why would you click on an ad! What's wrong with you
people!?

As user beefield points out, another good rule of thumb is to just never buy
or take anything from anyone who approaches you or communicates to you if you
are not the originator of that communication/request. Just don't do it, and
you save yourself a lot of pain (and don't worry, you're not missing out on
anything).

------
rdiddly
HN loves to downvote any comment about grammar & spelling, but now we see it
in its proper context as a cybersecurity measure. If I'd seen "vocher" (i.e.
voucher) on a big blue button I would've applied the brakes on my clicking
finger. Whether one of these little mistakes is unintentional (indicating
incomplete mastery of English and perhaps foreign scammery), or intentional
(indicating a purposeful screening device to make sure only rushed,
inattentive and stupid people respond), take advantage of the warnings they
leave for you.

------
catchmeifyoucan
Voucher was spelled as "Vocher" in multiple places. At first I thought it was
localization, but then I realized that the author spells it as "Voucher".
That was the red flag for me.

------
tuankiet65
It might look like aluminium but the description says it's just tape.

------
lxe
> Sure, the developer name "Develop App" sounds strange and should I have
> looked better, the developgameonline@gmail.com developer email and
> com.acazira.tforbusiness package name would have definitely raised some
> concerns.

Sorry that you have to deal with this, and well done on actually flagging all
these things as suspicious. I also sometimes make these tradeoffs, when
something sounds 'not quite right' I would still sometimes make a judgement to
ignore it.

------
StillBored
Wow, I guess people really do random app installs on their phones. I've never
installed an app after being redirected to the app store... never. I've always
considered that the equivalent of .exe's in emails. Just don't do it!

The fact that just about every damn site (reddit, etc) all desperately try and
force the issue makes me think that if apple/google had ones best interests at
heart they would disable the functionality.

------
drchiu
I’d say that the prevalence of marketing hacks out there has made people let
their guard down. We assume businesses will lose money on purpose to gain
traction to the degree that when we see deals like these, we jump at it
without a second thought. No doubt there’s technical engineering that went
into this scam, but the social engineering and manipulation of the target’s
psychology is the real secret sauce.

------
efoto
I'm surprised that OP didn't notice misspelled _vocher_ prominently visible on
multiple screenshots.

------
tnolet
I’m clueless about mobile stores and reviews. How does such an app get so many
positive (obviously fake) reviews?

~~~
squeaky-clean
It's really easy to find services like this just by googling the right thing.
I've never used one, but just from a quick search $630 can get you 200 five-star
reviews. I don't know if the site I found will let you repeatedly
purchase for even more reviews, but several of these sites came up when I
googled so it would also be pretty easy to just use 5 different fake review
sites to get up to 1000 fake reviews.

If the price is consistent across them, that means 1000 reviews costs about
$3.1k. Expensive, but it apparently only takes 1 tricked user to become a
profitable scam.

Not saying a similar scam would not have fooled me, as I'm looking at the
screenshot in the article with the knowledge that it's a scam, so it's an
unfair comparison. However the first thing that immediately stands out to me
is there are no 2,3,4 star reviews on this app. The reviewer comments are also
very generic and have many grammatical errors in each featured one in the
screenshot, and the featured reviews are all from Sept 1.
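The review-pattern observations above (no 2/3/4-star reviews, generic wording with grammar errors, everything dated Sept 1), turned into a small detection heuristic as an added example that is not from this thread. The review records are constructed for the example, and the thresholds are my assumptions, not Play Store rules.

```python
from collections import Counter
from datetime import date

# Constructed sample mimicking the pattern described in the thread:
# all five stars, all posted the same day, short interchangeable text.
SUSPECT_REVIEWS = [
    {"stars": 5, "date": date(2020, 9, 1), "text": "Very good app is work"},
    {"stars": 5, "date": date(2020, 9, 1), "text": "nice app good"},
    {"stars": 5, "date": date(2020, 9, 1), "text": "Good app very nice"},
    {"stars": 5, "date": date(2020, 9, 1), "text": "best app ever"},
    {"stars": 5, "date": date(2020, 9, 1), "text": "good"},
    {"stars": 5, "date": date(2020, 9, 1), "text": "is working nice app"},
]

# Constructed organic-looking sample for comparison: mixed ratings,
# spread over months, specific complaints and praise.
ORGANIC_REVIEWS = [
    {"stars": 4, "date": date(2020, 6, 3), "text": "Does what it says, though sync with my calendar is slow."},
    {"stars": 2, "date": date(2020, 7, 14), "text": "Crashes when I open a second account. Support never answered."},
    {"stars": 5, "date": date(2020, 8, 2), "text": "Replaced the web dashboard for me, reports export cleanly."},
    {"stars": 3, "date": date(2020, 8, 20), "text": "Fine on wifi, but the upload step fails on mobile data."},
    {"stars": 1, "date": date(2020, 9, 1), "text": "Latest update removed dark mode and doubled the ads."},
    {"stars": 4, "date": date(2020, 9, 5), "text": "Solid, just wish the budget alerts were configurable."},
]


def review_red_flags(reviews, same_day_share=0.8, short_words=6, vocab_ratio=0.6):
    """Return the set of heuristic red flags raised by a sample of reviews.
    Each review is a dict with 'stars' (1-5), 'date' (datetime.date) and
    'text'. Thresholds are assumptions for this example."""
    flags = set()
    n = len(reviews)
    if n == 0:
        return flags

    # Organic rating distributions carry some 2/3/4-star mass; bought
    # batches (or review bombs) are all 5s or all 1s.
    stars = Counter(r["stars"] for r in reviews)
    if n >= 5 and all(s in (1, 5) for s in stars):
        flags.add("no_middle_ratings")

    # A large share of reviews landing on one day points to a bulk order.
    _top_day, top_count = Counter(r["date"] for r in reviews).most_common(1)[0]
    if top_count / n >= same_day_share:
        flags.add("same_day_cluster")

    # Paid reviews tend to be short ...
    words = [w.strip(".,!?").lower() for r in reviews for w in r["text"].split()]
    if len(words) / n < short_words:
        flags.add("short_generic_text")

    # ... and drawn from a tiny shared vocabulary ("good", "nice", "app").
    if words and len(set(words)) / len(words) < vocab_ratio:
        flags.add("low_vocabulary")

    return flags


if __name__ == "__main__":
    print("suspect:", sorted(review_red_flags(SUSPECT_REVIEWS)))
    print("organic:", sorted(review_red_flags(ORGANIC_REVIEWS)))
```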

------
Tade0
Wasn't PSD2[0] created for the purpose of preventing such scams?

[0] [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32018R0389)

------
newsbinator
> Contacting Facebook about such scams/hacks is a challenge on its own: there
> is a support page but in all my attempts I was unable to click the "email"
> icon. The "chat" icon always says "chat unavailable"

This is both incredibly frustrating and incredibly unsurprising.

------
msravi
How exactly did they get around the 2FA? I'm guessing the app he installed
stole his password when he entered it, but he does say that he had 2FA
enabled. How did they get around this and log in to his account? Or did the
app somehow siphon off the 2FA code also?

------
bjarneh
So _someone_ paid €8,235.82 for 2,126 clicks? Clicks are getting expensive
these days...

~~~
zurfer
well, someone paid 8k to show an ad to 2.6 million people, it was just not a
good ad

~~~
9HZZRfNlpR
They probably want to run the budget as fast as possible because sooner or
later you get caught and care little how effective it is or how much to
optimize it.

------
mikorym
I don't know whether this is relevant for fact checking, but the ad logo in
the first image with the bullseye image uses an image (the bullseye itself
with the arrow) that is available as a logo/icon on MS Office exactly as is.

------
jrochkind1
If I understand right, the scam was a phishing attempt, that successfully got
their facebook credentials (or an OAuth token? they might not be sure?) and
used them to buy ads on facebook in that amount?

------
junon
> Initiated a PayPal chargeback process - PayPal responded: "we’ve determined
> there was no unauthorized use"

Yep. This is why I avoid PayPal like the plague. I've never heard good things
about them.

------
bluedino
Most fraud starts with people thinking they are getting something for free.

~~~
sukilot
It's hard to con an honest person unless they are mentally impaired.

~~~
pbhjpbhj
I think it's relatively easy to con honest people because they tend to think
other people have similar moral standards.

'we're inspecting your home on behalf of the government' [steal your jewelry]

'we're calling from your bank as there's been a problem with your account; we
need you to read an access code from your phone' (steals savings)

'we're calling from your pension advisor as you appear to have been missold
payment protection' (steals pension)

There doesn't appear to be any need for dishonesty on the part of the
conned.

It's possibly easier to con a greedy person?

------
chatmasta
> Unfortunately I don't have a screenshot of the ad in question

FYI I believe there is a way you can see the ads you've clicked on in the last
3 months from within Facebook settings somewhere.

------
bo1024
I think single-sign-on stuff and "Sign In with X" are a cancer. They encourage
you to type in your sensitive credentials all over the place and hope it's
safe.

------
sova
Astonishing that people with such creativity would resort to theft and
deception -- you cannot steal as much as you could earn legally, making
something useful for everyone!

~~~
bserge
If only it were true

~~~
sova
[https://opengovasia.com/vietnamese-it-sector-posted-six-mont...](https://opengovasia.com/vietnamese-it-sector-posted-six-month-revenue-of-over-43-billion/)

------
Exuma
How does simply connecting/logging in with an app give the FB application to
spend on your business manager ad account...?

------
justmyname
Thank you, Niek, for sharing that story. Such cases should be maximally open
and transparent for people to learn the real risks.

------
heavyset_go
And people chastise those who use ad blockers when ad networks refuse to
police their own content for malicious ads and code.

------
tluyben2
Browsers / webviews must have a special visual state for OAUTH requests. As it
is very easy to mimic.

------
PerilousD
sorry for your loss - but you are STILL using Facebook? Any future problems
look and hard in a mirror.

------
canes123456
You can make paypal charges with a Facebook oauth token? Or did they keylog
his facebook password?

~~~
danielhua
He had a Facebook ads account with PayPal linked, and the hacker used his
login info to run their own (apparently Vietnamese aluminum product) ad
campaign and spend using his account.

~~~
drcongo
Why would anyone link those two things? That just seems insane to me.

------
vezycash
One more reason why adblockers are a must install for everyone, especially
non-technical people.

------
z3t4
How could Facebook charge the Paypal account without authorization nor second
factor??

~~~
commoner
If you accept a billing agreement with a merchant on your PayPal account, that
merchant becomes able to charge your PayPal account without confirmation.

[https://www.paypal.com/uk/smarthelp/article/what-is-a-billin...](https://www.paypal.com/uk/smarthelp/article/what-is-a-billing-agreement-and-how-does-it-work-faq1848)

To cancel the billing agreement, follow these instructions:

[https://www.paypal.com/us/smarthelp/article/how-do-i-cancel-...](https://www.paypal.com/us/smarthelp/article/how-do-i-cancel-a-billing-agreement,-automatic-recurring-payment-or-subscription-on-paypal-faq2254)

Some merchants encourage or force a billing agreement before the customer can
make a purchase. The PayPal UI does not make a strong distinction between
entering into a billing agreement and making a standard purchase. For users
who are not familiar with the PayPal checkout process, the billing agreement
UI looks just like a normal step in the process.

~~~
koyote
I actually happened to be going through the Paypal settings yesterday as I
couldn't get it to make a purchase on ebay and thought something might be
wrong there.

I had around a dozen merchants who were listed in the automatic billing
payment list and only one of them was a subscription I remember setting up.
(the others were all legit and large businesses and none of them have charged
me, but they could have!). I have since 'deactivated' all of them.

I really do hate Paypal but I often choose them when I buy something from a
smaller web shop as I do not trust the web shop to keep my card details
safe...

------
cbluth
here is the apk, if anyone is interested:

[https://apkpure.com/tiktok-ads-business/com.acazira.tforbusi...](https://apkpure.com/tiktok-ads-business/com.acazira.tforbusiness)

------
gbraad
Red flags everywhere and missed? And why would TikTok use Facebook to login?

------
Androsec
here is a technical explanation of exactly what happened

[https://news.ycombinator.com/item?id=24483028](https://news.ycombinator.com/item?id=24483028)

------
fortran77
If Facebook ran that ad, you should at least try to hold them accountable.

------
thrownaway954
just saying... As much as everyone hates on Apple cause of their review
process, you have to admit that an app like this would have been caught.

------
JAlexoid
Facebook Ads are the worst ones. Full of scams!

Never click on them

------
negamax
Android has become a serious security risk

------
tehlike
Initiate a charge back through the bank

------
tscolari
Very shitty attitude from Paypal.

------
aurelien
You lost your life with facebook and that does not disturb you ... so thanks for
the 4K ;-)

------
saos
Wow, all that and OP still won’t delete the Facebook business account.

------
rbrtl
I shortened the TLDR:

TL;DR: don't click ads

------
rvnx
TL;DR: guy clicked on a link promising him 3000 usd out of thin air if he
gives access to his account linked to PayPal. Malicious user used his account
to buy digital items (ads).

------
redleggedfrog
"...and I'm generally very cautious with account security." "Two days ago, I
spotted an ad while browsing Facebook..."

Those two statements are mutually exclusive.

~~~
TillE
I'm constantly baffled by the number of tech-literate people who don't use ad
blockers. I don't know how they can stand it.

~~~
Avamander
You're acting like Facebook isn't _hostile_ to adblockers, Facebook is
making it very difficult to block their ads continuously.

~~~
drcongo
It's easy, I have every single Facebook owned domain blocked at the network
level and I never see a Facebook ad. Or Facebook.

------
except
The app looks poorly made and there are clear spelling mistakes plus the fact
that it was not offered by TikTok which should have made you suspicious. It
sucks this happened but maybe you should have done some research and checked
if this app actually did belong to TikTok. I assume the app also asked you to
login to Facebook directly rather than OAuth which should also have made you
suspicious.

~~~
klmadfejno
I've often heard the argument that scams add spelling mistakes to only catch
the idiots that have a high conversion rate for the scam. That doesn't feel
like it makes sense on something like this which is highly sophisticated. Is
it just bad quality?

~~~
except
My point was that official applications rarely ever include them, not that it
was intentionally placed there.

------
stiray
(My moral compass is still up and running while some call disabling it
"running business")

I wonder why something like this never happens to me?

- I am not paying a dime for advertising as it is completely inappropriate to
spam more users with ads (Zillions of ads and you are one of them? And this
works? Really? Not for my users and my reputation.)

- I don't use facebook as I have real friends to go to a beer with

- I don't open any ads (but ad nauseum [1] does)

- I don't use TikTok and I don't see anything positive in it so even if I would
be advertising I surely wouldn't spam kids with ads

-- ...

(I could call this whole event a "poetic justice")

[1] [https://adnauseam.io/](https://adnauseam.io/)

(edit: fixed wrong wording as suggested - anyway I don't attack op - in the same
manner I don't attack drug dealers. I am just explaining why I don't do that. Or
sell drugs. Someone might learn something from it.)

~~~
elwell
> unappropriate

"inappropriate", as in: "Your attack on OP is inappropriate."

