Return of the Facebook Ad Violation Scam
On July 9, 2023, I published a blog article about a Facebook ad violation scam I received in my email inbox. After I reported the scam to SpamCop, the scam stopped for me, but not for another person I know. Evidently, my break is over and the scam arrived afresh in my inbox, on August 16, 2023.
Apparently, scammers are following me and other people who maintain Facebook business pages. When they or their ad detection script detects that I've boosted a post, or created a new ad, they create an email-borne phishing scam targeting my page by its name. In the most recent scam email, the subject was: "Your ad account is currently inactive." The From field contained the words: "Meta for Business". The body text contained dire warnings, including the following:
We regret to inform you that your Advertising account was used to create one or more Ads that do not comply with our Advertising Policies or Community standards.
...
Your account will be permanently deleted in the next 24 hours.
This was followed by a call to action:
To request a review, if you believe your account follows our Community Standards, please use the form below:
SUBMIT NOW
Now that I've stated the visible basics, let's take a look behind the scenes and see just what the Hell is going on!
First of all, if you are reading this because you also received one of these suspicious email warnings from "Meta for Business", claiming that your ad account is inactive or that it violates their community standards, take a deep breath and read the rest of this article.
In all of the emails I have received with this scam, the sending address is not on a facebook.com domain. The one I got on this day had an @hotmail.com address in the From field. Many email clients show only the "friendly name" (the display name in the From header) and hide the actual address behind it, and every one of these scams uses the friendly name "Meta for Business".
If you want to learn more about the routing of the scam, read my previous article. Suffice it to say that they are sent through mail servers belonging to Salesforce.com.
I decided to investigate the URL behind SUBMIT NOW. It led to a site on web.app, the shared domain on which Google's Firebase Hosting publishes user-created sites (so anyone can put a page under it); the site was served through Fastly and used Google name servers.
The first step I took was to fetch the destination with Wget, which showed there was no forced download. Then I opened the actual link in a browser tab protected by Malwarebytes' Browser Guard. It was a page on web.app containing stolen Meta logos and wording. The footer contained all manner of words that are normally links on a real Facebook page, but not one of those words, categories, or the top logo had any hyperlink; they were plain text. The entire page was rendered by a single JavaScript include named main.dart.js, which is the name of the compiled output of a Flutter web application, and that explains the dead footer: the whole page is drawn by script rather than built from ordinary HTML anchors.
The page has a form with input fields for your personally identifiable information: your Facebook login email address, your name, your phone number, a text field for your "appeal," a "Do you agree to the Terms" checkbox, and a Submit button that becomes active once you check that box. If your input passes basic validation, a second form appears asking for your Facebook password, supposedly to verify you are who you say you are. That password prompt is the actual phish: a genuine appeal takes place inside your logged-in account, and no legitimate form asks you to type your Facebook password into a page that is not on facebook.com.
What to watch for
The simplest way to find out whether your ad or boosted post violates Facebook rules is to log into your Meta Business account, or the Facebook Page itself, and look for notifications from Facebook there. In most instances, once Facebook approves your ad or boost, it remains active until your preset budget or end date is reached. The scammers behind these emails are counting on panicking recipients into clicking Submit Now to appeal a block that does not exist.
If you know how to reveal the email headers, look at the sending domain: the envelope sender in the Return-Path header and the hosts named in the Received lines. If they say salesforce.com, or anything other than facebook.com or facebookmail.com, it is a scam. All of these particular scams contain many references to salesforce.com in the headers. The Authentication-Results header added by your own mail server is the most reliable signal, because the friendly name and the earlier Received lines are under the sender's control: a DKIM pass for a domain other than facebook.com or facebookmail.com means the friendly name is a lie, however polished the message looks. If you need to learn about revealing the hidden headers, read this article I published in 2006 about how to display email headers for reporting spam and scams.
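To make the two checks above concrete, here is a small Python script that parses a raw message and flags the indicators this article describes: a "Meta for Business" friendly name sitting on a non-Meta address, a Return-Path or Received host outside facebook.com/facebookmail.com, a DKIM pass for the wrong domain, and a deletion deadline in the body. This is an added example written for this page, not code from the article; both sample messages, including every host name, address and IP in them, are constructed for the example and are not the actual scam emails.

```python
"""Added example (not code from the article): check a raw message for the
indicators described above: a "Meta for Business" friendly name on a non-Meta
address, Return-Path and Received hosts outside Meta's domains, a DKIM pass
from the wrong domain, and a deletion deadline in the body.  Both sample
messages, including every host name, address and IP, are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains the article names as Facebook's real senders.
EXPECTED_DOMAINS = ("facebook.com", "facebookmail.com")
URGENCY = re.compile(r"permanently deleted|in the next \d+ hours", re.I)

# Constructed to match the scam's shape: friendly name, Hotmail address,
# Salesforce relay.  None of these hosts or addresses are real senders.
SCAM_RAW = """\
Return-Path: <bounce@bounce.sample.salesforce.com>
Received: from mta01.sample.salesforce.com (mta01.sample.salesforce.com [192.0.2.10])
        by mx.example.net with ESMTPS; Wed, 16 Aug 2023 09:12:33 -0700
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.sample.salesforce.com; dkim=pass header.d=sample.salesforce.com
From: "Meta for Business" <someone@hotmail.com>
To: page-owner@example.net
Subject: Your ad account is currently inactive
Content-Type: text/plain; charset="utf-8"

We regret to inform you that your Advertising account was used to create
one or more Ads that do not comply with our Advertising Policies.
Your account will be permanently deleted in the next 24 hours.
"""

# Constructed to look like a genuine notification, for contrast.
LEGIT_RAW = """\
Return-Path: <notification@facebookmail.com>
Received: from mx-out.sample.facebook.com (mx-out.sample.facebook.com [192.0.2.20])
        by mx.example.net with ESMTPS; Wed, 16 Aug 2023 10:00:00 -0700
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
From: "Meta for Business" <notification@facebookmail.com>
To: page-owner@example.net
Subject: Your boosted post is now running
Content-Type: text/plain; charset="utf-8"

Your boosted post was approved and is now running.
"""


def _domain(addr: str) -> str:
    """Lower-case domain of an RFC 5322 address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _is_expected(host: str) -> bool:
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def analyze(raw: str) -> dict:
    """Return the extracted sender data plus a list of phishing indicators."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = _domain(str(msg.get("Return-Path", "")))

    # Hosts named in Received lines.  Only the line(s) added by your own MX
    # are trustworthy; earlier hops can be forged, so treat them as supporting
    # evidence rather than proof.
    hops = [m.group(1).lower()
            for hop in msg.get_all("Received", [])
            if (m := re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(hop)))]

    # DKIM verdict recorded by the receiving server, and the signing domain.
    auth = str(msg.get("Authentication-Results", ""))
    dkim = re.search(r"dkim=(\w+)(?:.*?header\.d=([A-Za-z0-9.-]+))?", auth)
    dkim_result = dkim.group(1).lower() if dkim else "none"
    dkim_domain = (dkim.group(2) or "").lower() if dkim else ""

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []
    if re.search(r"meta|facebook", display_name, re.I) and not _is_expected(from_domain):
        findings.append(f"friendly name {display_name!r} hides From domain {from_domain}")
    if rp_domain and not _is_expected(rp_domain):
        findings.append(f"Return-Path domain {rp_domain} is not a Meta domain")
    findings += [f"Received hop from {h}" for h in hops if not _is_expected(h)]
    if not (dkim_result == "pass" and _is_expected(dkim_domain)):
        findings.append(f"no DKIM pass from a Meta domain (got {dkim_result} {dkim_domain or '-'})")
    if URGENCY.search(text):
        findings.append("deletion deadline in body")

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "received_hosts": hops,
        "dkim": (dkim_result, dkim_domain),
        "findings": findings,
        "verdict": "phishing indicators" if findings else "no indicators",
    }


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_RAW), ("legit", LEGIT_RAW)):
        result = analyze(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Note that the constructed scam message gets a dkim=pass, yet is still flagged: a valid signature only proves the mail came from the domain that signed it, so the check compares the signing domain against the domains Facebook really uses rather than trusting "pass" on its own. Paste your own headers into the raw string to run the same checks on a real message.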
Follow-up: As I already knew, this was a scam and my Facebook ads were still alive and well. My reports were acted upon the same day, and the page is now blocked by a red warning page from Google Safe Browsing, warning about a deceptive page ahead.