August 16, 2023

Return of the Facebook Ad Violation Scam

On July 9, 2023, I published a blog article about a Facebook ad violation scam I received in my email inbox. After I reported the scam to SpamCop, the scam stopped for me, but not for another person I know. Evidently, my break is over and the scam arrived afresh in my inbox, on August 16, 2023.

Apparently, scammers are following me and other people who maintain Facebook business pages. When they or their ad detection script detects that I've boosted a post, or created a new ad, they create an email-borne phishing scam targeting my page by its name. In the most recent scam email, the subject was: "Your ad account is currently inactive." The From field contained the words: "Meta for Business". The body text contained dire warnings, including the following:

We regret to inform you that your Advertising account was used to create one or more Ads that do not comply with our Advertising Policies or Community standards.
...
Your account will be permanently deleted in the next 24 hours.

This was followed by a call to action:

To request a review, if you believe your account follows our Community Standards, please use the form below:

SUBMIT NOW

Now that I've stated the visible basics, let's take a look behind the scenes and see just what the Hell is going on!

First of all, if you are reading this because you also received one of these suspicious email warnings from Meta for Business, claiming that your ad account is inactive, or that it violates their community standards, take a deep breath and read the rest of this article.

In all of the emails I have received with this scam, the actual email domain is not on Facebook.com. The email I got on this day had @hotmail.com in the From field. Many email clients hide the actual email address if a "friendly name" is present. All of these particular scams contain the friendly name: Meta for Business.

If you want to learn more about the routing of the scam, read my previous article. Suffice it to say that they are sent through mail servers belonging to Salesforce.com.

I decided to investigate the URL in SUBMIT NOW. It led to a domain named web.app, hosted on Fastly.com and using Google name servers.

The first step I took was to view the destination using Wget. I determined that there was no forced download present. Then I followed the actual link in a browser tab protected by Malwarebytes' Browser Guard. The link was to a document hosted on a domain named web.app. I discovered that it was a plain text page containing stolen Meta logos and wording. The bottom footer contained all manner of words that are normally links on a real Facebook page. But, not one of the words, categories, or the top logo had any hyperlinks! They were simply words in plain text. The entire page was created via a JavaScript include named main.dart.js.

There is a form on the page containing input fields for your personally identifiable information, including Facebook login email address, your name, your phone number, a text field for you to type your "appeal," a "Do you agree to the Terms" checkbox, and a Submit button that becomes active if you check that box. If your inputs pass basic validation, you will open another form field asking for your Facebook password, to verify you are who you say you are. This is how they Phish you to steal your Facebook login details.

What to watch for

The simplest way to find out if your ad, or boosted post violates Facebook rules is to log into your Meta Business account, or the Facebook "Page" and look for notifications from Facebook. In most instances, once Facebook approves your ad, or boost, it remains active until your preset budget or ending date is reached. The scammers behind these emails are counting on panicking recipients into clicking on the Submit Now button to appeal the fake block on your ads.

If you know how to reveal the email headers, look for the postmaster field. If it says salesforce.com, or anything other than facebook.com, or facebookmail.com, it is a scam. All of these particular scams contain many references to salesforce.com in the headers. If you need to learn about revealing the hidden headers, read this article I published in 2006 about how to display email headers for reporting spam and scams.
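The header checks described above, as an added example that is not part of the original article: a Python sketch that flags a friendly name masking a non-Facebook address and a relay through salesforce.com. The sample message is constructed with placeholder addresses, and treating Return-Path as the article's "postmaster field" is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the article names as legitimate for Facebook mail.
TRUSTED = ("facebook.com", "facebookmail.com")

# Constructed sample modelled on the article's description;
# addresses and host names are placeholders, not real indicators.
SAMPLE = """\
Return-Path: <bounce-123@bounce.example.salesforce.com>
Received: from mta.example.salesforce.com (mta.example.salesforce.com [192.0.2.10])
\tby mx.example.net with ESMTPS; Wed, 16 Aug 2023 10:00:00 -0400
From: Meta for Business <someone.example@hotmail.com>
To: pageowner@example.net
Subject: Your ad account is currently inactive
Content-Type: text/plain

We regret to inform you ...
"""

def domain_of(address):
    """Return the lowercased domain part of an email address, or ''."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def is_trusted(domain):
    """True for a trusted domain or a subdomain of one (not a lookalike)."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED)

def check_headers(raw):
    """Return a list of findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # The friendly name is what most mail clients show; the address is what matters.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if not is_trusted(from_dom):
        findings.append(f"From: friendly name {name!r} hides address at {from_dom or 'unknown'}")
    # Assumption: the envelope sender (Return-Path) is the "postmaster field".
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and not is_trusted(rp_dom):
        findings.append(f"Return-Path domain {rp_dom} is not Facebook")
    # Any hop through salesforce.com matches the routing the article reports.
    if any("salesforce.com" in hop.lower() for hop in msg.get_all("Received", [])):
        findings.append("Received: relayed through salesforce.com")
    return findings

if __name__ == "__main__":
    for line in check_headers(SAMPLE):
        print(line)
```

Save the suspicious message as raw source (headers included) and pass its text to `check_headers` in place of `SAMPLE`.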

Follow-up: As I already knew, this was a scam and my Facebook ads were still alive and well. My reports were acted upon the same day and the page is now blocked by a red warning page from Google Safe Browsing, warning about a deceptive page ahead.


August 9, 2023

Fix for Logitech Setpoint won't open on Windows 10 in 2023

Back in 2016, I wrote a blog article detailing how I got Logitech SetPoint to startup with Windows. Until I found the fix, SetPoint installed and I could open and manage it, but it simply wouldn't auto-launch when I logged into Windows or install its icon in the "System Tray." Fast forward 7 years and a new problem popped up with SetPoint not working right on a newly acquired Windows 10 laptop computer.

This new problem is that even though I was able to install SetPoint on my new to me Dell Latitude laptop, I was unable to launch/open the program to manage it. The installer completed and there was a shortcut on the Start Menu. But, clicking on the icon and shortcut did absolutely nothing. When I opened the folder containing the program's executable, Setpoint.exe, and clicked on it, I got a popup error message from Windows complaining that "the side by side configuration is incorrect."

Before I stumbled onto the actual fix, I tried all kinds of suggestions I found on various troubleshooting forums. I downloaded old versions of Microsoft Visual C++ packages in the hopes that the program was looking for long outdated missing components. I even tried a suggestion to run the program in Windows 7 Compatibility mode. Nope, none of this worked. ;-( So, I began following my own hunches based upon decades of experience operating and upgrading Windows computers.

I've always operated under the theory that if something is going wrong, but the culprit isn't in plain view, follow the breadcrumbs. Troubleshooting software problems often requires detective work. I'm not a programmer, but I've been around long enough to know that when a program doesn't work from the get-go, something is wrong with the installer, or the computer. So, my first order of business was to vet the computer itself to ensure that the operating system was sound. If you're reading this because you have the same problem with SetPoint, or any other program, follow the same process.

Verify the operating system's integrity.

  1. First, make sure you can see the Windows Search box on the Windows Taskbar, by the Start Menu button, or orb. If you don't have a search box visible, it's been set to hidden. Right click on an empty area on the taskbar to open a Taskbar settings menu. Hover your pointer over the word "Search" near the top of the menu, then move the pointer to the pop-out right options panel and left click/press on Show search box.
  2. Type: CMD in the search box.
  3. A search suggestions window will pop up over the left edge of the monitor. You should see the words Command Prompt App in bold letters on the left, with several options showing on the right side. Choose the option to Run as Administrator. Accept the Administrator challenge popup. If asked, type in your computer administrator password to continue.
  4. When the Command Window opens, you will see the command line: "C:\WINDOWS\System32>" in the upper left, with a blinking underline cursor next to the bracket symbol. If you don't see the blinking cursor, click anywhere on or in the Command Window.
  5. Type, or copy and paste this command: sfc /scannow, then press Enter. This launches the Windows System File Checker. It takes a little while to complete the scan.
  6. When the SFC finishes, if it finds errors, I also run the next command in the Command Window: DISM /Online /Cleanup-Image /RestoreHealth and press Enter. After the operation has completed, I recommend closing all open programs and rebooting the computer.

If no errors were found, or if you've rebooted after fixing system errors, open your web browser and go to the Logitech SetPoint downloads page. If you don't see your operating system already displayed, look for the small down facing arrow on the left side of the word and mouse icon for SetPoint. Click on the down arrow to open a menu for your operating system. I chose Windows 10. In Firefox I actually had to click on the apparently grayed out words to open the SetPoint downloads for Windows 10. Here's where the mistakes are usually made and fixed.

THE FIX

When you select your operating system on the SetPoint downloads page, the only option you'll normally see is the current version for your system, with Software Type: Smart Installer in the description. DON'T USE THE "SMART" INSTALLER if you know whether your computer is 32 bit or 64 bit architecture. Instead, click on Show all downloads. Scroll down until you find the correct version of SetPoint for your computer, as either 32 bit or 64 bit and download that installer (using the Download Now button). In my case, for my 9 year old, upgraded Dell Latitude, I chose Software Version: 6.90.66 - 64 bit - 80.5 MB.

Aside: If you don't know whether your computer is 32 or 64 bit, click on Start button/orb > Settings > System > About. The bitness will be listed under System type.

Before you run the new installer, uninstall the previous (smart) installation that didn't work. It must be gone for the new installer to work right. After I installed the 64 bit installer, SetPoint launched and opened on its own. The icon was in the System Tray, like it is on my other computers. Clicking on the icon opens SetPoint and I was able to set the middle wheel button to do a Double Click.

I hope this helps somebody else to get SetPoint installed and working. Logitech support was of no help. All the other search results involved downloading Microsoft files. This solution simply required searching for the download for my OS and Bitness!

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.