Beware: researchers uncover hundreds of malvertising campaigns on Meta platforms


A disinformation-for-profit network uses trusted news brands, real personalities, fabricated media narratives, emotional hooks, and advanced evasion techniques to drive victims – all users of Meta platforms – into investment fraud funnels, researchers say.

Bitdefender Labs analyzed as many as 310 malvertising campaigns distributed through paid advertising on Meta platforms and says it’s a sprawling global scam infrastructure spanning at least 25 countries worldwide.

“The narratives vary, but the financial objective is consistent: drive users into deposit-based investment fraud funnels,” say the researchers.

They describe the campaigns as “three distinct but structurally identical scam sub-campaigns operated by what appears to be at least two to three separate threat actor groups using the same scam playbook, combined with a smaller fourth independent sub-campaign.”

Unsurprisingly, most of the narratives – whether it’s a fake broadcast scandal, a celebrity will revelation, or a “national investment platform” – ultimately pivot to investment scams. The crooks behind these campaigns attempt to harvest user data for fraudulent purposes.

The campaign in the UK impersonates Nigel Farage, the BBC, and the Bank of England. Courtesy of Bitdefender Labs.

“These fake narratives are used as bait. The real objective is investment fraud, through high-risk trading platforms, binary options type schemes, crypto schemes, and direct deposit funnels,” Bitdefender Labs explained in a blog post.

“The end destination is consistent: lead-generation pages that collect details for follow-on contact and pressure tactics typical of investment fraud funnels.”

Here’s how it usually works. Users see a sponsored post on Facebook that appears to point to a trusted site.

In the United Kingdom, the campaigns most often impersonate the BBC or the Bank of England. In Spain, Banco Santander and BBVA are targeted.

After they click on the post, a redirect chain silently moves them from that “safe” preview to a suspicious destination. Users are then greeted with a fake news article or dramatic narrative before being pushed to “register,” “unlock access,” or “start earning.”

Once the unfortunate victim submits details such as name, phone, email, and more, they “typically become a lead in a call-center-driven investment scam.”

In the next stage, a “broker” calls claiming to represent a trading platform and encourages the victim to deposit a minimum amount. They’re later shown a fake dashboard and pressured to increase deposits. Withdrawal is, of course, virtually impossible.

“Each narrative is localizable, reusable, and emotionally compelling – precisely what makes them effective on social platforms,” says Bitdefender Labs.

According to the researchers, a large part of the malvertising campaigns show observable signals of a Russian-speaking operator. Bitdefender Labs isolated every instance where such direct signals appeared in raw ad metadata on Meta.

However, there’s no actual evidence of state sponsorship or intelligence agency involvement. The ongoing hypothesis is that the campaigns are part of financially motivated criminal activity.

Besides, the mixture of Russian and Ukrainian Cyrillic across scam campaigns suggests a multi-national Slavic-speaking operator team, rather than a strictly Russian-language actor.
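As an added illustration (not Bitdefender's tooling or method), the sketch below shows one way an analyst could triage ad metadata for the Russian and Ukrainian Cyrillic signals described above, using letters that exist in only one of the two alphabets. The record fields and sample values are constructed for the example, and because other Cyrillic alphabets (Belarusian, for instance) share some of these letters, the result is a triage signal rather than attribution.

```python
import unicodedata

# Lowercase letters found in only one of the two alphabets.
RU_ONLY = set("\u0451\u044a\u044b\u044d")   # ё ъ ы э (absent from Ukrainian)
UK_ONLY = set("\u0491\u0454\u0456\u0457")   # ґ є і ї (absent from Russian)

def cyrillic_signal(text):
    """Classify one string: 'ru', 'uk', 'mixed', 'cyrillic' or 'none'."""
    letters = [c for c in text.lower() if c.isalpha()]
    if not any("CYRILLIC" in unicodedata.name(c, "") for c in letters):
        return "none"
    ru = any(c in RU_ONLY for c in letters)
    uk = any(c in UK_ONLY for c in letters)
    if ru and uk:
        return "mixed"
    if ru:
        return "ru"
    if uk:
        return "uk"
    return "cyrillic"  # Cyrillic text without a distinguishing letter

def scan_ads(ads):
    """Map ad_id -> signal for every ad whose metadata contains Cyrillic."""
    hits = {}
    for ad in ads:
        blob = " ".join(str(v) for k, v in ad.items() if k != "ad_id")
        signal = cyrillic_signal(blob)
        if signal != "none":
            hits[ad["ad_id"]] = signal
    return hits

def operator_profile(ads):
    """Summarise the signals seen across a whole set of ads."""
    seen = set(scan_ads(ads).values())
    if "mixed" in seen or {"ru", "uk"} <= seen:
        return "russian-and-ukrainian"
    for label in ("ru", "uk", "cyrillic"):
        if label in seen:
            return label
    return "none"

# Constructed sample records; field names are hypothetical, not Meta's schema.
SAMPLE_ADS = [
    {"ad_id": "A1", "campaign_name": "uk_news_v3", "creative_note": "новый вариант"},
    {"ad_id": "A2", "campaign_name": "es_bank_v1", "creative_note": "українська версія"},
    {"ad_id": "A3", "campaign_name": "тест", "creative_note": ""},
    {"ad_id": "A4", "campaign_name": "de_invest", "creative_note": "final"},
]

if __name__ == "__main__":
    print(scan_ads(SAMPLE_ADS), operator_profile(SAMPLE_ADS))
```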
