Crypto currency ads on Facebook in 2020
25 June 2020
Lately, every 4th post or so on Facebook I see is an Ad for something cryptocurrency related - kudos for getting my interests right, but Facebook definitely needs to have stricter review policies on ads, especially because:
- Some of the ads are using link-masking using legitimate domains - Facebook does not unfurl these properly, so the ads look more legitimate by showing the trusted domain in the ad space
- Some of these are straight-up scams that you can tell just from the type of language and promises they use
Currently on Facebook (and Instagram), there is a massive ad campaign pushing bogus articles explaining how young people are making a lot of money on these Bitcoin trading platforms and Forex Telegram groups.
The websites are “boring” because it is the same rehashed stuff over and over again asking for a small deposit. However, there is also a wave of Telegram links being pushed via Facebook ads that are very interesting (to me at least) because they include a lot of messages and users (some over 100k, though most likely botted as they don’t have the same talk traffic as what you would expect from 100k users) but also because they post a lot of video proof of people “vouching” for their services. For this writeup we will be focusing on the bogus articles being pushed and the type of websites users land on.
Here’s a dump of some of the posts that are being promoted by Facebook Ads.

Let’s take a look at the websites
This advert looks exciting because it leaves the reader on a 'cliffhanger' to find out more - it is actually brilliantly done. I can imagine a lot of people clicking on this to see the full story.
I should start by saying these ads, at least the majority of them, do have some logic in the landing webpage to see if the user clicked from Facebook instead of finding the webpage organically via a search engine or copy and paste the link. If they detect that you did not come from Facebook, the webpage will show completely different content - this makes them harder to track.
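One way to check a landing page for this kind of cloaking, as an added example that is not from the original write-up: fetch the same URL with no Referer, a search-engine Referer and a Facebook Referer, then compare the visible words. The local `CloakedPage` server is a constructed stand-in, and keying on the `Referer` header is an assumption, since the write-up does not say how the pages detect Facebook traffic.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REFERERS = ("https://www.google.com/", "https://www.facebook.com/")

class CloakedPage(BaseHTTPRequestHandler):
    """Constructed local stand-in for a landing page that keys on Referer (assumption)."""
    def do_GET(self):
        if "facebook.com" in self.headers.get("Referer", ""):
            body = b"<h1>Celebrity reveals Bitcoin trick</h1><a href='/go'>Join now</a>"
        else:
            body = b"<h1>Ten tips for houseplants</h1><p>Water weekly.</p>"
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging

def visible_words(url, referer=None):
    """Fetch url directly (no proxy) with an optional Referer; return its visible words."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.build_opener(urllib.request.ProxyHandler({})).open(req, timeout=5) as resp:
        html = resp.read().decode("utf-8", "replace")
    return set(re.findall(r"[a-z0-9']+", re.sub(r"<[^>]+>", " ", html).lower()))

def cloaking_report(url, threshold=0.5):
    """Compare the no-Referer page with other arrivals; low word overlap suggests cloaking."""
    baseline = visible_words(url)
    report = {}
    for referer in REFERERS:
        words = visible_words(url, referer)
        union = baseline | words
        overlap = len(baseline & words) / len(union) if union else 1.0
        report[referer] = {"overlap": round(overlap, 2), "cloaked": overlap < threshold}
    return report

def demo():
    with HTTPServer(("127.0.0.1", 0), CloakedPage) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return cloaking_report(f"http://127.0.0.1:{server.server_port}/")
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```

Real pages carry some dynamic content, so the 0.5 threshold is a starting point to tune rather than a fixed rule.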
When a user clicks on the ad from Facebook, it opens up a webpage with a big catchy headline and an image of a newsdesk with some public figures and logos of some news networks.
I'll dump the content of the article in numerous screenshots - but take note that most cryptocurrency ads that lead to the same webpage (structurally wise, they are all different domains) at the end have the same or similar copy, at least the same narrative of "making lots of money with this [weird] Bitcoin trick". It's a long list of images, so if you're not interested in reading the entire article then scroll down past the image dump.
It's a compelling article... I mean who doesn't like a crazy tale of making money with a method that even the celebrities endorse?! It's got to be true because all I hear about Bitcoin is "Bitcoin $$ MOOOON" and I can participate in "TO THE MOOON" with a small £200 investment! And even better, it's _all automated_.
After someone has read the article, they see the big orange button to get access to this "amazing" platform to generate mega wealth. When their browser does a couple of redirects through various domains, they are landed on a site that looks the same as below (there are multiple domains running this with small reskinning techniques).
All of these sites have this edited video to make Bitcoin look like a mega-profit-maker. Here is a mirror: bitcoin.mp4. A glorified video of Bitcoin from various news casts and other broadcasts. This video is coupled with the (fake) news article from an ad within Facebook that demonstrates how much of a "cash cow" Bitcoin really is.
But of course, nobody has heard of "Package Adventure" or this unbranded news so why should we trust them? Well, the same path of a fake news article to land users on the same page from a Facebook Ad occurs with ads taking advantage of Facebook's unfurling engine to enforce the "this is legitimate" feelings from a reader... because everybody has heard of "Forbes", "The Mirror", "Google", and "BBC News".
"You'd be a sucker to not invest in this!" especially with old headlines like 'Everyone Is Getting Hilariously Rich and You're Not' from 2018 (the time of the biggest value bubble bursts in cryptocurrency where Bitcoin went from ~$10,000 to ~$20,000 in 16 days then crashed to $14,000 in 8 days).
So... Let's sign up (under a VPN and give fake data)...
Once you are signed up, they generate you a password and prompt you to make a deposit. What is interesting is they refer you to an entity called QuantomCapital to make your deposit of £250. Let's also skip over the line "Most brokers require a minimum deposit of £100. But with QuantomCapital, you can get started for as little as £250.00."... I mean, math and sanity tests check out!
This domain in particular seems to be in its infancy/untested because to make a deposit on it they iframe QuantomCapital, however because of settings on modern browsers, third-party cookies are disabled so the integration is not working and a user is shown an empty screen. Also the domain `trade.quantom-capitals.com` cannot be resolved.
```
Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.
    at d (https://trade.quantom-capitals.com/vendor.80a7e3d24450d301abdb.js:1:256763)
    at Object.60XN (https://trade.quantom-capitals.com/vendor.80a7e3d24450d301abdb.js:1:257424)
    at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507)
    at Object.21+v (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:312)
    at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507)
    at Object.nRe+ (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:68916)
    at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507)
    at Object.Rg9G (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:50803)
    at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507)
    at Object.o/AL (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:74098)
```
However, these ads are so frequent on Facebook that we can find one that is working — btc-era.com. The same design as before except it's using a different "broker" to take the deposit of £250 (this one has fixed copy of "Most brokers require a minimum deposit of £1000. But with TradingTeck, you can get started for as little as £250.00.").
I am not going to make a deposit, but instead let's collect some data about what the site is doing, what other sites there are, and check out the infrastructure.
If we choose a payment method and fill out the form, our details are sent to another third-party called praxispay.com which seems legitimate?
Whilst I don't have concrete evidence of this being a scam - as I am not completing the £250.00 deposit - it is very suspicious that a lot of Facebook ads are being pushed to convince users of their trading platform being able to guarantee profit in the thousands for every user with a lot of different domains hosting the platforms and pretending to be legitimate sites with branding and making use of unfurling engines for ads (ofc this could be some sort of guerrilla marketing but I very much doubt that). There have also been submissions to app.any.run that show the redirects the user goes through are potentially malicious in nature, dropping encrypted hidden payloads to the client.
Some of these domains are using their own configured nameservers, specifically ns1.dedicated-server-03.com, ns2.dedicated-server-03.com. This is interesting because (and I'm not saying they're the same actors behind this) I've only ever come across 1 other phishing scam domain (that I can remember and was targeting cryptocurrency users) which was written about in Dissecting some of the latest cryptocurrency exchange phishkits about a domain using ns*.hosstinger.info.
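A sketch of pivoting on shared infrastructure such as these nameservers, added here as an example and not taken from the original write-up: starting from one seed domain, it follows shared NS zones and IP addresses through passive-DNS style rows and records why each domain was linked. The `.example` domains, the `192.0.2.x` addresses and the `shared-host.example` provider are constructed; only the `dedicated-server-03.com` nameserver name comes from the text.

```python
from collections import defaultdict

# Constructed passive-DNS style rows (domain, record type, value); not data from the write-up.
RECORDS = [
    ("alpha-trader.example", "NS", "ns1.dedicated-server-03.com"),
    ("alpha-trader.example", "A", "192.0.2.10"),
    ("beta-profit.example", "NS", "ns2.dedicated-server-03.com"),
    ("beta-profit.example", "A", "192.0.2.11"),
    ("gamma-code.example", "A", "192.0.2.11"),
    ("gamma-code.example", "NS", "ns1.shared-host.example"),
    ("unrelated-shop.example", "NS", "ns1.shared-host.example"),
    ("unrelated-shop.example", "A", "192.0.2.99"),
]

def ns_zone(host):
    """Treat ns1.example.com and ns2.example.com as one pivot by dropping the host label."""
    host = host.lower().rstrip(".")
    return host.partition(".")[2] or host

def pivot(records, seed, shared=frozenset()):
    """Walk outward from seed over shared NS zones and IPs, skipping known shared providers."""
    by_pivot, by_domain = defaultdict(set), defaultdict(set)
    for domain, rtype, value in records:
        key = (rtype, ns_zone(value) if rtype == "NS" else value)
        if key[1] in shared:  # mass-hosting pivots link unrelated sites
            continue
        by_pivot[key].add(domain)
        by_domain[domain].add(key)
    seen, queue, why = {seed}, [seed], {}
    while queue:
        current = queue.pop()
        for key in by_domain[current]:
            for other in sorted(by_pivot[key] - seen):
                seen.add(other)
                why[other] = (current, key)  # which domain and pivot linked it
                queue.append(other)
    return seen, why

if __name__ == "__main__":
    linked, why = pivot(RECORDS, "alpha-trader.example", shared={"shared-host.example"})
    for domain in sorted(why):
        print(domain, "linked via", why[domain])
```

Without the `shared` exclusion the walk also pulls in `unrelated-shop.example`, which is why high-fanout hosting providers need filtering before treating a cluster as one campaign.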
My guess at the end-goal of these campaigns is that they are money laundering.
- Create a fake Bitcoin trading platform
- Create a fake article that promotes a fake automated-always-win Bitcoin trading platform
- Purchase Facebook Ads for the fake article
- Get users to sign up to your fake Bitcoin trading platform
- Funnel users through a fake payment/broker service (that uses a legitimate payment processor)
- Users deposit small amount of fiat money to them via the fake trading platform > fake broker > legitimate payment processor
- Bad actors receive the cash and send illicit/tainted Bitcoin to users (at a loss for the bad actors)
- Bad actors now have clean fiat and are offloading their tainted Bitcoin
Below is a bunch of domains and URLs relating to this mentioned in this writeup. Whilst not all of them were found from Facebook ads, there was a good amount from Facebook ads. I did find a lot via PassiveDNS and pivoting on infrastructure. This is by far not a complete list of domains (for example, on 51.83.134.7 there are over 400 domains serving similar content).
As mentioned earlier, all of these website domains have the same rehashed promotional video. Below is a couple of examples...