[HN Gopher] I lost EUR4k in a Facebook scam
       Author : babuskov
       Score  : 533 points
       Date   : 2020-09-14 13:35 UTC (9 hours ago)
        
       Link   : github.com
        
       | cbluth wrote:
       | here is the apk, if anyone is interested:
       | 
       | https://apkpure.com/tiktok-ads-business/com.acazira.tforbusi...
        
       | drchiu wrote:
       | I'd say that the prevalence of marketing hacks out there has
       | made people let their guard down. We assume businesses will lose
       | money on purpose to gain traction to the degree that when we see
       | deals like these, we jump at it without a second thought. No
       | doubt there's technical engineering that went into this scam, but
       | the social engineering and manipulation of the target's
       | psychology is the real secret sauce.
        
       | thrownaway954 wrote:
       | just saying... As much as everyone hates on Apple cause of their
       | review process, you have to admit that an app like this would
       | have been caught.
        
       | jakub_g wrote:
       | Is it just me, or do the screenshots just scream "scam"?
       | 
       | 1. Inconsistent spelling TikTok vs Tiktok, business vs Business
       | in app names and logos
       | 
       | 2. Inconsistent font in Tiktok logo (Times New Roman like font in
       | Android app, wut)
       | 
       | 3. Typos and clumsiness: "vocher" instead of "voucher"; space
       | between $ and 3000 on confirmation screen.
       | 
       | 4. As mentioned, the app developer not being TikTok
       | 
       | I'd not be surprised for a random person to fall for this, but an
       | experienced techie should have seen many red signs.
       | 
       | (Having said that, as some other comment said, logging in with FB
       | on mobile is inherently unsafe because you can't really tell if
       | it's FB or an impostor site. Plus the way the ads markets work,
       | which is just built for scams like this. Modern web sucks).
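The four red flags listed in the comment above can be turned into a mechanical check over the metadata a store listing exposes. The following is an added example, not code from the commenter or from any store; the `Listing` fields, the `red_flags` function and both listings are constructed here (the fake one reuses the developer name, package name and "$ 3000" text from the thread, the clean one is invented), and the brand regex and domain list are assumptions for the TikTok case:

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


# Constructed listing metadata (not real Play Store data): the fields a
# reviewer can read off the listing page without opening the APK.
@dataclass
class Listing:
    title: str
    developer: str
    package: str  # reverse-domain package name
    screenshot_text: list[str] = field(default_factory=list)  # text read off screenshots


# Misspellings seen in low-effort impersonation listings; extend as needed.
KNOWN_MISSPELLINGS = {"vocher": "voucher"}


def brand_spelling_variants(texts: list[str], brand_pattern: str) -> set[str]:
    """Collect every distinct way the brand is written across the listing text.

    brand_pattern is a case-insensitive regex. A genuine brand normally spells
    itself one way everywhere, so more than one variant is a red flag.
    """
    rx = re.compile(brand_pattern, re.IGNORECASE)
    return {m.group(0) for text in texts for m in rx.finditer(text)}


def red_flags(listing: Listing,
              brand: str = "TikTok",
              brand_pattern: str = r"tik\s?tok",
              brand_domains: tuple[str, ...] = ("tiktok.com",)) -> list[str]:
    """Return human-readable red flags for a listing that claims to be `brand`."""
    flags: list[str] = []
    texts = [listing.title] + listing.screenshot_text

    # 1. Inconsistent brand spelling (TikTok vs Tiktok vs Tik Tok).
    variants = brand_spelling_variants(texts, brand_pattern)
    if len(variants) > 1:
        flags.append(f"inconsistent brand spelling: {sorted(variants)}")

    for text in texts:
        # 2. Known typos such as "vocher".
        for typo, correct in KNOWN_MISSPELLINGS.items():
            if re.search(rf"\b{typo}\b", text, re.IGNORECASE):
                flags.append(f"typo {typo!r} (expected {correct!r}) in {text!r}")
        # 3. Clumsy formatting: a space between the currency symbol and the amount.
        if re.search(r"[$€£]\s+\d", text):
            flags.append(f"space between currency symbol and amount in {text!r}")

    # 4. Developer name does not contain the brand it claims to be.
    if brand.lower() not in listing.developer.lower().replace(" ", ""):
        flags.append(f"developer {listing.developer!r} does not match brand {brand!r}")

    # 5. Package name's reverse-domain prefix is not a brand-owned domain.
    #    This is the weakest signal: the prefix is chosen freely by whoever
    #    publishes, and outsourced apps legitimately ship under a vendor's domain.
    parts = listing.package.split(".")
    if len(parts) >= 2:
        domain = f"{parts[1]}.{parts[0]}"
        if domain not in brand_domains:
            flags.append(f"package domain {domain!r} is not a known {brand} domain")
    return flags


# Constructed listings: one mimicking the listing described in the thread,
# one showing what a consistently branded first-party listing would look like.
FAKE_LISTING = Listing(
    title="TikTok Ads Business",
    developer="Develop App",
    package="com.acazira.tforbusiness",
    screenshot_text=["Tiktok for Business", "Redeem your $ 3000 vocher",
                     "Continue with Facebook"],
)
CLEAN_LISTING = Listing(
    title="TikTok For Business",
    developer="TikTok",
    package="com.tiktok.forbusiness",
    screenshot_text=["TikTok for Business", "Redeem your $3000 voucher"],
)

if __name__ == "__main__":
    for name, listing in (("fake", FAKE_LISTING), ("clean", CLEAN_LISTING)):
        print(name, red_flags(listing) or "no red flags")
```

Run as a script, the fake listing produces five flags and the clean one none. None of these checks proves anything on its own (the package-domain check in particular is only a hint), but a listing that trips several of them at once is worth a second look before tapping "Install".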
        
         | josefresco wrote:
         | Aren't those small mistakes on purpose? To ensnare users who
         | miss obvious signs of fraud? I know that's a proven tactic for
         | phishing/email scams.
        
       | tuankiet65 wrote:
       | It might look like aluminium but the description says it's just
       | tape.
        
       | z3t4 wrote:
       | How could Facebook charge the Paypal account without
       | authorization or a second factor??
        
         | commoner wrote:
         | If you accept a billing agreement with a merchant on your
         | PayPal account, that merchant becomes able to charge your
         | PayPal account without confirmation.
         | 
         | https://www.paypal.com/uk/smarthelp/article/what-is-a-billin...
         | 
         | To cancel the billing agreement, follow these instructions:
         | 
         | https://www.paypal.com/us/smarthelp/article/how-do-i-cancel-...
         | 
         | Some merchants encourage or force a billing agreement before
         | the customer can make a purchase. The PayPal UI does not make a
         | strong distinction between entering into a billing agreement
         | and making a standard purchase. For users who are not familiar
         | with the PayPal checkout process, the billing agreement UI
         | looks just like a normal step in the process.
        
           | koyote wrote:
           | I actually happened to be going through the Paypal settings
           | yesterday as I couldn't get it to make a purchase on ebay and
           | thought something might be wrong there.
           | 
           | I had around a dozen merchants who were listed in the
           | automatic billing payment list and only one of them was a
           | subscription I remember setting up. (the others were all
           | legit and large businesses and none of them have charged me,
           | but they could have!). I have since 'deactivated' all of
           | them.
           | 
           | I really do hate Paypal but I often choose them when I buy
           | something from a smaller web shop as I do not trust the web
           | shop to keep my card details safe...
        
         | GoblinSlayer wrote:
         | American convenience "shut up and take my money".
        
       | muststopmyths wrote:
       | >Sure, the developer name "Develop App" sounds strange and should
       | I have looked better, the developgameonline@gmail.com developer
       | email and com.acazira.tforbusiness package name would have
       | definitely raised some concerns.
       | 
       | Come on, dude.
       | 
       | I will say that even the most experienced techies among us
       | sometimes become complacent and let our guard down. It's
       | exhausting having to constantly second-guess every application
       | you want to run.
       | 
       | (Not interested in starting another platform flame war, but this
       | is the main reason I don't use Android. I deal with enough
       | paranoia running Windows daily. Maybe I'm misinformed, but I'm
       | also probably not unique in this respect)
       | 
       | I'm curious if this fake TikTok app would probably have been
       | blocked at the outset in the Apple App Store review process
       | because it's trying to masquerade as another business?
        
         | jrochkind1 wrote:
         | I believe they are saying they didn't NOTICE the
         | "developgameonline@gmail.com developer email and
         | com.acazira.tforbusiness package"; if they had, that would have
         | raised alarm bells. I don't think these are visible on the page
         | without clicking. "the developer name 'Develop App'" is
         | visible, although I don't know how many pay attention to it.
         | They are retrospectively thinking they probably should have
         | thought that wasn't right, and motivated them to look further.
        
         | ggggtez wrote:
         | >It's exhausting having to constantly second-guess every
         | application you want to run.
         | 
         | Maybe try to have a sip of coffee before jumping for that
         | $3000. Let's not pretend that this is just ToS fatigue. The
         | only reason they installed this app is for the free money.
         | 
         | So yes, maybe if someone is offering you thousands of dollars,
         | you should consider _that_ to be the time to second-guess
         | what's happening.
        
         | JAlexoid wrote:
         | So.... False sense of security is OK, just because "Apple".
         | Give me a break...
        
         | fencepost wrote:
         | The gmail address as a red flag yes, but the package name? Nah.
         | 
         | Given that a lot of companies outsource app development to
         | third-party companies that in many cases mostly reskin and
         | extend an existing app that they sell to many clients, a
         | package name that could be from a development shop likely
         | wouldn't cause concern.
         | 
         | Sure Tik-Tok has a significant in-house development staff, but
         | they're focused on the backend and client apps and Sales and
         | Marketing may not have much access to them. It may be much
         | easier for those departments to fully outsource that
         | development to a vertical-market vendor, particularly if it's
         | SaaS and the resulting app(s) aren't integrating with internal
         | systems except via downloaded CSV files.
        
           | bentcorner wrote:
           | And literally nothing stops someone from creating a
           | tiktokforbusiness domain and fixing the developer name.
        
         | flavmartins wrote:
         | Any free app I always look at the developer name. Generic name
         | that looks like it could be trying to mislead? Always a bad
         | sign.
         | 
         | Who gets together and says, "I have the perfect name for a new
         | dev shop: Develop Apps".
        
         | varispeed wrote:
         | It's the problem of Facebook and PayPal that they have
         | inadequate protections and blame the users for that. I think
         | the issue is of allowing a payment to go through without
         | triggering any security checks. Probably some basic checks
         | should also be done on whether a company publishing an app
         | actually exists.
        
           | luckylion wrote:
           | I wouldn't blame PayPal as much, this is on Facebook in my
           | opinion. Recurring payments are a good thing, we don't want
           | constant re-authorization when the relationship has been
           | established.
           | 
           | Facebook on the other hand should have handled it
           | differently. I don't know how their permission screen for app
           | authorization looks, but I guess it should have a huge red
           | warning sign if it includes a permission to allow the app to
           | spend your money.
        
         | brian_herman__ wrote:
         | I don't know, looking at the other parts the app looks legit,
         | however TikTok asking for facebook login? That is where I would
         | stop and think for a little bit.
        
           | donmcronald wrote:
           | "Sign up for TikTok", "Continue with Facebook". It's
           | literally the first screen you see from the official app, so
           | it's not unbelievable. Social sign in is pervasive.
        
         | actionowl wrote:
           | Not being an android user and not being familiar with the Play
           | Store I might have glanced over "Develop App" having internally
         | misread it as "Developer App" and thinking it was a category,
         | not the developer's name.
        
           | reaperducer wrote:
           | _I might have glanced over "Develop App" having internally
           | misread it as "Developer App"_
           | 
           | I bet many thousands of people on HN would have done the same
           | thing.
           | 
           | I think it's an issue with reading comprehension. In general,
           | comprehension seems to have plummeted in the last five to ten
           | years. I send people e-mails asking two questions, and only
           | get the first one answered. People read a headline and think
           | it means something other than what it says. Flamewars erupt
           | online over something that nobody actually wrote, but someone
           | thinks they saw.
           | 
           | It seems to be rooted in the fact that these days people skim
           | text, rather than read what is written. I don't know if it's
           | because of general information overload, or a lack of
           | attention to detail, or if the mindless scrolling of phone
           | apps has trained us that visual impressions of words are good
           | enough.
           | 
           | Or, if I can put on my old man hat, maybe it's just that
           | people aren't as good at reading as they think, and that if
           | people looked at a book half as often as they look at their
           | telephones, they might get some good reading practice.
        
             | bakuninsbart wrote:
             | > It seems to be rooted in the fact that these days people
             | skim text, rather than read what is written. I don't know
             | if it's because of general information overload, or a lack
             | of attention to detail, or if the mindless scrolling of
             | phone apps has trained us that visual impressions of words
             | are good enough.
             | 
             | I think it is the former. I'm perfectly capable of reading
             | a poem or code word-for-word, but as soon as I'm in my
             | browser something "clicks" and I'm just skimming text. It
             | is usually completely subconscious, but while reading your
             | comment for example, I realized I was only reading half of
             | each sentence.
        
             | curryst wrote:
             | > It seems to be rooted in the fact that these days people
             | skim text, rather than read what is written. I don't know
             | if it's because of general information overload, or a lack
             | of attention to detail, or if the mindless scrolling of
             | phone apps has trained us that visual impressions of words
             | are good enough.
             | 
             | One aspect is that it's a parasitic efficiency increase.
             | The 80/20 rule applies here; you can answer 80% of the
             | emails by skimming. If you just don't handle, or poorly
             | handle, the 20% of the emails that take 80% of the time,
             | you get a bunch of time back.
             | 
             | I also think that the overload comes from notifications,
             | not general information. We get a crazy number of
             | notifications from our personal devices (and many/most
             | people check them), and during the work day that's
             | compounded with all the systems at work that send
             | notifications. I think that we've subconsciously taught
             | people to work between the notifications. It can feel like
             | if you don't respond to them in real time then you might
             | end up with an insurmountable backlog of notifications to
             | handle, so people have acclimated to handling them in real
             | time. Each time someone responds to an IM, a mental timer
             | starts, counting down how long it is until it thinks the
             | next notification might come. Or, conversely, you're in a
             | notification lull, and you start thinking this is your only
             | time to get anything done towards the sprint, so you smash
             | out fast responses to the notifications you do get, trying
             | not to break your train of thought.
             | 
             | Others may have different experiences, but I get
             | notifications from so many systems and people that it can
             | be overwhelming. And the tools we are offered to manage it
             | suck. Slack's notification settings are better than what I
             | had before with Lync, but they're still lackluster. Email
             | has the best filtering record so far, but it is also by far
             | the most abused by tools.
             | 
             | Some things I would love to see in a chat system:
             | 
             | * Chat and notification filters based on whether the user is
             | a bot or not
             | 
             | * A sane "handle this later" queue or some kind of
             | integration with a task manager to let me click to create a
             | ticket
             | 
             | * A way to communicate busy-ness through my status. Either a
             | level I can manually set, or a system that can guesstimate
             | it (i.e. "curryst has 8 active private chats right now") so
             | we can all gauge whether what we need is that important
             | right now
             | 
             | * Customizable options to batch notifications. I would love
             | it if I could have Slack batch my notifications and just
             | send me one notification per minute that says "3 new
             | messages"
             | 
             | My holy grail is if they would let me write my own
             | functions to determine whether to notify for an event,
             | batch it into the next batched notification, or to not
             | alert at all. Most of these desktop clients are in Electron
             | anyways, just let me pass it a path to a Javascript file
             | that exports functions to filter notifications.
        
             | insomniacity wrote:
             | > I send people e-mails asking two questions, and only get
             | the first one answered.
             | 
             | This has been bugging me for at least 10 years, and also
             | extends to IM. If it's IM, I ask one at a time.
             | 
             | If it's email, I either have to ask one at a time, form the
             | two questions into one, or turn it into a sandwich -
             | question 1, question 2, rephrase question 1.
             | 
             | What I really want to do is grab them by the shoulders and
             | shake them, shouting "You saw the second question -
             | yes?!?!"
        
             | [deleted]
        
             | StavrosK wrote:
             | It is also the case that people aren't as good at writing
             | as they think. I've seen people write pages and pages of
             | text to say a few simple things, don't separate the
             | important from the unimportant, etc, and then wonder why
             | others don't take 15 minutes out of their busy day to read
             | the incessant, flavorless text until they find the actual
             | point.
             | 
             | A good way to write text where you're going to ask people
             | for stuff is to write it in a top-down manner, where first
             | of all you mention "I want X", then you quickly summarize
             | what exactly you want and why, and then write a more
             | detailed paragraph on the various nuances, always making
             | sure to cut everything down to its absolute essentials.
        
               | akdas wrote:
               | I really like that style. It's related to the Inverted
               | Pyramid style in journalism, meaning others have thought
               | a lot about how to get important information up to the
               | front of a piece of writing.
               | 
               | https://en.wikipedia.org/wiki/Inverted_pyramid_(journalism)
        
               | Osiris wrote:
               | I learned about this in journalism class in high school
               | over 20 years ago and it's still one of the most valuable
               | lessons I remember from high school. As someone with
               | ADHD, I _really_ appreciate when people follow this
               | style.
               | 
               | Blog articles, especially Medium, are really bad about
               | this. I've clicked on headlines about an interesting
               | topic only to find the article not even mention the topic
               | from the headline until 2/3 of the way into the article.
        
               | StavrosK wrote:
               | I didn't know it had a name, thanks!
        
               | Sohcahtoa82 wrote:
               | > I've seen people write pages and pages of text to say a
               | few simple things
               | 
               | Heh...reminds me of a couple anecdotes from my days in
               | school.
               | 
               | Sometimes as we were being handed back tests/quizzes that
               | had some questions that required a couple sentences to
               | answer, there'd be times where I did exactly that. I
               | wrote only a couple sentences. Meanwhile, I glance at the
               | person next to me to discover that they had written two
               | entire _paragraphs_. I got marked as having a correct
               | answer with only two sentences, so what the hell were
               | they writing about?
               | 
               | Then I had a teacher who, before the final exam, said
               | that every question is able to be answered in four
               | sentences or less. If you write several paragraphs, you
               | would lose points for wasting his time, even if your
               | answer was correct.
        
             | Osiris wrote:
             | > In general, comprehension seems to have plummeted in the
             | last five to ten years. I send people e-mails asking two
             | questions, and only get the first one answered.
             | 
             | OMG, this happens to me all the time, and I don't even use
             | email as a primary communication mechanism. It's so
             | frustrating. I think the case is that people are reading
             | and responding to emails on the go on their phone and so
             | don't have/take the time to write a full response.
             | 
             | In the "old days" it was appropriate to answer emails by
             | leaving a partial quote in place and responding below that
             | for each answer. Something changed (I blame Outlook) and
             | now that never happens.
        
           | NiekvdMaas wrote:
           | Exactly this, it doesn't really stand out. Obviously I
           | wouldn't have installed the app if I had noticed.
        
             | donmcronald wrote:
             | I didn't notice it the first time I looked either :-(
             | 
             | Bad spelling and grammar used to be a great indicator of
             | something being amiss, but the volume of it in legit
             | business these days has made me so desensitized that I
             | didn't even blink at this one.
        
             | muststopmyths wrote:
             | I wasn't trying to excoriate you for your mistake, so I
             | apologize if that's how it comes across.
             | 
             | I did try to modulate the harshness of "Come on, dude" with
             | the rest of my comment. Like I said, sometimes we let our
             | guard down. So it's understandable if you got fooled.
             | 
             | In hindsight there are more red flags in just that
             | screenshot ("More by Develop App", obviously fake reviews
             | to point out just two), but God knows I've clicked through
             | installs for shit apps on iOS many times.
        
               | NiekvdMaas wrote:
               | No worries, no offense taken.
               | 
               | I still can't believe myself I fell for this, as said I
               | have 2FA on all accounts and I'm normally very cautious.
               | I guess it's a combination of all the factors here at
               | play: Facebook allowing a fake TikTok Ads advertiser, the
               | ad looking very legit (referring to an existing ad credit
               | program), Google allowing a fake TikTok Ads app with fake
               | reviews, and not getting any notifications until the
               | amount was charged from my PayPal account.
        
               | ShroudedNight wrote:
               | FWIW, given the surrounding context, I interpreted "Come
               | on, dude" as an exhortation for the author to cut
               | themselves some slack. I agree that 100% correct 100% of
               | the time is an exhausting bar to maintain, and one that
               | we should be working very hard to ease.
               | 
               | I think it's worth pointing out that the difficulty /
               | impossibility of achieving that bar (at least in the
               | general case) is one of, if not the central tenet of
               | Christianity, ostensibly the dominant religion of the
               | West for something like 1500 years. Regardless of one's
               | metaphysical beliefs, it's worth remembering that
               | arguments for the necessity of grace and slack in
               | positive interactions have a long historical precedent,
               | and I find we ignore them at our peril.
        
           | StavrosK wrote:
           | Being an Android user, I looked for the developer's name, saw
           | "Develop App" and thought it was a category and I was just
           | mistaken about where on the page the developer's name was
           | supposed to be. This was all instinctive, I didn't sit down
           | to think about it, though.
           | 
           | It doesn't help that the developer name and category have the
           | exact same visual style, I guess.
        
           | kn0where wrote:
           | The big red flag I saw was that "Tik Tok" is in the wrong
           | font in every screenshot.
        
         | solinent wrote:
         | I've actually stopped using google's spam filter and started
         | looking into the spam occasionally.
         | 
         | With no data, if one slips through it shouldn't be up to the
         | spam filter if I can be scammed!
         | 
         | edit: that was a particularly bad typo to make. I mean scammed,
         | not spammed :)
        
         | mrtksn wrote:
         | >I'm curious if this fake TikTok app would probably have been
         | blocked at the outset in the Apple App Store review process
         | because it's trying to masquerade as another business ?
         | 
         | I bet that it is possible to slip through the review process
         | however there's also a safeguard on the developer account
         | creation. Apple wouldn't let you create a developer account
         | using vouchers, PayPal or prepaid cards, at least not from
         | countries where scams are commonplace. Also you would be asked
         | to provide documentation of company registration to have an
         | account named "Develop App".
         | 
         | It is a common theme on HN to trash Apple on its "draconian
         | restrictions" but the reality is that Apple AppStore is a safe
         | place to be. You don't have to study the App before downloading
         | it, you first download then decide if you want to keep it and
         | security is never a concern. The Apple tax is something I am
         | happy to pay for that luxury.
         | 
         | I am a developer and I have no idea what
         | com.acazira.tforbusiness means. What keeps it from being
         | com.toktik.forbusiness?
         | 
           | On AppStore this is something that you type by yourself on
           | the project configuration screen in Xcode and I don't remember
         | reading any restrictions about it, only recommendation to use
         | reverse domain name notation to prevent conflicts.
        
           | saagarjha wrote:
           | > I don't remember reading any restrictions about it
           | 
           | You can never change it. This is how you get
           | com.toyopagroup.picaboo (Snapchat) or
           | com.yourcompany.TestWithCustomTabs (AccuWeather).
        
             | Dragonai wrote:
             | This is too funny. Thanks for sharing!
        
             | freeqaz wrote:
             | Thank you for sharing. This is hilarious!
        
             | jonplackett wrote:
             | Haha, this possibly explains why the accuweather app is not
             | the best made app ever.
        
           | danlugo92 wrote:
           | False dichotomy.
           | 
           | Google could up its Play Store review process + not
           | installing from outside the store would result in the exact
           | same security advantages you're talking about, while still
           | letting you install from third party sources if you're a
           | power user.
        
             | CapriciousCptl wrote:
             | Google probably could implement similar security. But the
             | problem is as of today, 2020, they don't.
        
               | shawnz wrote:
               | Yes, but it's not because Android allows sideloading that
               | the Google Play store is poor quality. Apple could allow
               | sideloading and still have a better quality app store.
        
             | hevelvarik wrote:
             | But until they do, the dichotomy isn't false.
        
           | brundolf wrote:
           | This doesn't preclude there being competing app-stores on the
           | platform, though. I'm glad Apple's is the way it is
           | (overall). And if alternatives popped up I would probably
           | mostly stick with the first-party one. But having an
           | alternate channel means you _can_ circumvent Apple's review
           | process when they're being especially unreasonable, and the
           | competition would probably force them to improve their own
           | offering as well. Everybody wins (except maybe Apple).
        
           | ConcernedCoder wrote:
           | I will second this "security as a tax is well worth it"
           | mindset, I'm a programmer, and like to think I'm security
           | savvy, but I CANNOT babysit my non-tech-savvy wife 24/7 and
           | having her on iphone / macbook is a weight off my shoulders
           | as far as appstore security, as married assets are shared
           | assets and the "weakest link" plays in the security arena...
        
             | _fullpint wrote:
             | I'm a programmer and have taken graduate classes in
             | Security Analytics, and I have a hard time convincing myself
             | that I'm security savvy.
             | 
             | It's such a cat and mouse game that has massive jumps in
             | acceleration when it comes to 'novel' ways attackers create
             | new exploits.
             | 
             | Having Apple taking it seriously even for people like me is
             | a huge win.
        
               | blackflame7000 wrote:
               | No matter how much you learn, you will still never know
               | what you don't know. A zero day is by definition
               | something you don't know and therefore we recognize that
               | there is some futility in trying to defend against
               | everything that ever was and all that ever will be
        
               | junon wrote:
               | Apple takes it more seriously than the Windows teams do,
               | sure.
               | 
               | That's not to say Apple is perfect. Their "root"/"" login
               | bypass zero-day was absolutely unacceptable, even
               | compared with Microsoft's problems.
               | 
               | Other than that, I'd trust an Apple device over a windows
               | device any day of the week.
        
           | ufmace wrote:
           | That's a key part of the security landscape that many techie
           | users just don't seem to get. Maybe you'd like to be able to
           | run your own code natively without jumping through a bunch of
           | hoops, and distribute code you wrote without it having to be
           | blessed by some megacorp that might not care too much about
           | you. And maybe you're doing nothing but good and useful
           | things when you use those abilities.
           | 
           | But there are a ton of bad actors out there who will also use
           | those abilities to scam and steal. You can stereotype it as
           | only clueless users falling for that, and there's even a
           | little truth to it, but 1. Some are quite good and nobody is
           | perfect, you can still get scammed yourself, and 2. It seems
           | not cool to just write off everybody who isn't a tech expert,
           | throw them to the wolves, blame them for falling for any
           | scams.
        
             | orangecat wrote:
             | _That's a key part of the security landscape that many
             | techie users just don't seem to get._
             | 
             | I get it. And I don't think the threat justifies handing
             | complete control of our computing environments to a single
             | corporation.
             | 
              | _But there are a ton of bad actors out there who will also
              | use those abilities to scam and steal._
             | 
             | Bad actors often set up fake websites. Should computers and
             | phones have mandatory browser filters so you can only go to
             | approved sites?
        
               | ufmace wrote:
               | _Bad actors often set up fake websites. Should computers
               | and phones have mandatory browser filters so you can only
               | go to approved sites?_
               | 
               | Well they don't, but browsers do spend an inordinate
               | amount of effort trying to make sure that bad websites
               | can't do anything other than show you things. I'm pretty
               | sure that all of the browser vendors will pay 5-6 figure
               | sums for any exploit chains that would allow a website to
               | do things like read files without permission or execute
               | code on the OS. And people regularly complain about the
               | ever-tightening restrictions on what websites are allowed
               | to do.
        
               | tgsovlerkhgsel wrote:
               | That's also the case for apps though, at least on iOS
               | apps are sandboxed almost as well as web sites to my
               | knowledge.
        
           | mekoka wrote:
           | It's not necessary nor useful to create a false dichotomy.
           | The safety of the AppStore may be a reason to have a strict
            | review policy, but it should not become an excuse to abuse
            | that policy. The price tag of safety is certainly some amount
           | of freedom, but it's worrisome that people are learning to
           | accept this without also distinguishing when this
           | relationship is being usurped for other means.
        
             | noizejoy wrote:
             | If something simply doesn't exist, how reasonable is it to
             | assume that it could exist? How am I supposed to
             | differentiate the statement that something could exist from
             | fairytales?
        
       | tehlike wrote:
       | Initiate a charge back through the bank
        
       | disillusioned wrote:
       | I lost $2k in a Facebook scam that I'm really not proud of. A
       | company spoofed BitMain's FB page and ran ads for their newest
       | AntMiner models saying they had a batch that was ready to ship in
       | limited supply. The BitMain FB account looked legit. The website
       | itself obviously had an SSL cert (and was a pixel for pixel clone
       | of their real site, except the product was in stock), but what I
       | didn't notice was the microscopically small presence of a dot
       | over one of the characters. It was an IDN homograph attack, and
       | looking at the website and not noticing the unicode character,
       | everything else looked right.
       | 
       | The fact that they took BTC as payment didn't raise any red flags
       | either, because, you know, BitMain does.
       | 
       | I'm mostly infuriated at Facebook for not validating the company
       | name or doing anything resembling protecting their audience. I
       | lent them too much credibility because it looked like they were
       | ads from the real company's page, and so I let down my guard
       | elsewhere.
       | 
       | I've never otherwise been hacked or scammed, and I know allllll
       | of the basics to look out for, but this one still infuriates me
       | for making a fool of myself.
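The IDN homograph trick described in this comment can be caught mechanically. The following is an added example (not from the linked post or from any commenter) that uses only Python's standard library: it turns an xn-- hostname back into the Unicode a user sees, names every non-ASCII character, flags mixed scripts, and collapses accents plus a small constructed subset of Cyrillic confusables to test the result against a constructed allow-list of trusted hostnames.

```python
"""Spot IDN homograph lookalikes such as the accented BitMain clone above.

Constructed example for this thread, not code from the linked GitHub post.
Standard library only: the idna codec translates between the "xn--"
(punycode) form a browser may show and the Unicode form a user sees, and
unicodedata explains which non-ASCII characters are present.
"""
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones.
# The full Unicode confusables table is much larger; this is enough to
# illustrate the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u0501": "d", "\u051b": "q",
}


def to_unicode(host: str) -> str:
    """Return the Unicode form of a hostname, decoding xn-- labels if present."""
    host = host.strip().rstrip(".").lower()
    try:
        # ASCII input: may contain punycode labels, which the idna codec expands
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        # Already Unicode; normalise so composed and decomposed forms compare equal
        return unicodedata.normalize("NFC", host)


def script_of(ch: str) -> str:
    """Rough script name taken from the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Strip accents and map confusables so lookalikes collapse onto their target."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):  # drops the acute accent split off from "í"
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyze_host(host: str, brands: set) -> dict:
    """Describe why a hostname may be impersonating one of `brands`.

    `brands` is a constructed allow-list of the exact hostnames you trust.
    """
    u = to_unicode(host)
    non_ascii = [(ch, unicodedata.name(ch, "?")) for ch in u if ord(ch) > 127]
    scripts = sorted({script_of(ch) for ch in u if ch.isalpha()})
    skel = ".".join(skeleton(label) for label in u.split("."))
    lookalike = skel if (skel in brands and skel != u) else None
    mixed = len(scripts) > 1
    return {
        "unicode_host": u,
        "non_ascii": non_ascii,
        "scripts": scripts,
        "mixed_script": mixed,
        "lookalike_of": lookalike,
        "suspicious": mixed or lookalike is not None,
    }


if __name__ == "__main__":
    trusted = {"bitmain.com"}  # constructed allow-list
    for h in ["bitmain.com", "bitma\u00edn.com", "bitm\u0430in.com"]:
        print(h.encode("idna").decode("ascii"), analyze_host(h, trusted))
```

Run stand-alone it prints the punycode form and the analysis for a clean hostname, an accented lookalike and a mixed-script lookalike of the constructed trusted name.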
        
         | tha0x4 wrote:
         | And this is why BitCoin will never fully take off.
         | 
         | If you made this transaction with your credit card, you could
         | call up your bank two weeks later and get your $2k back that
         | day.
         | 
         | BitCoin? Kiss that virtual fool's gold goodbye.
        
           | Dahoon wrote:
           | 6 months by law in the EU.
        
         | jankeymeulen wrote:
         | What browser are you using that is displaying IDN unaltered?
        
         | colejohnson66 wrote:
         | Not blaming you at all, but a good tip is to look at the number
         | of "likes" a page has and see if it sounds reasonable.
         | Definitely not foolproof though.
        
           | searchableguy wrote:
           | Nope. Easily faked. There are centres where people get paid
           | $5-10/day to like, follow, comment, etc here. They use bots
           | too.
           | 
           | You can purchase an official ID under $10. Many Indian
           | marketing firms use them.
        
             | colejohnson66 wrote:
             | Oh absolutely. I admit it's not foolproof, but if a page
             | named "Amazon" only had 100,000 likes, I'd be a bit
             | suspicious. For comparison, the actual Amazon FB page has
             | _19 million_ likes IIRC.
        
               | searchableguy wrote:
               | I have been scammed only once by a company so far. It was
               | oyo (another gem run by softbank). They sold all my
                | information, made me pay twice and left with such a poor
               | service. Few of their actual employees were the scammers
               | along with the hotel manager (likely) so I wasn't
               | suspicious... because ya know, you are supposed to trust
               | official communication portals.
               | 
                | It opened my eyes to how far a scam can go. A billion
               | dollar valuation or millions of likes says nothing.
               | 
               | I filed a complaint but have yet to follow up due to
               | covid. It was a visit due to medical reasons so we didn't
               | focus too much on it.
        
         | foobarian wrote:
         | Every now and then I catch myself not doing this but by and
         | large I always type out URLs for ads/emailed links by hand. It
         | takes out a lot of the attack surface for me, and it looks like
         | in this case it would have worked.
        
         | [deleted]
        
       | JAlexoid wrote:
       | Facebook Ads are the worst ones. Full of scams!
       | 
       | Never click on them
        
       | jacquesm wrote:
       | Red flag missed: all reviews are of the same date. (Sept. 1st).
        
       | fortran77 wrote:
       | If Facebook ran that ad, you should at least try to hold them
       | accountable.
        
       | chatmasta wrote:
       | > Unfortunately I don't have a screenshot of the ad in question
       | 
       | FYI I believe there is a way you can see the ads you've clicked
       | on in the last 3 months from within Facebook settings somewhere.
        
       | crispyporkbites wrote:
        | You didn't lose 4k - Facebook have the money, it's in their
       | account.
       | 
       | They sold virtual space at an almost infinite margin to a hacked
       | account. The account was hacked on their system, the ad that
        | facilitated the attack was run on their platform and they allowed
       | the whole thing to perpetuate.
       | 
       | If this was in meatspace, Facebook would be an accessory to
       | fraud.
        
       | rbrtl wrote:
       | I shortened the TLDR:
       | 
       | TL;DR: don't click ads
        
       | dvcrn wrote:
        | Most ads I see these days on Instagram are scams. They usually
       | lead to sites that have been built with a quick template and
       | always offer 50-80% discount on little things I want, for example
       | lamps.
       | 
       | They all offer PayPal so I took the bait once. The scam was
       | clever: they ship something that isn't what you ordered. Like a
       | jump rope for $1 instead of the $30 lamp (discounted from $200)
        | or drone. To get a 60% refund, you have to send it back at your
        | own cost.
       | 
       | Now it gets more tricky: the parcel might not even be delivered
       | to your address. Mine never arrived but got delivered to a zip
       | code close to mine, but not mine. There are lots of reports of
       | people that receive things without ordering anything and people
       | who never get their stuff. There is also no guarantee what you
       | ship back arrives back at them. If it doesn't, the company
       | doesn't refund anything.
       | 
       | I quickly realized this is an obvious scam and asked them to
       | cancel, and opened a PayPal claim before anything got shipped.
       | The company said they are processing my refund and it will take 3
       | days for my money to be back (which is not how PayPal works).
       | Guess what? In the 3 days, they just shipped something which
       | threw the PayPal claim off because now they have to wait until
        | the shipment arrives and gets sent back (info from PayPal cs).
       | 
       | It's been over a month and I am still trying to get my money from
       | PayPal back. It's difficult because I haven't received anything
       | but the shipping number says it arrived. The site no longer
       | exists and the email I previously used to reach out is gone too.
       | 
       | It's crazy to me that PayPal enables all of these scammers. They
       | clearly know how to play PayPal to get around the buyer
       | protection.
       | 
       | These days I can't trust any ads because of this unless I do a
       | lot of research on the site. It's very likely all scam. I saw
       | similar sites on google shopping (the price comparison product),
       | so it's not just Facebook.
        
         | babaganoosh89 wrote:
         | It's better to use credit cards when you can, chargebacks are
         | way easier than that.
        
       | vezycash wrote:
       | One more reason why adblockers are a must install for everyone
       | especially non technical people.
        
       | tluyben2 wrote:
       | Browsers / webviews must have a special visual state for OAUTH
       | requests. As it is very easy to mimic.
        
       | negamax wrote:
       | Android has become a serious security risk
        
       | lxe wrote:
       | > Sure, the developer name "Develop App" sounds strange and
       | should I have looked better, the developgameonline@gmail.com
       | developer email and com.acazira.tforbusiness package name would
       | have definitely raised some concerns.
       | 
       | Sorry that you have to deal with this, and well done on actually
        | flagging all these things as suspicious. I also sometimes make
       | these tradeoffs, when something sounds 'not quite right' I would
       | still sometimes make a judgement to ignore it.
        
       | rdiddly wrote:
       | HN loves to downvote any comment about grammar & spelling, but
       | now we see it in its proper context as a cybersecurity measure.
       | If I'd seen "vocher" (i.e. voucher) on a big blue button I
       | would've applied the brakes on my clicking finger. Whether it's
       | unintentional (indicating incomplete mastery of English and
       | perhaps foreign scammery), or intentional (indicating a
       | purposeful screening device to make sure only rushed, inattentive
       | and stupid people respond), take advantage of the warnings they
       | leave for you.
        
       | VonGuard wrote:
       | I'm completely unsurprised. I cannot be the only sucker in here
       | who bought something off of a Facebook ad, and got a token piece
       | of China-shipped junk instead. Mine was a video of a steel light
       | saber being disassembled and put together, with all working
       | parts. I was stupid, I paid $30 for it, and a month later, a box
       | from China shows up with a $1 plastic sword.
       | 
       | After that, I started commenting on every Facebook scam ad I saw,
       | and guess what? That just got me into the queue for MORE scam
       | ads! Facebook sees me commenting "SCAM" on ads about cheap Legos,
       | and it says "Hey, this guy likes cheap Lego scam ads!"
       | 
       | Plus, these ads go to different sites, have different company
       | names, and different images every time, but they are the EXACT
       | same scam, guaranteed. It's like Facebook is incapable of having
       | a legitimate and ethical advertising business at some genetic
       | level, and all the money from these obvious scam ads is just too
       | good.
       | 
       | This shit is so prevalent and so brazen, I've considered setting
       | up my own scam ad, maybe sell a Qanon book that's blank and say
       | "Fuck you, idiot" inside... I mean, why not? It seems like people
       | are getting rich by fucking over Facebook users, and Facebook
       | LOVES it!
       | 
       | They have such utter contempt for their users. And here I am
       | still using it because it's the only platform I can see pictures
       | of my family members on, as they are non-technical users. Am I
       | supposed to run some kind of internal family campaign to get them
       | all to move to some non-existent alternative? I hate this so
       | much. I feel trapped by Zuck's heartless machine.
        
         | Nextgrid wrote:
         | > That just got me into the queue for MORE scam ads!
         | 
         | I once created a Facebook account to test something and for
         | some reason it decided I was some sort of gambling addict (that
         | e-mail was registered on a legitimate gambling website and I
         | guess they leaked it) and the "people you may know" was full of
         | fake accounts all related to some kind of scummy mobile casino
         | game (I guess the game requires login with FB or maybe gives
         | new people free tokens so they just register tons of fake
         | accounts?).
         | 
         | I've spent a good 20 minutes reporting every single one of them
         | (up to actually hitting the rate limit on the report endpoint)
         | and not only did the algorithm not take the hint that maybe it
         | wasn't a good idea to recommend me more accounts out of that
         | category but their support didn't deem the majority of them as
         | violating the community guidelines despite them being obviously
         | fake (and I couldn't notice any difference between those that
         | were deemed as violating their guidelines and those that
         | don't).
        
           | fencepost wrote:
           | It may be that there were cultural clues that cued you into
           | them being fake but that would be completely meaningless for
           | someone being paid pennies to review those reports in another
           | country.
        
             | Nextgrid wrote:
                | Yes, but it is that person's job to spot those things. If
             | I as a user can do a better job than them then something is
             | very wrong with the resources/training they are provided.
             | They should be _better_ than I am, not worse.
        
               | VonGuard wrote:
               | I reported every single ad for Legos I saw for a week. I
               | ended up with more ads for Lego scams, too.
        
       | sova wrote:
       | Astonishing that people with such creativity would resort to
       | theft and deception -- you cannot steal as much as you could earn
       | legally, making something useful for everyone!
        
         | crispyporkbites wrote:
         | Not in Vietnam
        
       | londons_explore wrote:
       | Your mistake is using "Log in with Facebook" on a mobile device.
       | 
       | Since neither iOS nor Android have any kind of trusted UI, there
       | is no way you can be sure if you are logging into Facebook on an
       | app, or just giving that app your credentials for them to do as
       | they please.
       | 
       | Until iOS or Android get trusted UI for these usecases, I suggest
        | using browsers on windows/Mac/Linux where you can see in the
       | address bar which company you are giving credentials to, and
       | can't as easily be faked.
       | 
       | If you must use a mobile device to log into Facebook via a third
       | party app, I suggest using a new Facebook account each time.
        
         | gridlockd wrote:
         | It's possible to do "trusted UI" on iOS/Android by opening a
         | browser window that shows you're actually logging into
         | facebook-dot-com. That still wouldn't prevent these scams from
         | working because users don't necessarily know how to tell the
         | difference between "trusted UI" and "scam UI".
        
           | londons_explore wrote:
           | Except it isn't... Because the app can just show a UI that
           | looks like a browser window, and there's no way for the user
           | to know.
        
             | gridlockd wrote:
                | If you open a browser window, there are going to be some
                | things that can't be faked 100% accurately, e.g. on iOS
             | there will be a link back to the app at the top left, there
             | is going to be an animation, and so on.
             | 
             | It could be faked 95% accurately, but that's moot, because
             | like I said, the user hasn't necessarily learned what
             | "trusted UI" is in the first place.
        
             | danielhua wrote:
             | https://news.ycombinator.com/item?id=24470530
             | 
             | Looks like it was a real Facebook login webview.
        
               | gridlockd wrote:
               | ...which is different from a browser window, running
               | inside the actual system browser.
               | 
               | The difference may of course be subtle, but even
               | obviously fake logins can work on the untrained eye.
        
             | donmcronald wrote:
             | Like this old trick.
             | 
             | https://news.ycombinator.com/item?id=4629906
        
         | ramses0 wrote:
         | iOS has trusted UI via "double-tap-side-hardware-power-button".
         | So it's a trusted trigger, and a presumably native UI.
         | 
         | I've been very impressed by eBay/PayPal providing "very good"
         | almost native-feeling payment integration (swipe-to-pay, UI
         | coming up from the bottom of the screen), so it may not last
         | forever, but interesting to hear of the depth of scamming
          | possible on phone UIs (and probably desktop UIs too).
        
         | babuskov wrote:
         | > _Your_ mistake is...
         | 
         | Not mine. I just posted what Niek van der Maas wrote on his
         | GitHub. I don't think he's even reading this HN thread.
        
           | NiekvdMaas wrote:
           | Actually I am ;)
        
             | babuskov wrote:
             | Cool :)
        
         | NiekvdMaas wrote:
         | (OP here)
         | 
         | While you are absolutely right, I want to highlight that this
         | was done in a quite sophisticated way. It's actually the real
         | login page of Facebook in a webview. I have 2FA on all my
         | accounts including FB, so it looked very legit. Once you have
         | logged in, they seem to grep the token and close the webview.
        
           | GoblinSlayer wrote:
           | You mean they extracted your primary full access token, not
           | the generated restricted oauth token?
        
             | londons_explore wrote:
             | If your app has a webview in it, on both iOS and Android,
             | you have full access to run script inside that webview and
             | take/set cookies for any domain. You can easily take the
             | auth cookie.
             | 
             | Some Google auth cookies can only be used _on the same tls
             | session that created them_ [1]. That means the TLS session
             | resumption information (which can be tied to hardware
             | platform features like the TPM) is required to make use of
             | a stolen auth cookie. Unfortunately while that approach has
             | big security benefits, it's pretty anti-user-privacy.
             | 
             | [1]: https://nakedsecurity.sophos.com/2018/10/25/could-tls-
             | sessio...
        
             | NiekvdMaas wrote:
             | Yes, pretty sure. It wasn't an oauth screen but the actual
             | FB login screen.
        
         | canes123456 wrote:
         | iOS will redirect you to your Facebook app
        
           | beervirus wrote:
           | Delete the app. There's no reason to install it.
        
         | taftster wrote:
         | I don't feel comfortable tying any two logins together for any
         | site, regardless of mobile vs. desktop. Choosing to log into
         | any site using facebook, google, etc. is setting up for
         | trouble. I much prefer a strong password manager and separate
         | logins for everything.
        
         | xaitv wrote:
         | > If you must use a mobile device to log into Facebook via a
         | third party app, I suggest using a new Facebook account each
         | time.
         | 
         | I might be wrong about this as I've not used Facebook for many
         | years now, but doesn't Facebook require a phone number for new
         | accounts nowadays, and requires you to use your real name as
         | well?
        
           | danielhua wrote:
           | It's actually even nastier than that. If you fail their
           | automated checks for fake accounts, they'll lock your account
           | and require you to submit a photo of your face and ID card.
        
           | wolco wrote:
           | No I have an older relative who creates a new account every
           | other week for whatever reason.
           | 
           | Think of how many accounts are created for games reasons.
           | Some games require friends taking action to progress. Some
           | allow friends to send prizes like lives/money/resource.
        
             | Sohcahtoa82 wrote:
             | > No I have an older relative who creates a new account
             | every other week for whatever reason.
             | 
             | Could be like my grandma who would occasionally manually
             | log out of the app, but then the next time she loaded the
             | app, rather than actually logging in again, she'd create a
             | new account because that's what she did the first time she
             | loaded the app and thought she had to do that every time.
        
       | commoner wrote:
       | PayPal is not very dependable when it comes to handling disputes.
       | If you paid with a credit card through PayPal, file a chargeback
       | via the card itself and your financial institution should be able
       | to help. But if you paid with your PayPal balance, you're most
       | likely at Facebook's mercy at this point. Dutch laws might offer
       | additional consumer protections.
        
       | bluedino wrote:
       | Most fraud starts with people thinking they are getting something
       | for free.
        
         | sukilot wrote:
         | It's hard to con an honest person unless they are mentally
         | impaired.
        
           | pbhjpbhj wrote:
           | I think it's relatively easy to con honest people because
           | they tend to think other people have similar moral standards.
           | 
           | 'we're inspecting your home on behalf of the government'
           | [steal your jewelry]
           | 
           | 'we're calling from your bank as there's been a problem with
           | your account; we need you to read an access code from your
           | phone' (steals savings)
           | 
           | 'we're calling from your pension advisor as you appear to
           | have been missold payment protection' (steals pension)
           | 
            | There doesn't appear to be any need for dishonesty on the
           | part of the conned.
           | 
           | It's possibly easier to con a greedy person?
        
       | newsbinator wrote:
       | > Contacting Facebook about such scams/hacks is a challenge on
       | its own: there is a support page but in all my attempts I was
       | unable to click the "email" icon. The "chat" icon always says
       | "chat unavailable"
       | 
       | This is both incredibly frustrating and incredibly unsurprising.
        
       | phoe-krk wrote:
       | > The scammer used my Facebook auth token to remove me from the
       | Facebook Business entity. Strangely enough this is possible
       | without getting any emails from Facebook. I had no way to check
       | my Business entity or Ad account on Facebook to see what's going
       | on.
       | 
       | This is an error on the Facebook side. Actions like this should
       | never be possible without appropriate confirmation or re-
       | requesting the password for 2FA confirmation.
        
         | marcinzm wrote:
         | I can sort of see why this is allowed.
         | 
         | * Employee starts a Facebook business page using their personal
         | Facebook account.
         | 
         | * They add their boss to it.
         | 
         | * Employee is fired.
         | 
         | * Boss removed employee from Facebook business page.
         | 
         | edit: Should still send a notification email but I'm guessing
         | angry "why did you remove me from X" reactions are why they
         | don't. Not good but there's a logic behind it.
        
           | envy2 wrote:
           | Sure, but then [employee]'s payment methods should be removed
           | along with them. If they were using the company / boss's card
           | or PayPal, then surely the company / boss should be able to
           | add it back again without too much undue trouble.
        
             | marcinzm wrote:
             | Sure although I'd guess having all your advertising
             | campaigns paused (as there's no billing info anymore) would
             | annoy many people especially if they didn't notice or
             | weren't aware it happened. It may in aggregate be cheaper
             | for Facebook to just eat the cost of refunding these things
             | versus providing more friction to their users.
        
           | bkor wrote:
           | The additional confirmation is not from the user being
           | removed, it's from the user doing the removal. In this
           | example the API/oauth was enough to do this. There really
           | should be an additional confirmation certain times. Like how
           | Google sometimes requires you to put in your password/2fa
           | again, despite previously authenticating or saying something
           | like "don't ask me again".
        
             | marcinzm wrote:
             | I presume the scammer added a new account, made it an admin
             | and then used that to take over. So it's not the removal
             | that's the issue but adding a new admin on the account. Of
             | course if you allow this type of activity through oauth I
             | don't think there's a good way to re-authenticate.
        
               | jackson1442 wrote:
               | In that case, adding a new admin should require re-
               | authentication.
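An added sketch (not Facebook's code or policy, and not from any commenter) of the rule bkor and jackson1442 argue for: a token delegated to a third-party app cannot change who administers a business account at all, a first-party session must have passed password + 2FA within a short window to do so, and every such change notifies the removed user as well as the remaining admins. Action names, scope names and the five-minute window are constructed for the example.

```python
"""Step-up authorization for account-control changes.

Constructed model for this thread (not Facebook's real API or policy): a
delegated token handed to a third-party app is never allowed to change who
administers a business account, a first-party session must have passed a
password+2FA challenge recently to do so, and every such change notifies
the actor, the target and the remaining admins.
"""
from dataclasses import dataclass, field

# Actions that change control of the account; constructed list for this example.
PRIVILEGED_ACTIONS = {"add_admin", "remove_admin", "change_payment_method"}
REAUTH_WINDOW_SECONDS = 5 * 60  # how recent the last interactive 2FA must be


@dataclass
class Principal:
    user_id: str
    kind: str                     # "first_party_session" or "delegated_token"
    scopes: set
    last_interactive_auth: float  # epoch seconds of the last password+2FA prompt; 0 = never


@dataclass
class BusinessAccount:
    name: str
    admins: set
    audit_log: list = field(default_factory=list)


def decide(principal: Principal, action: str, now: float) -> str:
    """Return "allowed", "step_up_required" or "forbidden" for this action."""
    if action not in PRIVILEGED_ACTIONS:
        # Ordinary actions (creating ads, reading stats) only need the business scope
        return "allowed" if "manage_business" in principal.scopes else "forbidden"
    if principal.kind != "first_party_session":
        # A token obtained through an app never gets to change who controls the account
        return "forbidden"
    if now - principal.last_interactive_auth > REAUTH_WINDOW_SECONDS:
        # Session is valid but too old for this action: ask for password + 2FA again
        return "step_up_required"
    return "allowed"


def perform(account: BusinessAccount, principal: Principal, action: str,
            target_user: str, now: float) -> dict:
    """Apply an admin change after authorization and record who gets notified."""
    decision = decide(principal, action, now)
    if decision != "allowed":
        raise PermissionError(f"{action} denied: {decision}")
    if action == "add_admin":
        account.admins.add(target_user)
    elif action == "remove_admin":
        account.admins.discard(target_user)
    # Notify everyone with a stake, including the user who was just removed
    recipients = sorted(account.admins | {target_user, principal.user_id})
    entry = {"action": action, "by": principal.user_id,
             "target": target_user, "notify": recipients}
    account.audit_log.append(entry)
    return entry
```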
        
       | fabbari wrote:
       | It seems odd that the Facebook authentication token would allow
       | that kind of access - admin on the business pages - by default.
       | Were you asked for particular permissions? Or did they fake the
       | Facebook login completely?
        
         | NiekvdMaas wrote:
         | It's actually the real login page of Facebook in a webview. I
         | have 2FA on all my accounts including FB, so it looked very
         | legit. Once you have logged in, they seem to grep the token and
         | close the webview.
        
         | jlund-molfese wrote:
         | I'm assuming the app impersonated a real login with Facebook
         | prompt. When I use a real Facebook login in another app, it
          | tells me which permissions I want to grant to another site, and
         | lets me edit them.
         | 
         | But I wouldn't think twice if I was asked to enter my
         | credentials (which happens if you don't have the Facebook app
         | installed) and didn't receive that permissions prompt.
        
       | IAmNotAFix wrote:
       | I don't understand the step where the author is logging in with
       | Facebook.
       | 
       | Was that a legit OAuth 2.0/OpenID Connect log in? (In this case
       | this must have been OAuth 2.0 with a scope giving the application
       | write access to business stuff.)
       | 
       | Or was it a phishing page in which the author gave his facebook
       | password?
        
         | admn2 wrote:
         | I believe it was actually OAuth or else FB would have likely
         | blocked the login from another country or at the bare minimum
         | sent OP a suspicious login email.
        
       | TekMol wrote:
       | This sounds like the author typed their facebook and paypal
       | credentials into the app.
        
         | matsemann wrote:
         | Thousands of apps have "Login with Facebook" (and others), and
         | it's often impossible to know if it's a real oauth flow or just
         | a fake login page.
        
           | JimDabell wrote:
           | On iOS, if you have the Facebook application installed, the
           | Facebook Login user journey opens the actual Facebook
           | application. If you don't have it installed, it will open the
           | Facebook website in Safari. In both cases, assuming you are
           | an active user of Facebook, you will already be logged in.
           | 
           | If it's a fake OAuth screen? The first tip-off, assuming you
           | use the application, is that it didn't open the application.
           | The second tip-off, in either case, is that it's prompting
           | you to log in. You can verify that you are logging directly
           | into Facebook by going back to the home screen (which is not
           | something an application can intercept), and re-opening
           | Safari or the native application. If you were really in
           | Safari / the Facebook application beforehand, it will come
           | back to the same screen. Then you can check the URL to ensure
           | you are on Facebook if you are in Safari.
           | 
           | As far as I am aware, it's never "impossible to know".
           | However it may be difficult for the average user to know how
           | to determine this. For the average user, the rule of thumb
           | "never log in to Facebook if a different application opened
           | the Facebook login screen; only log in to Facebook if you
           | opened the native application yourself or typed the website
           | address yourself" is adequate.
           | 
           | It's also worth mentioning that most password managers will
           | pay attention to the domain, and there's also a mechanism for
           | this for native applications on iOS. So the password manager
           | not auto-filling is another red flag.
        
             | vezycash wrote:
             | >On iOS, if you have the Facebook application installed,
             | the Facebook Login user journey opens the actual Facebook
             | application. If you don't have it installed, it will open
             | the Facebook website in Safari.
             | 
             | Can someone else confirm this?
             | 
             | Those authentication screens are scary.
             | 
             | With a web browser, I can at least scrutinize the URL.
        
               | JimDabell wrote:
               | If you have any doubt as to whether you are in the
               | legitimate Facebook application or not, return to the
               | home screen and open Facebook from the icon on your home
               | screen.
               | 
                | But really, the tip-off is the login prompt. Unless it's
               | the first time using the Facebook application on this
               | device, you would normally be already logged in and it
               | shouldn't be prompting you to log in to Facebook.
        
               | vezycash wrote:
               | I was looking for an android app to make my phone
               | contacts on Outlook available on my phone.
               | 
               | The official app screws up with my share menu. I'd see
               | one set of share targets and just before I hit my choice,
               | outlook will place two contacts at the top. And this
               | causes the remaining to rearrange.
               | 
               | Got pissed and uninstalled it. And I don't want to copy
               | my contacts over to gmail.
               | 
               | I tried two contact apps and they both open a login
               | screen - typing my password both times raised alarms in
               | my head. Neither app worked. And couldn't risk trying
               | more apps. Gave up and reinstalled the official outlook.
        
       | WrtCdEvrydy wrote:
       | > the scammer used my Facebook auth token to remove me from the
       | Facebook Business entity
       | 
       | If you are able to use the account to purchase something in my
       | name, I would expect the security to at least include a 2FA
       | prompt. I'm not really big into the Facebook ecosystem but this
       | sounds terrible.
        
       | canes123456 wrote:
        | You can make PayPal charges with a Facebook OAuth token? Or did
        | they keylog his Facebook password?
        
         | danielhua wrote:
         | He had a Facebook ads account with PayPal linked, and the
         | hacker used his login info to run their own (apparently
         | Vietnamese aluminum product) ad campaign and spend using his
         | account.
        
           | drcongo wrote:
           | Why would anyone link those two things? That just seems
           | insane to me.
        
       | dmix wrote:
       | The misspelling of Voucher as Vocher on the big FB call to action
       | (to connect your business FB account) was the biggest red flag to
       | me.
        
       | toxicFork wrote:
       | > Initiated a PayPal chargeback process - PayPal responded:
       | "we've determined there was no unauthorized use"
       | 
       | Just wanted to highlight this. Things like this is why I avoid
       | PayPal as much as possible. For many years now.
        
         | deepstack wrote:
         | Trust your bank more. Find a good trust worthy local bank or
         | credit union.
        
           | leviathant wrote:
           | Back in 2004 or so, I logged into online banking and saw that
           | where I had about $3000 the day before, I now had less than
           | $100. Mortified, I looked and saw that there were a couple of
           | Paypal transactions being processed. I didn't see anything in
           | my email, and I logged into Paypal and didn't see anything on
            | the summary screen, but when I looked at the full history, I
           | saw two eBay purchases: One for a hacked PS2, one for a
           | laptop. I was able to contact both sellers: The guy with the
           | PS2 hadn't shipped his yet, and canceled. The laptop seller
           | lamented that he had mailed it right away - to the
           | Philippines. To this day, I don't know how this guy in the
           | Philippines accessed my Paypal account - I did manage to
           | reach out to him, but he expected me to pay him to give up
           | his secrets, and I'm not playing that game.
           | 
           | Anyhow, I called my bank and explained to them that these
           | were fraudulent transactions, and thank goodness you have
           | them on hold but haven't processed them, because my rent is
           | coming up and could you please release the money.
           | 
           | The bank refused. I'd been a member of the same institution
           | for probably a dozen years, had a car loan out through them,
           | was on track to get a mortgage through them in a few years,
           | and they told me that even though I had caught it that very
           | morning, about as soon as I could possibly have caught it,
           | that there was nothing they could do.
           | 
           | Paypal, on the other hand, asked me to sign an affidavit, and
           | a couple of weeks later, fully refunded my account.
           | 
           | I've held Paypal above banks ever since. In retrospect, eBay
           | had acquired Paypal only two years prior, and this
           | transaction happening on eBay probably garnered additional
           | scrutiny at the time. However, nearly every time I read about
           | someone's Paypal account getting locked out, it turns out
           | they weren't paying attention to the Terms of Service - which
           | are, without a doubt, designed to minimize fraudulent use of
           | Paypal as a payment provider. It's why you can't do pre-sales
           | on Paypal - it leaves them open to liability.
           | 
           | For better or for worse, the overwhelming narrative becomes
           | "Paypal sucks", but as you start to look at the big boy
           | payment providers, you'll discover that Paypal is often more
           | permissive by comparison, with rates that are comparable to
           | or better than the big boys when you're running with such
           | small transactional values. And if you end up going to some
           | upstart that will let you do things Paypal won't, that
           | party's only going to last as long as those providers don't
           | get stung by regulatory fees or plain old fraud.
        
             | commoner wrote:
             | While it's nice to hear a good story, PayPal is not a bank
             | and a PayPal account lacks the consumer protections that
             | bank accounts in many countries (including the US) receive
             | by law. PayPal takes advantage of this lack of consumer
             | protection to freeze accounts and hold funds for up to 180
             | days on grounds that aren't necessarily reasonable or
             | disclosed.
             | 
             | https://news.ycombinator.com/item?id=13851120
             | 
             | https://news.ycombinator.com/item?id=1678582
             | 
             | https://news.ycombinator.com/item?id=6333203
             | 
             | https://news.ycombinator.com/item?id=7968737
             | 
             | https://news.ycombinator.com/item?id=18783493
             | 
             | https://news.ycombinator.com/item?id=4455520
             | 
             | https://news.ycombinator.com/item?id=6891306
             | 
             | Financial institutions do not have this kind of control
             | over bank accounts. All bank accounts inherit a level of
             | trustworthiness from consumer protection laws that only
             | apply to bank accounts. PayPal does not.
             | 
             | When PayPal freezes/limits an account in a way that a bank
             | account could not legally be subject to, the problem is not
             | the account holder, but PayPal itself.
        
         | _-___________-_ wrote:
         | The amazing thing is that they are equally unpleasant to deal
         | with as a merchant. You'd think they just favoured one side,
         | but no, they screw both sides.
        
           | readams wrote:
           | PayPal fraud protection is mostly about making sure PayPal
           | isn't the one holding the bag in the end. Any actual
           | prevention of fraud is secondary at best.
        
             | ezconnect wrote:
              | They have a recent change that is anti-merchant: when
              | someone requests a refund they won't give back the
              | transaction fee. The seller loses out on the sale and pays
              | PayPal a transaction fee, the buyer gets their full money
              | back, and PayPal keeps the transaction fee. It used to be
              | returned to the merchant.
        
               | encom wrote:
               | I'm honestly surprised Paypal is still in business.
               | Everybody hates Paypal.
        
               | tgsovlerkhgsel wrote:
               | The power of network effect.
               | 
               | You can't afford to not accept PayPal because all the
               | buyers have it, and all the buyers have it because you
               | can pay with it everywhere.
               | 
               | An alternative network would have a hard time getting
               | users to sign up.
        
         | Osiris wrote:
         | That's weird. As a merchant, I get requests for refunds and
         | even if I provide all the details about the transaction (for me
         | that would be a license key and proof the license key was used)
         | they always side with the buyer.
         | 
         | Really, the only way to not get PayPal to approve a refund is
         | to work with the customer and solve the problem so the customer
         | cancels the refund request.
        
           | jonplackett wrote:
            | I think it's A) because it's Facebook, and B) because this
           | type of scam is very prevalent, and no-one wants to be stuck
           | with the numerous bills for it.
        
         | dilly_li wrote:
         | In my limited times with Paypal with scam-like charges, Paypal
         | never approves my request.
         | 
         | On the other hand, all my credits card companies,
         | Citi/Chase/etc. approved my similar requests after a review
         | process.
        
           | sokoloff wrote:
           | Anecdata here as well. I've had two times where I had to
           | contest a Paypal purchase. In both cases, Paypal took a
           | reasonably short amount of time to rule in my favor. (Both
           | however were for clear-cut cases of "online vendor took an
            | order and _didn't bother to ship anything at all nor reply
           | to Paypal inquiries_".)
        
           | badRNG wrote:
           | I've been in two different situations where I have had
           | obviously fraudulent charges on my PayPal. In both cases,
           | PayPal denied my claim.
           | 
           | In both cases, Discover approved charge-backs for the PayPal
           | charges to my card.
        
             | droopyEyelids wrote:
             | Did PayPal ban you after the Discover charge-back?
        
               | badRNG wrote:
               | Nope, still use them for a handful of things (for
               | convenience.) The charge-backs were of significant size
               | too ($300-$500.) This was around 2012-2013 for one and
               | around 2015 for the other.
        
               | ryan-c wrote:
               | Oddly, I have actually been told in the past by PayPal to
               | file a $1500 dispute with my credit card company (AmEx in
               | my case) because for whatever reason they couldn't handle
               | it internally. Didn't get banned.
        
           | mcv wrote:
           | I thought PayPal had a reputation for pro-actively blocking
           | payments for really bad reasons, and now they won't block
           | payment when it's a clear case of fraud?
           | 
           | Why does anyone still use PayPal?
        
             | willcipriano wrote:
             | > Why does anyone still use PayPal?
             | 
             | Paypal.com -> Subscriptions -> Unsubscribe
             | 
             | Paypal makes it two or three clicks to unsub from any
             | reoccurring payment. No dark patterns or "call us"
             | required. I use it whenever I can for subscription
             | services.
        
         | fireattack wrote:
         | Why?
         | 
         | The payment is authorized by the author (i.e. his PP account
         | wasn't stolen), the whole thing being a scam is irrelevant and
          | PayPal shouldn't be the judge here (if you got scammed and sent
          | some physical items to the scammer, can you ask the post office
          | to take them back?)
         | 
         | I sold digital goods on eBay a few times (like, less than 10
         | times) and I've already got 3 (!) people claiming their
         | purchase is "unauthorized" after I sent them the goods (redeem
         | codes, so I can't really let them "return"). I'm more than glad
         | that PayPal took my stance instead of giving them chargeback,
         | since they're likely trying to _scam me_.
        
           | nerdponx wrote:
            | _The payment is authorized by the author (i.e. his PP account
            | wasn't stolen), the whole thing being a scam is irrelevant
            | and PayPal shouldn't be the judge here (if you got scammed
            | and send some physical items to the scammer, can you ask the
            | post office to take it back?)_
           | 
           | PayPal does have a 6 month purchase protection policy in many
           | cases. So... maybe, if you manage to argue that this was a
           | purchase that you're entitled to protection for. But that's a
           | different channel and probably a different physical
           | department at the company.
        
           | Sohcahtoa82 wrote:
           | > I sold digital goods on eBay a few times (like, less than
           | 10 times) and I've already got 3 (!) people claiming their
           | purchase is "unauthorized" after I sent them the goods
           | (redeem codes, so I can't really let them "return").
           | 
           | This shit is why I don't sell on eBay anymore.
           | 
           | I have a friend who sells stuff on eBay a lot (or at least,
           | used to), and he says about 5% of his sales go to scammers
           | who will request refunds claiming they never received an
           | item.
           | 
           | Of course, now that I think more on it, I wonder how many of
           | those 5% were scammers versus how many of them simply had
           | their package stolen from their front door.
        
             | Dahoon wrote:
             | A brick and mortar business normally sees more than 5% loss
             | so if that is a real number it is _great_.
        
             | megablast wrote:
             | Tracking numbers exist. What package delivery does not
             | include a tracking number?
        
               | willcipriano wrote:
               | The tracking number reports the package as delivered,
               | someone came by and picked it up after it was left at the
               | front door.
        
               | Sohcahtoa82 wrote:
               | Having a tracking number doesn't matter if the scam buyer
               | tells PayPal/eBay that you mailed them a brick and not
               | the item you actually ordered.
        
           | lalaithion wrote:
            | If the author had paid with a credit card, he could have
           | gotten a refund, and it would be the responsibility of the
           | credit card Issuer to track down the merchant and get a
           | refund.
        
             | fireattack wrote:
              | And if he had paid with a _debit card_ or wire transfer, he
             | would be even more out of luck than PayPal.
             | 
             | Why would we (I'm genuinely asking here) consider PayPal
             | more similar to CC than the others? My point being, it
             | could be (closer to) either, and both make sense to me. PP
             | doesn't necessarily need to operate like CC.
             | 
             | After all, CC as a service charges much more with
             | processing fees from merchants and sometimes annual fees
             | from the customers. It's meant to provide a
             | "better/premium" service.
        
             | megablast wrote:
             | Not necessarily.
        
         | time0ut wrote:
         | I came here to say this as well. PayPal is garbage and should
         | never be used, at least as a consumer. There are much better
         | options available. I have never had PayPal side with me in any
         | dispute, no matter how one sided it was. I closed my account in
         | 2014. Haven't missed it.
        
         | DanBC wrote:
         | Just checking you know that many banks would take the same
         | stance.
        
           | starfox64_ wrote:
           | I doubt many banks would refuse a charge-back considering
           | this transaction obviously didn't use 3DSecure since it went
           | through PayPal. You'd probably get your PayPal account
            | shut down if it went through though.
        
             | DanBC wrote:
             | If the money left your account because you did a thing,
             | even if you did the thing because you were defrauded, a
             | bunch of banks are going to decline to repay you.
             | 
             | Here's news about a new protection scheme in the UK. But
             | this is new (only came in last year), and it doesn't cover
             | all banks. https://www.bbc.co.uk/news/business-48385426
             | 
             | > New protection for individuals tricked into transferring
             | money to fraudsters has now taken effect - but not all
             | banks are signed up to the scheme.
             | 
             | > Some 84,000 bank customers lost money - sometimes tens of
             | thousands of pounds - last year after being caught out.
             | 
             | > Only a fraction of the amount lost was refunded by banks.
             | Now a new code should mean more will be reimbursed.
             | 
             | > The refund will come from a central pot in cases when
             | neither the bank nor the customer are to blame.
             | 
             | See especially this bit:
             | 
             | > Some of the more elaborate frauds see the con-artists
             | using social media and other avenues such as data breaches
             | to gather information about their victim, making it more
             | likely that potential victims believe they are genuine.
             | 
             | > In all these cases, the individual authorises the
             | payment. Banks have often refused to refund these frauds as
             | a result.
        
           | toomuchtodo wrote:
           | American Express has never denied a chargeback I've
           | initiated. When you say "many banks", of course don't bank
           | with someone who is going to screw you, like Paypal or Wells
           | Fargo (and Bank of America or JP Morgan Chase, to a lesser
           | extent). This should be common (US centric) knowledge by now.
        
             | tluyben2 wrote:
             | Amex doesn't but visa/master/etc depend on the issuing bank
             | and they can (and do) refuse. More in other countries vs
             | USA as far as I understand.
        
               | toomuchtodo wrote:
               | Agreed, but if your time has value, (if you can)
               | structure your financial transactions in a way and with
               | service providers that derisks you having to spend hours
               | chasing down your own money when you shouldn't have to
               | (or going through the motions and being told you're SOL).
               | And never use Paypal!
        
           | klmadfejno wrote:
           | On some services. You would almost certainly be able to
           | recoup the money if it was paid for via credit card.
        
         | scott31 wrote:
         | Paypal is 100% right in this case though
        
           | 0xFluegel wrote:
           | Is it though? It surely is _authenticated_ but is it
           | _authorized_? By whom? Certainly not by the user.
        
             | luckylion wrote:
             | The user has authorized PayPal to give money to Facebook.
             | Facebook wasn't authorized by the user themselves to run
             | the ad campaign, but PayPal is doing exactly what it
             | should.
        
               | hinkley wrote:
               | And if the same charges had been made on a Visa card, we
               | wouldn't be having this conversation.
        
               | basch wrote:
               | If I have a Visa card saved in the Starbucks app, and
               | somebody uses my Starbucks app, I did not authorize Visa
               | for that transaction. It would be no different than
               | losing the card. If somebody picks up my card and swipes
               | it, "Visa is doing exactly what it should" but also it
               | wasn't an authorized transaction and should be reversed.
        
               | luckylion wrote:
               | I'm not sure. When you give authorization for "all future
               | payments to Starbucks until I tell you otherwise" (which
               | is what you're doing with recurring payments being set up
               | between FB and PP), you're authorizing that payment to
               | Starbucks. You're not authorizing Starbucks to take
               | whatever they want, but that's between you and them, not
               | you and Visa. Visa just happens to be very accommodating
               | and will often pressure the vendor.
               | 
               | Losing your card would have been similar to the OP's
               | PayPal account being hacked.
        
           | behringer wrote:
           | In what world would paypal be right? Facebook allowed a
           | scammer to advertise on their platform, and then allowed the
           | same scammer to steal 4k. Facebook is as much complicit in
           | this crime as the criminal himself. Paypal was charged by
           | Facebook. Facebook should not be entitled to the 4k and
           | PayPal should take it back.
        
         | commoner wrote:
         | A consumer can still file a chargeback through the financial
         | institution (of the payment method used in the transaction)
         | after PayPal declines the dispute. Hopefully, the author was
         | charged on his credit card and not his PayPal balance. Debit
         | cards and bank accounts are in a gray area for this case.
        
           | LandR wrote:
           | I have a VISA credit card and a VISA debit card.
           | 
           | I was under the assumption that the VISA debit card offers me
            | the same protections as the credit card but I think I was
           | wrong...
           | 
           | > Are PayPal purchases covered? You are unlikely to be
           | protected under debit card Chargeback schemes for items
           | purchased using PayPal. In these cases the act of loading
           | money onto your PayPal account counts as the debit card
           | transaction so, unless the money fails to be credited, it
           | won't be covered. PayPal runs its own purchase protection
           | scheme which extends some cover to your purchases, but it is
           | in house rather than regulated by law.
        
             | commoner wrote:
             | Consumer protections are based on your country's laws, but
             | credit cards will generally have stronger protections than
             | debit cards and bank accounts. In the US, the consumer's
             | liability for unauthorized credit card use is capped at
             | $50, while the liability for unauthorized debit card and
             | bank account use is capped at $50 (2 days), capped at $500
             | (3-60 days), or is unlimited (61+ days) depending on when
             | you report it. Most American financial institutions go
             | beyond the law to promise $0 liability for unauthorized
             | credit card use.
             | 
              | https://www.consumer.ftc.gov/articles/pdf-0075-lost-or-stole...
             | 
             | In the US, you don't have to pay the disputed portion of a
             | credit card bill while the chargeback investigation is
             | ongoing. Most financial institutions will issue a temporary
             | credit to make this clear.
             | 
              | https://www.consumer.ftc.gov/articles/0219-disputing-credit-...
             | 
             | If anyone here is familiar with Dutch law, the author might
             | appreciate your input.
        
               | ma2rten wrote:
               | But how would that work in this case? The customer
               | authorized paypal to be used for facebook ads, someone
               | ran facebook ads using their account. If I give my Amazon
               | log in credentials to someone and they order a bunch of
               | expensive TVs to their house without my knowledge, can I
               | get a chargeback?
        
               | fencepost wrote:
               | IIRC the institutions distributing debit cards (banks,
               | credit unions, whatever the heck PayPal is, etc) will
               | often 'voluntarily' give you effectively the same
               | protections as for credit cards _at their discretion_
               | because they want you to have and use those cards and the
               | benefit they get through transaction fees, etc. outweighs
               | the cost of the fraud that happens.
               | 
               | Details are likely spelled out in the multipage 5-pt text
               | pamphlet that you received with a new debit card at some
               | point.
        
         | scoutt wrote:
          | I wonder what would happen if the author showed this article to
          | PayPal (if not done already), showing that Facebook also
          | confirmed the scam and that Google took down the app.
        
         | novaRom wrote:
         | Exactly this. In my recent experience PayPal is also absolutely
         | inaccessible for a chargeback resolution. This was the reason I
          | left booking.com, now I am considering getting rid of PayPal. In
         | my opinion no serious transaction should ever be done on either
         | platform.
        
           | tgsovlerkhgsel wrote:
           | What issues did you have with Booking.com and what are good
           | alternatives?
           | 
           | I absolutely loathe them for their high-pressure sales
           | tactics (their site is full of dark patterns and booking
           | there is outright stressful; it feels like you're trying to
           | browse while a drill sergeant is constantly yelling into your
           | ear "BOOK NOW YOU WORTHLESS SCUM, BOOK, BOOK, WHAT ARE YOU
           | WAITING FOR YOU IMBECILE, CLICK IT, BOOK, NOW, NOW YOU
           | MAGGOT") - however, unfortunately they often do have the best
           | price (by far) or are the only place certain accommodations
           | are available, and aside from the drill sergeant, their UX is
           | absolutely perfect.
           | 
           | I've been burned far too often with sites that let you go
           | through the entire flow only to tack on ridiculous fees for
           | payment or simply fail to process your credit card.
        
       | except wrote:
       | The app looks poorly made and there are clear spelling mistakes
       | plus the fact that it was not offered by TikTok which should have
       | made you suspicious. It sucks this happened but maybe you should
       | have done some research and checked if this app actually did
        | belong to TikTok. I assume the app also asked you to log in to
        | Facebook directly rather than via OAuth, which should also have
        | made you suspicious.
        
         | Avamander wrote:
         | Very American opinion. You are aware that there's a lot of non-
         | native English speakers who can absolutely miss a few typos?
        
           | except wrote:
           | My apologies, I missed that possibility. The app still looks
           | poorly put together regardless.
        
         | babuskov wrote:
         | > _you_ should have done some research
         | 
         | Just to be clear, this didn't happen to me. I just posted what
         | Niek van der Maas wrote on his GitHub. I don't think he's even
         | reading this HN thread, so no use giving him advice.
        
         | klmadfejno wrote:
         | I've often heard the argument that scams add spelling mistakes
         | to only catch the idiots that have a high conversion rate for
         | the scam. That doesn't feel like it makes sense on something
         | like this which is highly sophisticated. Is it just bad
         | quality?
        
           | except wrote:
           | My point was that official applications rarely ever include
           | them, not that it was intentionally placed there.
        
       | aurelien wrote:
        | You lost your life with Facebook and that does not disturb you ...
        | so thanks for the 4K ;-)
        
       | PerilousD wrote:
       | sorry for your loss - but you are STILL using Facebook? Any
       | future problems look and hard in a mirror.
        
       | sjroot wrote:
       | As someone who also takes all the right account security
       | precautions, I too have been fooled by a scam Facebook ad. It
       | seems like this is an increasingly-common attack vector that FB
       | needs to address.
       | 
       | Specifically, I think it would help for them to verify ads, as
       | they do people / pages.
        
         | Nextgrid wrote:
         | Is there any evidence that the people/pages verification is
         | safe? I've seen plenty of fake accounts and the existence of
         | misinformation or outright criminal (card fraud, etc) pages
         | suggests the opposite.
        
         | Avamander wrote:
         | Yet another scenario where we're collectively being bitten in
         | the ass because most of the world is still lacking a proper
         | digital identity system.
         | 
          | If you're thinking that sending pictures of identity documents
          | or bills is going to fix it: no, it's clown-tier identity
          | verification and will just postpone the issue a tiny bit with
          | massive human resource cost and false negatives.
        
           | donmcronald wrote:
           | > it's clown-tier identity verification
           | 
           | I remember learning this when I got my first code signing
           | certificate. I had to jump through a TON of hoops including
           | sending notarized copies of my ID to Comodo. After all that,
           | they asked ME to send them a list of notaries for my
           | jurisdiction. They also wanted a direct line to call the
           | notary I used which is basically impossible to provide.
           | 
           | The verification is outsourced to the cheapest English
           | speaking 3rd world country they can find and there's ZERO
           | localized knowledge. I don't think you could build a system
            | that's worse if you tried. The whole thing is just a process
           | of checking boxes which is very similar to most of the 2FA
           | systems in existence.
        
         | spzb wrote:
         | But then they'd lose that sweet revenue
        
         | prox wrote:
          | One attack I personally had was when I had an Android tablet
          | and a client who has business in China asked me to put a
          | promotional video on some Chinese version of YouTube. So I
          | thought I had found the app in the Play Store, but once opened
          | it asked me something in Chinese, so, thinking this was an
          | obligatory privacy agreement or something, I clicked okay.
          | Instead it started downloading an update, and rebooted.
          | Afterwards my tablet was malware-ridden and unable to be
          | recovered, because of the older version of Android.
         | 
         | I learned that a lot of apps behave differently if they find a
         | different language keyboard. I don't know if this attack is
         | still possible in Android, it's been some years now.
        
       | spzb wrote:
       | So this basically amounts to "sign in with Facebook and the app
       | gets a token with which it can control your whole account"?
        
       | zenexer wrote:
       | Perhaps the most interesting part is the final line of the
       | document:
       | 
       | > Initiated a PayPal chargeback process - PayPal responded:
       | "we've determined there was no unauthorized use"
       | 
       | While I get the impression that the user had authorized Facebook
       | to charge via PayPal in the past, I find this conclusion rather
       | silly. If I give my credit card number to Amazon, and someone
       | hacks my Amazon account and starts making random purchases,
       | chances are I'd have no trouble filing a chargeback.
        
         | donmcronald wrote:
         | Yep. Authentication is being used as an excuse to blame the
         | user. It's because Facebook's a big company. If it was a small
         | website where a user got phished PayPal would have charged it
         | back IMO.
        
       | tobyhinloopen wrote:
       | I think the trick here was to prompt the user with a fake oauth
       | screen. Many legit apps show the oauth screen using a web frame
       | inside that app. It is absolutely stupid that it is still a
       | common occurrence.
       | 
       | If you need to enter your credentials when using sign-in-using-
       | xxx, be VERY cautious. Even if you have 2FA enabled, the fake
       | oauth screen can just ask you for the 2FA code. You have no way
       | of knowing whether the login page is keylogged or hijacked.
        
         | JangoSteve wrote:
         | This was pretty much an exact question I had about OAuth 10
         | months ago:
         | 
         | Something I still don't understand about the OAuth flow is how
         | it's _not_ training users to be more easily phished for actual
         | usernames and passwords. The very first step is "If you are not
         | logged into the third-party, display a login-form from the
         | third-party."
         | 
         | The thing is, you never really know off-hand if you're logged
         | into the third-party (provider) or not without opening a second
         | tab and going directly to the third-party's site, since you're
         | always getting logged out after various timeouts, cookie-
         | clearing, browser-closing, and computer-restarting events.
         | 
         | What prevents an OAuth client application from displaying an
         | OAuth process that shows a fake login form, which looks
         | identical to the provider's login form, to get the user to
         | enter their provider username and password before they realize
         | the URL is off? It seems like it trains users that it's normal
         | for websites to launch a Gmail login form and this is perfectly
         | safe.
         | 
         | https://news.ycombinator.com/item?id=21357370
        
           | donmcronald wrote:
           | I think you're right. Users are being trained to enter their
           | passwords and 2FA tokens everywhere with the false promise
           | that 2FA makes it secure. Even U2F using a signed challenge
           | seems iffy to me.
           | 
           | This [1] says "In fact, the spec requires that browsers only
           | expose the API in secure contexts", so if that's correct it's
           | better, but still not good enough.
           | 
           | This [2] looks like it does U2F by grabbing the challenges
           | via browser plugin and relaying them to a phone app for
           | signing.
           | 
           | Trusting the browser to "expose the API in secure contexts"
           | seems like a failure because it's assuming nothing else can
           | collect the credentials or send a challenge to a security
           | key. Is that true? Could I write an app that would phish a
           | user into signing a challenge with their security key?
           | 
           | 1. https://security.stackexchange.com/a/206549/134291
           | 
           | 2. https://krypt.co
        
         | georgiecasey wrote:
         | I'd guess it's a fake oauth screen as well. I coded one of the
         | first (I think) Tinder auto likers for Android back in 2013,
         | and the only way I could do it was get the real facebook
         | username and password and log into Tinder on the phone in the
         | background. I just put up a fake Oauth HTML page in a webview
         | and saved the login, with a disclaimer of course, but nearly
         | everybody ignored it. I was surprised how easy it all was.
        
         | dragonwriter wrote:
         | > Even if you have 2FA enabled, the fake oauth screen can just
         | ask you for the 2FA code.
         | 
         | Not all 2FA is "enter a code"; it's a lot harder for a fake
         | oauth screen to send a request to your registered
         | authentication device.
         | 
         | EDIT: this doesn't really help, as a reply points out. OTOH,
         | separate side channel verification of logon from unexpected
         | devices does.
        
           | snazz wrote:
           | Is it? Couldn't the backend (or even a human attacker) just
           | type the credentials you provide into the real login page,
           | giving you the "tap yes" push notification just the same?
        
             | dragonwriter wrote:
             | Come to think of it, you're right. I was mentally combining
             | that 2FA method with "new device attempted login"
             | detection, but the latter is usually separate from 2FA. If
             | a login system uses that and provides notice and requires
             | confirmation through a side channel, rather than merely
             | providing informational notice, it will stop (or at least,
             | make it easier to stop; a second user mistake or
             | preexisting side-channel compromise is still possible) the
                | attack. If it's just notice, it may limit the impact or
             | streamline recovery from the attack.
             | 
             | But now that I think about it, it would make sense to
             | combine new device notification with push-notice 2FA for
             | exactly that reason, since you've got a push channel that
             | takes a confirmation already, flag unexpected devices in
             | that channel as well and it becomes much more secure.
        
             | AntonyGarand wrote:
             | It absolutely is: https://github.com/kgretzky/evilginx2
        
               | tialaramex wrote:
               | Yup. Notice that this can't work on WebAuthn (or its
               | predecessor U2F), which is why everything should do
               | WebAuthn and you should ignore attempts to downgrade you
               | to any other method.
               | 
                | An attacker can replay the legitimate WebAuthn request from
                | the real site, which will (with statistical certainty) be
                | nonsense if played by their phishing site.
               | 
               | Or they make their own request, which doesn't help them
               | because it's not valid on the real site they want to sign
               | into so it's pointless.
        
         | GoblinSlayer wrote:
          | And even if you find the correct OAuth address, you still have
          | the risk of whether you understand what permissions you give and
          | whether Facebook implements them correctly.
        
         | twodayslate wrote:
         | This wasn't mentioned anywhere in the article sadly
        
       | atum47 wrote:
        | I'm getting tired of flagging false ads on the Facebook platform
        | (in my case Instagram).
        | 
        | [https://imgur.com/a/1MUuST4]
        | 
        | The image above is a confirmation that they removed a false ad I
        | flagged, thanking me for it. Yeah, ok, but as I said, I'm
        | getting tired of flagging this kind of ad.
        | 
        | I sent an email to Instagram not so long ago, complaining that it
        | is hard to tell an official ad from a fake one on Instagram,
        | because they use that ridiculous thing of opening a webpage inside
        | their own browser (?!), hiding the address.
        | 
        | I'm sorry that this happened to you. I usually deal with low
        | effort scams (but they usually get my parents' attention), but
        | maybe it's time for Facebook to be held accountable for this kind
        | of stuff.
        | 
        | Did you buy a TV from an ad you saw on Instagram and it turned
        | out to be a scam?! Well, let's hold Facebook accountable. Maybe
        | they'll improve their ads platform.
        
       | noisy_boy wrote:
        | Not sure if Facebook allows some sort of max-spend cap that can
        | only be increased with 2FA together with an alert from the
        | Facebook app itself. That should at least alert someone in the
        | sense of "why am I getting a confirmation message to debit for
        | a voucher credit", and in the worst-case scenario, even if they
        | don't realize it, it should limit the damage.
        
       | tnolet wrote:
       | I'm clueless about mobile stores and reviews. How does such an
       | app get so many positive (obviously fake) reviews?
        
         | squeaky-clean wrote:
         | It's really easy to find services like this just by googling
         | the right thing. I've never used one, but just from a quick
         | search $630 can get you 200 five-star reviews. I don't know if
         | the site I found will let you repeatedly purchase for even more
         | reviews, but several of these sites came up when I googled so
         | it would also be pretty easy to just use 5 different fake
         | review sites to get up to 1000 fake reviews.
         | 
         | If the price is consistent across them, that means 1000 reviews
         | costs about $3.1k. Expensive, but it apparently only takes 1
         | tricked user to become a profitable scam.
         | 
         | Not saying a similar scam would not have fooled me, as I'm
         | looking at the screenshot in the article with the knowledge
         | that it's a scam, so it's an unfair comparison. However the
         | first thing that immediately stands out to me is there are no
         | 2,3,4 star reviews on this app. The reviewer comments are also
         | very generic and have many grammatical errors in each featured
         | one in the screenshot, and the featured reviews are all from
         | Sept 1.
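A constructed example, added here and not the commenter's or Google Play's own logic: the three tells squeaky-clean lists (no 2/3/4-star reviews, almost all five-star, and everything dated the same day) coded as a check over a small sample. The thresholds, the sample reviews and the organic comparison set are assumptions.

```python
"""Added example: cheap signals for bought reviews, run over constructed samples.
Not the store's logic; the thresholds are assumptions."""
from collections import Counter
from datetime import date


def review_burst_signals(reviews, same_day_share=0.6, five_star_share=0.95, min_n=10):
    """Return (flagged, reasons) for a list of {'stars', 'date', 'text'} dicts."""
    n = len(reviews)
    reasons = []
    if n < min_n:
        return False, reasons          # too few to judge; do not flag a brand-new app
    hist = Counter(r["stars"] for r in reviews)
    if all(hist[s] == 0 for s in (2, 3, 4)):
        reasons.append("no 2/3/4-star reviews at all")
    if hist[5] / n >= five_star_share:
        reasons.append(f"{hist[5] / n:.0%} of reviews are five-star")
    day, count = Counter(r["date"] for r in reviews).most_common(1)[0]
    if count / n >= same_day_share:
        reasons.append(f"{count}/{n} reviews are dated {day}")
    return bool(reasons), reasons


# Constructed samples: a bought batch (all 5 stars, one day, generic text) and
# an organic spread of ratings over different days.
BOUGHT = [{"stars": 5, "date": date(2020, 9, 1), "text": t} for t in [
    "Very good app", "Good app, very useful", "Best app for business", "Nice app good",
    "Very good app", "Very useful app thank you", "Good app", "Excellent app very good",
    "Good app thanks", "Nice, very good app", "Very good", "Good, works"]]
ORGANIC = [{"stars": s, "date": date(2020, 8, 1 + i), "text": f"review {i}"}
           for i, s in enumerate([5, 4, 3, 5, 2, 5, 4, 1, 5, 4, 3, 5])]

if __name__ == "__main__":
    print("bought:", review_burst_signals(BOUGHT))
    print("organic:", review_burst_signals(ORGANIC))
```

The `min_n` floor matters in practice: a genuinely new app with three five-star reviews from friends would otherwise trip every signal.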
        
         | rasz wrote:
          | Want $1? Download and like 5 of our apps! Works great in
          | countries with $1/hr wages.
        
       | mikorym wrote:
       | I don't know whether this is relevant for fact checking, but the
        | ad logo in the first image with the bullseye image uses an image
       | (the bullseye itself with the arrow) that is available as a
       | logo/icon on MS Office exactly as is.
        
       | jrockway wrote:
       | I read things like this and keep thinking about the "web of
       | trust" from the 90s. There is no way to visit some random app
       | store, or read an email or website, and trust that it's actually
       | officially what it says it is. The author of this article relies
       | on some heuristics; good spelling, reasonable-sounding developer
       | email, reasonable Java package name, etc. but these things can go
       | either way. It is possible for a scammer to be good at spelling,
       | and it is possible for a big company to contract out some app
        | they don't care about to the lowest bidder and perfectly well be
        | running their ads program through the "FooCorp Develop App;
       | ru.definitelynotascam.dumbcodename". It has historically been an
       | okay data point, but in the future scammers are going to be good
       | at English -- it's only a matter of time.
       | 
       | Where I'm going with this is that there needs to be some sort of
       | mandatory linkage between something you trust and this random app
       | you see on the app store. You trust Google. You trust TikTok. So
       | why doesn't Google generate some sort of code that TikTok can
       | stick in their DNS (or website) to create a linkage? By default,
       | an app on the store could say "not trusted by any company", but
       | then TikTok could add that record on their website and it would
       | say "Trusted by TikTok" or something.
       | 
       | There are some problems with this, of course. Anyone could claim
       | any app, and then you'd see incorrect information. DNS and web
       | servers can be hacked, TLS roots of trust aren't trustworthy,
       | etc. But there has to be some way to create this linkage safely,
       | so that people aren't misled again and again and again in the
       | same way.
        
         | GoblinSlayer wrote:
         | Just go to tiktok site and download whatever you want there.
         | But if you go to app store, you can barely tell what is what in
         | this grey faceless pile of garbage.
        
       | Exuma wrote:
        | How does simply connecting/logging in with an app give the FB
        | application permission to spend on your business manager ad
        | account...?
        
       | stiray wrote:
        | (My moral compass is still up and running while some call
        | disabling it "running a business")
       | 
       | I wonder why something like this never happens to me?
       | 
       | - I am not paying a dime for advertising as it is completely
       | inappropriate to spam more users with ads (Zillions of ads and
       | you are one of them? And this works? Really? Not for my users and
       | my reputation.)
       | 
        | - I don't use Facebook as I have real friends to go for a beer with
       | 
        | - I don't open any ads (but AdNauseam [1] does)
       | 
        | - I don't use TikTok and I don't see anything positive in it so
       | even if I would be advertising I surely wouldn't spam kids with
       | ads
       | 
       | -- ...
       | 
       | (I could call this whole event a "poetic justice")
       | 
       | [1] https://adnauseam.io/
       | 
        | (edit: fixed wrong wording as suggested - anyway I don't attack OP
        | - in the same manner I don't attack drug dealers. I am just
        | explaining why I don't do that. Or sell drugs. Someone might learn
        | something from it.)
        
         | [deleted]
        
         | elwell wrote:
         | > unappropriate
         | 
         | "inappropriate", as in: "Your attack on OP is inappropriate."
        
       | jariel wrote:
       | Can someone explain what happened here?
       | 
       | 1) His FB credentials were hacked?
       | 
        | 2) All to force 'spend' on some odd Vietnamese ad? How does that
       | benefit the scammer?
       | 
        | 3) If the money went to FB for clearly scummy purposes, how on
        | earth does FB not simply refund the ad spend? There's no cost of
        | goods sold here for them; usually they should be pretty easy about
        | giving you the money - or at the very least giving you credits?
        
         | OJFord wrote:
          | 3 - yeah my reaction too, I imagine it will be no problem, just
          | OP's case hasn't yet reached someone who can refund that
          | figure.
        
         | fsaintjacques wrote:
         | Let me introduce you to the underworld of affiliate marketing
         | https://www.investopedia.com/terms/a/affiliate-fraud.asp
         | 
         | There's always money to be made if you can generate significant
         | legitimate traffic to a given destination.
        
         | alphager wrote:
         | 1) Yes, they either outright stole the credentials or stole an
         | oauth-token.
         | 
          | 2) The scammer either actually has a Vietnamese metallurgy
          | business or (more likely) sold ad space on Facebook to a
          | Vietnamese metallurgy business.
         | 
         | 3) yes
        
       | catchmeifyoucan wrote:
        | Voucher was spelled as "Vocher" in multiple places. At first I
        | thought it was localization, but then I realized that the author
        | spells it as "Voucher". That was the red flag for me.
        
       | danielhua wrote:
       | As someone who's fairly involved with the e-commerce/digital
       | marketing space, let me just say I'm amazed by how brazenly
       | _nasty_ this scam is.
       | 
       | The TikTok promotional program is actually a real thing that does
       | give around that amount of ad credit, and they have been
        | promoting it very aggressively on Facebook for a long while
        | now, so it makes sense that OP wouldn't have had any mental red
       | flags triggered by the designs and creatives used by the
       | scammers. The real killer is that PayPal is actually well within
       | their rights to process this transaction (as part of the billing
       | agreement generated when you link PayPal to Facebook Ads Manager:
       | there actually was real ad spend in a real Facebook ad auction),
       | so it's down to Facebook itself to refund the ad spend. (As an
       | aside, I'm actually impressed that OP managed to reach Facebook
       | support at all, and that they acknowledged or even understood
       | what the problem was. I have had worse experiences in the past
       | with FB...). What's really amazing to me is that the scammers
       | managed to get on Google Play with thousands of obviously fake
       | reviews, and get through Facebook ad review at all.
       | 
       | The scammer silently removing OP as an admin from their own ad
       | account, preventing them from noticing or stopping the fraudulent
       | ad campaign is just icing.
       | 
       | I suppose the real lesson to be learned is to simply avoid
       | installing native applications when you can help it. OP didn't
       | screenshot the login screen in app, so I can only assume it was a
       | real Facebook oauth flow, but honestly at that point it's already
       | too late. If anything OP should be grateful that the native app
       | running on what was presumably his personal device didn't do
       | anything worse.
        
         | gowld wrote:
         | Tiktok is giving away $3K in ad credit per customer? And the
         | regular price isn't massively overpriced?
        
         | jauntbox wrote:
         | Is this something that could have just as easily happened
         | through Apple's app store? This sounds like exactly the type of
         | thing that those 30% app store cuts should be going towards to
         | prevent (regardless of the platform).
        
         | user5994461 wrote:
         | > The scammer silently removing OP as an admin from their own
         | ad account, preventing them from noticing or stopping the
         | fraudulent ad campaign is just icing.
         | 
            | This hints at not having 2 factor authentication anywhere in
            | the chain?
         | 
         | Would definitely advise to setup 2 factor authentication on
         | anything managing 5 figure sums.
        
           | StavrosK wrote:
           | How would that help? They were removed via the API, no
           | passwords were stolen.
        
           | danielhua wrote:
           | I was surprised too since OP's writeup indicates that he has
           | 2FA on everything. You would think that you'd at least get an
           | email or push notification if you get removed from an ad
           | account/notification settings get changed, so it seems like
           | an oversight by FB.
        
             | jandrese wrote:
             | Hardly anybody does the "when changing an email address on
             | an account send an email to the old address to allow them
             | to revert the change and temporarily lock the account". It
             | seems like such an obvious thing to do.
        
           | kbenson wrote:
           | 2FA is how you protect your credentials from being stolen and
           | used. This wasn't a case of credentials being stolen, this is
           | a case of someone being tricked into authorizing a separate
            | account to take action. The hacker didn't change his
            | credentials to lock him out, it literally revoked access for
            | his Facebook login to the ad account.
           | 
           | I'm using "login" and "account" specifically here to
           | highlight the difference. On systems where there are likely
           | to be multiple people that need access, there's a distinction
           | between the "service account" and "logins or user accounts"
           | that can control it. Generally, when the service account is
           | created by a login, that login is added implicitly as a
           | controlling user account with full privileges, and other user
           | accounts (logins) can be added with varying levels of
           | control. This situation appears to have been along the lines
           | of the following:
           | 
            | 1. User "real_user" created facebook ads account id 123456,
           | and real_user is the admin of the ads account id 123456.
           | 
           | 2. At some point real_user adds "scam_user" to the facebook
           | ads account id 123456 with full admin permissions.
           | 
           | 3. scam_user uses the full admin permissions it has for
           | facebook ads account 123456 to remove access for real_user.
           | 
            | Note that this is a fully legitimate and common action to take
           | in systems like this. If you are a business and pay someone
           | to manage your facebook ads, they are likely the admin on the
           | account (and you may be too), and if they leave and you hire
           | a new person to manage it, you would want to revoke the old
           | employee's account access and add access to the new
           | employee's account.
           | 
           | This is how you handle it on Google Suite, Zoom's business
           | accounts, Active Directory in Windows domains, etc. The real
           | problem here is that the scammer got enough permissions to
           | revoke the original user, and the original user did not get
           | an email notification. I'm not sure if facebook ads allows
           | adding accounts with limited permissions so only certain
           | actions can be taken and part of the scam was making the
           | permissions asked for non-obvious, or if that's a permissions
           | distinction facebook ads doesn't support.
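An added example, not Facebook's code, that models the distinction kbenson draws between a shared "service account" and the logins that control it, and adds the two controls this sub-thread says were missing: an owner role that a delegated admin cannot revoke, and the notice to the OLD address with a revert token that jandrese asks for. The role names, the revert-token flow, the account id format and the logins and addresses under .example are all constructed assumptions.

```python
"""Added example: membership model for a shared ad account with a non-removable
owner and out-of-band notice (plus revert token) on every access or contact change.
Names, addresses and the account id format are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

ROLES = {"analyst": 1, "admin": 2, "owner": 3}


class PermissionDenied(Exception):
    pass


@dataclass
class Outbox:
    """Stand-in for the email / push channel; records what would have been sent."""
    sent: list = field(default_factory=list)

    def notify(self, address: str, text: str, revert_token: Optional[str] = None) -> None:
        self.sent.append((address, text, revert_token))


@dataclass
class AdAccount:
    account_id: str
    outbox: Outbox
    members: dict = field(default_factory=dict)   # login -> role
    emails: dict = field(default_factory=dict)    # login -> contact address
    reverts: dict = field(default_factory=dict)   # token -> (kind, login, old value)

    @classmethod
    def create(cls, creator: str, creator_email: str, outbox: Outbox) -> "AdAccount":
        acct = cls(f"act_{secrets.token_hex(4)}", outbox)
        acct.members[creator], acct.emails[creator] = "owner", creator_email
        return acct

    def _rank(self, login: str) -> int:
        return ROLES.get(self.members.get(login), 0)

    def _revert_token(self, kind: str, login: str, old) -> str:
        token = secrets.token_urlsafe(16)
        self.reverts[token] = (kind, login, old)
        return token

    def add_member(self, actor: str, login: str, email: str, role: str) -> None:
        # Admins can delegate, but never grant a role above their own.
        if self._rank(actor) < ROLES["admin"] or ROLES[role] > self._rank(actor):
            raise PermissionDenied(f"{actor} cannot grant {role}")
        self.members[login], self.emails[login] = role, email
        for owner in [m for m, r in self.members.items() if r == "owner"]:
            self.outbox.notify(self.emails[owner], f"{actor} added {login} as {role}")

    def remove_member(self, actor: str, login: str) -> None:
        # The owner is never removable by a delegated admin, and every removal goes
        # to the removed login's own address with a one-shot revert token.
        if self._rank(actor) < ROLES["admin"] or self._rank(login) > self._rank(actor):
            raise PermissionDenied(f"{actor} cannot remove {login}")
        if self.members[login] == "owner":
            raise PermissionDenied("owner cannot be removed")
        old_role = self.members.pop(login)
        token = self._revert_token("role", login, old_role)
        self.outbox.notify(self.emails[login],
                           f"{actor} removed you from {self.account_id}", token)

    def change_email(self, actor: str, login: str, new_email: str) -> None:
        # Notice goes to the OLD address, the one an attacker does not control.
        if actor != login and self._rank(actor) < ROLES["owner"]:
            raise PermissionDenied(f"{actor} cannot change {login}'s address")
        old = self.emails[login]
        token = self._revert_token("email", login, old)
        self.emails[login] = new_email
        self.outbox.notify(old, f"contact address for {login} changed to {new_email}", token)

    def revert(self, token: str) -> None:
        kind, login, old = self.reverts.pop(token)   # KeyError on unknown or used token
        if kind == "role":
            self.members[login] = old
        else:
            self.emails[login] = old


def scam_scenario():
    """kbenson's steps 1-3, constructed: the OAuth grant adds scam_user as admin."""
    outbox = Outbox()
    acct = AdAccount.create("real_user", "real@victim.example", outbox)
    acct.add_member("real_user", "colleague", "col@victim.example", "admin")
    acct.add_member("real_user", "scam_user", "x@scam.example", "admin")
    try:
        acct.remove_member("scam_user", "real_user")      # step 3: blocked, owner
        owner_removed = True
    except PermissionDenied:
        owner_removed = False
    acct.remove_member("scam_user", "colleague")          # a peer admin can be removed
    address, _, token = outbox.sent[-1]                   # ...but is told, with a token
    acct.revert(token)                                    # colleague clicks the link
    return owner_removed, address, acct.members["colleague"], len(outbox.sent)


if __name__ == "__main__":
    print(scam_scenario())
```

The scenario shows the two outcomes side by side: the delegated admin cannot strip the creator, and the peer admin it can remove gets the notice and the means to undo it. The revert token is deliberately one-shot so a replayed link cannot flip the state back and forth.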
        
           | jellevdv wrote:
           | Maybe the oauth scope requested edit access to the FB
           | business manager? That way the scammer can remove OP from the
           | business and add himself via the API
        
         | throwbacktictac wrote:
         | I'm curious if the oAuth flow requested a specific scope to
         | have permission to remove the user from their Ads account. If
          | so, did Facebook make it clear that the permission was being
          | requested.
         | 
         | I must say that it was a pretty clever scheme.
        
           | Osiris wrote:
           | When you do a login with Facebook, does the popup show you
           | what permissions are being requested? I know I've seen that
           | before.
        
           | pbronez wrote:
           | Permissions scoping is a really under-utilized tool.
           | 
           | I see this most often with extensions, which usually want to
           | act on all domains when they should really need an allow list
           | of just 1-2 domains. There are also many app integrations
           | that use an API token that just straight bypasses login with
           | NO security restrictions.
           | 
           | I would use a lot more app integrations if I knew I could
           | trust the host platform to keep the apps honest.
           | 
           | I think we're missing a lot of innovation because we lack
           | secure and reliable integration points between commodity
           | services. Banking and Health are the most obvious issues. It
           | should be trivial for me to authorize a third-party app to
           | download transaction history from any bank without giving it
           | the ability to change anything. I should be able to assemble
           | my entire medical history by pulling from any medical office
           | I interact with, and push that to any provider I choose to
           | use.
           | 
           | There are lots of industry incentives to prevent this though.
           | It's just like the Cable Card saga. You need strong, un-
           | captured, technically-literate regulators to fix this stuff
           | and unleash broader innovation.
        
           | firloop wrote:
           | It's possible that the attack didn't happen through the
           | regular oauth credential request flow -- if the OP logged in
           | to Facebook inside of an app-controlled webview, the app
           | could have just exfiltrated the user's login cookie and
           | performed the change using "first-party" Facebook APIs.
        
             | jonplackett wrote:
             | The problem with many attacks is we've now been trained to
             | do dumb things - like putting our password into webviews
             | inside 3rd party apps - by reputable companies. So it
             | doesn't feel as insane as it should do.
        
               | andybak wrote:
               | Yes. A thousand times yes.
               | 
               | oAuth outside a browser is just training people to be
               | phished.
        
             | Ayesh wrote:
                | This is what I think too. WebView doesn't show the domain
                | of the page, and it is not possible to see if you are
                | really on the Facebook login page, or somewhere the attacker
             | controls. Unless the attacker was using Yubikey or some
             | sort of hardware token, the victim would have entered the
             | TOTP code too, which the attacker can ask and pass to
             | authenticate successfully.
        
               | donmcronald wrote:
               | How does a YubiKey prevent that kind of relay attack? If
               | those keys blindly sign whatever's given to them, there's
               | got to be a way to trick a user into signing something
               | malicious.
               | 
               | This [1] says that U2F avoids phishing by having the
               | browser tell the 2FA device the domain, but that seems a
               | bit weak to me. The same site even has an app where the
               | info is relayed via a browser plugin, so literally
               | relaying the data that's supposed to be trusted. The only
               | way I can see that actually working is if the security
               | key knew to only sign challenges for a specific domain.
               | 
               | 1. https://krypt.co/blog/posts/prevent-phishing-on-the-
               | web-with...
        
               | jrockway wrote:
               | The security of the browser implementation is important.
               | It provides the origin for the security hardware to sign,
               | and the authenticating server ("relying party") verifies
               | it. If your browser tells the key it's google.com when
               | it's really evil.com, then sure, you can log into
               | google.com if the user signs the request.
               | 
               | The WebAuthn spec says: "Direct communication between
               | client and authenticator means the client can enforce the
               | scope restrictions for credentials. By contrast, if the
               | communication between client and authenticator is
               | mediated by some third party, then the client has to
               | trust the third party to enforce the scope restrictions
               | and control access to the authenticator. Failure to do
               | either could result in a malicious Relying Party
               | receiving authentication assertions valid for other
               | Relying Parties, or in a malicious user gaining access to
               | authentication assertions for other users."
               | 
               | (https://w3c.github.io/webauthn/#sctn-client-
               | authenticator-pr...)
               | 
               | If you click further into the older FIDO spec, they cover
               | this more explicitly: "Malicious software on the FIDO
               | user device is able to read, tamper with, or spoof the
               | endpoint of inter-process communication channels between
               | the FIDO Client and browser or Relying Party application.
               | Consequences: Adversary is able to subvert [SA-2].
               | 
               | Mitigations: On platforms where [SA-2] is not strong the
               | security of the system may depend on preventing malicious
               | applications from being loaded onto the FIDO user device.
               | Such protections, e.g. app store policing, are outside
               | the scope of FIDO."
               | 
               | (https://fidoalliance.org/specs/fido-v2.0-id-20180227/fid
               | o-se...)
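The relay question raised by snazz, Ayesh and donmcronald, and the origin-binding answer given by tialaramex and jrockway, worked through as an added example; it is not code from the post, from evilginx2 or from the specs quoted above. It assumes an HMAC key shared between authenticator and relying party in place of the credential's key pair (what gets signed is the point, not the algorithm), a simplified "rpId must be the page host or a suffix of it" rule in the browser, the RFC 6238 test secret for the TOTP half, and a phishing host under the reserved .example domain.

```python
"""Added example: a relayed TOTP code lets a phishing page log in, a relayed
WebAuthn challenge does not. Hosts ending in .example are hypothetical."""
import hashlib, hmac, json, secrets, struct
from urllib.parse import urlparse

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def totp(secret: bytes, ts: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s steps)."""
    mac = hmac.new(secret, struct.pack(">Q", ts // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Authenticator:
    """Signs rpIdHash || flags || counter || SHA-256(clientDataJSON).
    Assumption: an HMAC key shared with the relying party stands in for the
    credential key pair; *what* is signed is the point, not the algorithm."""
    def __init__(self, cred_key: bytes):
        self.cred_key, self.counter = cred_key, 0

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        self.counter += 1
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(self.cred_key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return client_data, auth_data, sig

class Browser:
    """The client, not the page, supplies the origin and enforces rpId scoping:
    rpId must be the page host or a domain suffix of it (simplified rule)."""
    def __init__(self, authenticator: Authenticator, page_origin: str):
        self.authenticator, self.page_origin = authenticator, page_origin

    def credentials_get(self, rp_id: str, challenge: str):
        host = urlparse(self.page_origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not valid for {host!r}")
        return self.authenticator.get_assertion(rp_id, challenge, self.page_origin)

class RelyingParty:
    def __init__(self, rp_id: str, allowed_origins: set, cred_key: bytes):
        self.rp_id, self.allowed_origins, self.cred_key = rp_id, allowed_origins, cred_key

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False, "challenge mismatch"
        if cd.get("origin") not in self.allowed_origins:  # a relayed challenge dies here
            return False, "origin not allowed"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.cred_key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, sig) else (False, "bad signature")

# --- constructed scenario: real site vs. phishing page inside the app's WebView ---
REAL_ORIGIN = "https://www.facebook.com"
PHISH_ORIGIN = "https://tiktok-ads-business.example"
CRED_KEY = b"\x11" * 32
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret
RP = RelyingParty("facebook.com", {REAL_ORIGIN, "https://m.facebook.com"}, CRED_KEY)

def phished_totp_is_accepted(now: int = 1_600_000_000) -> bool:
    """Victim types the code into the phishing page; attacker replays it 5 s later.
    The real site only sees six digits and cannot tell where they were typed."""
    code_typed_into_phish_page = totp(TOTP_SECRET, now)
    return hmac.compare_digest(totp(TOTP_SECRET, now + 5), code_typed_into_phish_page)

def legitimate_webauthn_login():
    browser, challenge = Browser(Authenticator(CRED_KEY), REAL_ORIGIN), RP.new_challenge()
    return RP.verify(challenge, *browser.credentials_get("facebook.com", challenge))

def phished_webauthn_real_rpid() -> str:
    """Attacker relays the real challenge and asks the victim's browser for rpId facebook.com."""
    victim = Browser(Authenticator(CRED_KEY), PHISH_ORIGIN)
    try:
        victim.credentials_get("facebook.com", RP.new_challenge())
    except PermissionError as err:
        return f"browser refused: {err}"
    return "signed"

def phished_webauthn_own_rpid():
    """Attacker asks for its own rpId instead. (A real authenticator would hold no
    credential for it at all; we let it sign to show the relying-party checks.)"""
    victim, challenge = Browser(Authenticator(CRED_KEY), PHISH_ORIGIN), RP.new_challenge()
    assertion = victim.credentials_get("tiktok-ads-business.example", challenge)
    return RP.verify(challenge, *assertion)  # relayed to the real site

if __name__ == "__main__":
    print("TOTP relay accepted:", phished_totp_is_accepted())
    print("WebAuthn, real origin:", legitimate_webauthn_login())
    print("WebAuthn relay, rpId facebook.com:", phished_webauthn_real_rpid())
    print("WebAuthn relay, attacker rpId:", phished_webauthn_own_rpid())
```

Two things carry the whole argument, and both sit in the client rather than in the key: the browser writes the page's origin into clientDataJSON itself (the page cannot choose it), and the browser refuses to ask the authenticator for an rpId the page is not allowed to claim. That is exactly why the spec text jrockway quotes insists that anything mediating between client and authenticator, such as a relay through a browser extension, has to be trusted to enforce those same rules.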
        
               | donmcronald wrote:
               | I learned a lot from that. Thanks!
        
         | searchableguy wrote:
         | > I suppose the real lesson to be learned is to simply avoid
         | installing native applications when you can help it.
         | 
         | I looked at the playstore page and it immediately raised many
         | red flags. The app isn't by Tiktok or Bytedance.
         | 
         | It's like clicking on a similar looking domain link in your
         | email.
        
         | tgsovlerkhgsel wrote:
         | > OP didn't screenshot the login screen in app, so I can only
         | assume it was a real Facebook oauth flow
         | 
         | My guess would be that it was an in-app phishing page. Many
         | legitimate login flows result in the official login page
         | opening in a web view and asking for a password, which is
         | indistinguishable from a phishing page.
         | 
         | > but honestly at that point it's already too late. If anything
         | OP should be grateful that the native app running on what was
         | presumably his personal device didn't do anything worse.
         | 
         | On phones, sandboxing significantly reduces the risk. Yes, it
         | is possible to break out of the sandboxes if you have an
         | exploit for that device, but it's a lot harder than on desktop
         | where by default anything you install has full control over
         | everything and could just steal all the users' passwords.
        
           | tgb wrote:
           | > Many legitimate login flows result in the official login
           | page opening in a web view and asking for a password, which
           | is indistinguishable from a phishing page.
           | 
           | I don't understand how Google/Facebook/etc can allow this to
           | happen, let alone encourage it. I'm just baffled.
        
             | coddle-hark wrote:
             | How could they prevent it?
        
               | tgb wrote:
               | Ban apps that do that.
        
                | gruez wrote:
                | And how are they supposed to do that? If it's a fake
                | login (aka phishing) page, Facebook wouldn't even know
                | about it. The only _effective_ way is to dissuade
                | consumers from entering their login credentials in-app,
                | but even that's tricky because if it's a malicious app
                | they could "fake" a web browser complete with a fake
                | "address bar".
        
               | andybak wrote:
               | This is why "with a password manager" is a crucial part
               | of the puzzle.
               | 
               | You have to fail at several steps if you're entering your
               | credentials in this scenario.
        
             | tgsovlerkhgsel wrote:
             | AFAIK Google doesn't encourage it and made some efforts to
             | block it: https://auth0.com/blog/google-blocks-oauth-
             | requests-from-emb...
             | 
             | Hasn't been 100% effective unfortunately, and even if it
             | was, it's really hard to make users understand that this
             | flow is incredibly dangerous.
             | 
             | And while Google on Android can simply go through system
             | libraries, Facebook doesn't have the option if the app is
             | not installed. They have to open something that will allow
             | the user to log in (usually a browser), which is something
             | the app can fake (in the case of the browser, just fake the
             | whole browser UI, fake address bar included).
        
               | tgb wrote:
                | I misunderstood the part I quoted, I thought it was about
               | web pages asking you to log in via Google/Facebook. So
               | the problem I was thinking of is more generally entering
               | Google credentials into logins provided to us by a third
               | party. The "don't use the link in your email to log into
               | google, go to gmail.com instead" advice has been
               | seriously degraded by this. It should always be that if
               | you aren't already logged in, you have to go yourself to
               | gmail/facebook/etc and log in there.
        
         | bobbyi_settv wrote:
         | > avoid installing native applications when you can help it
         | 
         | Why couldn't a web site have stolen his credentials in the same
         | way?
        
           | JeanMarcS wrote:
            | I guess you'll have a better chance to spot that the URL is
            | fake than in an app where you won't see it.
        
             | andybak wrote:
             | And notice that you're logged out which is unusual in many
             | cases.
             | 
             | And a bunch of other potential signals that would be
             | missing in a native app.
             | 
             | It's not foolproof but it's a step forward.
        
         | Causality1 wrote:
         | To me the lesson is the same old basic web security practice:
         | don't click links, navigate to pages yourself. When he saw the
         | ad that interested him he should have googled the offer instead
         | of clicking on the ad.
        
         | rsync wrote:
         | "If anything OP should be grateful that the native app running
         | on what was presumably his personal device didn't do anything
         | worse."
         | 
         | I don't understand why _any_ of these actions would be taken
         | with a mobile phone ...
         | 
         | What I mean is, managing advertising campaigns and budgets and
         | managing assets and spend, etc., is kind of a complicated
         | workflow ... further, it's a fairly critical business process
         | involving a lot of money.
         | 
         | I can see ordering some workroom supplies or paying a hosting
         | bill with my phone ... but creating and managing ad campaigns ?
         | That seems very unwieldy and inefficient. Google adwords,
          | through the web based interface, is _very complex_ and there's
         | a lot of functions there. I can't imagine trying to do this on
         | a phone.
         | 
         | So what am I missing here ?
        
           | forgotmypw17 wrote:
           | It's not that unreasonable. When I am on the road, it can be
           | days between sitting at a desktop. If I can do something on
           | my mobile, I'll do it, or try.
           | 
           | I don't get involved in ad buys.
        
             | AdrianB1 wrote:
             | Laptops exist as a very efficient middle way between a
             | desktop and a mobile phone: all the desktop functionality
             | and the benefit of mobility. This is not an add :p
        
         | 8ytecoder wrote:
         | I fell to a (now) very obvious scam on Instagram. It seems to
         | me that it's really easy to bypass their checks. It was a fake
         | ad for a real product. They accepted PayPal and it took forever
         | to get PayPal to refund me. Worst yet, even after multiple
         | escalations PayPal continued to be on the website. Instagram
         | continued to show me ads for the exact same product from
         | different domains. I realized that PayPal is next to useless if
         | you're a victim of fraud. It's much better to use a credit card
         | directly (esp Amex or Discover) and challenge fraud than
         | PayPal.
        
           | jkoudys wrote:
           | Maybe it's because the banks are all pretty good and modern
           | in Canada, but I honestly just don't get PayPal. My credit
           | cards are all very easy to pay with, fraud detected quickly
           | and easy to dispute, and many purchase types insured.
        
           | yawboakye wrote:
           | I use PayPal as a front to my bank account via SEPA Direct
           | Debit, which has an 8-week no questions asked refund policy.
           | If PayPal doesn't cooperate when I raise the issue I can
           | easily get my money back through my bank. But I still like to
            | dispute just so the business goes on record for a fraudulent
            | transaction.
        
             | TedDoesntTalk wrote:
             | In the US, debit cards do not have the same consumer
             | protections that credit cards do. If you've gotten refunds
             | from your bank for debit card fraud, you are lucky.
             | 
             | https://www.investopedia.com/articles/personal-
             | finance/05021...
             | 
             | " But if the item was bought with a debit card, it cannot
             | be reversed unless the merchant is willing to do so. What
             | is more, debit card theft victims do not get their refund
             | until an investigation has been completed. Credit card
             | holders, on the other hand, are not assessed the disputed
             | charges; the amount is usually deducted immediately and
             | restored only if the dispute is withdrawn or settled in the
             | merchant's favor. While some credit and debit card
             | providers offer zero-liability protection to their
             | customers, the law is much more forgiving for credit card
             | holders."
        
               | viraptor wrote:
               | Direct debit is not a debit card. It's an authorisation
               | to pull funds from your debit account as needed.
        
             | avianlyric wrote:
             | You should be careful relying on that. While many Direct
             | Debit systems have some sort of quick refund guarantee,
             | they don't guarantee that you get to keep the money.
             | 
             | The normal flow will be your bank reimburses you from their
             | own pocket. Then goes after the merchant to recover the
             | funds, however if the merchant can present evidence that
              | the charge is valid then your bank will attempt to claw
             | the money back from you.
             | 
              | Now the important question here is what is a "valid"
              | payment. Normally the direct debit scheme will outline
              | what that is, and it's probably something very simple
              | like there being evidence that you requested the funds be
              | removed from your account. With something like PayPal
              | they can probably claim that the request was valid, at
              | least the bit between PayPal and the bank was, and that
              | the onwards movement of money is a separate issue that
              | doesn't fall under the direct debit guarantee.
             | 
             | It's worth really digging through the small print on these
             | things, they're frequently a lot less helpful than you
             | think, and PayPal has managed to exploit these little holes
             | to their benefit.
             | 
             | Personally I avoid using PayPal where possible and stick to
             | debit/credit card where you have a very simple relationship
             | between you, your bank and the merchant. Which makes
             | disputes much easier, and places the law very much on your
             | side. All this comes from experience dealing with disputes
              | from the bank's perspective, and trying to get the right
             | result for the customer, while dealing with payment
             | schemes, and regulatory obligations.
        
           | jrochkind1 wrote:
           | I recently made a purchase that turned out to be fraudulent
           | on paypal, and somehow had no trouble getting my money back
            | relatively promptly. It may have taken about a week from when
           | I filed "I never got the product, I think the whole website
           | was fraud".
        
         | beefield wrote:
         | > I suppose the real lesson to be learned is to
         | 
         | ...never, ever buy or even take anything from anyone who
         | approaches you without you being the original initiator of the
         | communication. Simple rule that applies to both online and real
         | world and makes your life simpler and safer.
        
           | stallmanite wrote:
           | This is my strategy as well. If I want something I initiate a
           | search. Incoming sales attempts do not exist in my universe.
        
             | forgotmypw17 wrote:
             | Be careful which search result you click:
             | 
             | https://wp.josh.com/2019/05/06/breaking-news-google-
             | adwords-...
        
               | coronadisaster wrote:
               | If you want to see where Google search results really
               | point to, you can right click it and then hover over it
               | to get the real destination... it's been like this for
               | 15+ years (google changes the destination on-click).
        
           | toxicFork wrote:
           | Also works nicely against advertising too, a good principle
           | ;)
        
           | _jahh wrote:
            | Except he clicked the link, he did initiate the communication
           | so your bizarrely overly paranoid guidance doesn't apply. Not
           | taking anything from anyone certainly closes you off to the
           | generosity that can be found in humans.
        
             | chuckSu wrote:
             | Yawn
        
             | zentiggr wrote:
             | When I'm curious about something that I might have to click
             | through, I DDG it and find source material. It's not overly
             | paranoid, it's been good advice for decades.
             | 
             | Telephone charity calls are exactly the same way in my
             | world, and started me down that handling path. If I look
             | your org up and you look legit, and I'm interested, we'll
             | see. You having called me isn't always strike one, but it
             | often is.
        
             | jonplackett wrote:
             | Yeah, but they SENT the link. That was the initiation.
        
           | TedDoesntTalk wrote:
           | This is an old tip my father gave me 40+ years ago that
           | applies to banking, mortgages, insurance, investing, credit
           | cards, and all personal finance.
        
             | AndrewUnmuted wrote:
             | Also a very good rule of thumb for recreational drugs and
             | other illicit activities.
        
           | spurdoman77 wrote:
           | Really nice guideline for work. Should spread it around.
        
           | mritchie712 wrote:
           | meh, he calls out the exact mistake he made. If I see an ad
           | and like the product, I go to the domain. If the domain is
           | legit (e.g. not developgameonline@gmail.com), you can start
           | to feel pretty good about it. We run ads. If you google my
            | company's name ("seekwell"), the entire first page is
           | properties that we've owned for years. This includes podcasts
           | and youtube videos.
           | 
           | It's ok for the initial pull to be an ad, but only buy from
           | the source.
        
             | headmelted wrote:
             | Not at all fool-proof.
             | 
             | What if they can register a very similar / regional domain
             | that you didn't set up already?
             | 
             | Normal rules don't apply when you're a criminal so spoofing
             | SSL cert names is something you might as well do too. It's
             | just not practical to examine and confirm the cert manually
             | of every company you interact with online.
             | 
             | These internets are dangerous, even if you know what you're
             | doing.
        
               | tialaramex wrote:
               | > Normal rules don't apply when you're a criminal so
               | spoofing SSL cert names is something you might as well do
               | too
               | 
               | SAN dnsNames in certificates in the Web PKI are verified
               | by the issuer - these days using one of the Ten Blessed
               | Methods. It would certainly be possible to obtain
               | certificates for a name you don't actually own, but it's
               | a bit beyond the usual casual crooks that run scams like
               | this. We see what appear to be nation state adversaries
                | doing it, as part of wider targeted hijack schemes (e.g.
               | to intercept IMAP credentials for a foreign government
               | agency) but it's definitely not something you see an ad
               | scammer doing.
               | 
               | Any vaguely competent modern browser checks the
               | certificate is trusted in the Web PKI and that it matches
               | the SAN dnsNames to the FQDN in the URL exactly so
               | there's no room for any funny business there.
               | 
               | And human readable names in end entity certificates are
               | largely irrelevant. Nobody looks at them, who cares?
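
The hostname check tialaramex describes, as an added example that is not part of this thread and not code from any browser: it matches the host from a URL against a certificate's SAN dNSName entries, with the single-label wildcard rule, so a constructed lookalike such as `examp1e.com` never matches a certificate issued for `example.com`. The rules follow RFC 6125 / CA/Browser Forum practice as simplified here (no Public Suffix List, so a wildcard is only required to sit under at least two further labels); the SAN list and hostnames are constructed sample data.

```python
"""Match a TLS certificate's SAN dNSName entries against the host in a URL.

Added illustration, not code from any browser. Rules are the RFC 6125 /
CA/Browser Forum ones as simplified here; all names are constructed samples.
"""
import ipaddress


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are label-for-label."""
    return name.lower().rstrip(".")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName (possibly a wildcard) matches hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    # A dNSName never matches an IP literal; that needs an iPAddress SAN entry.
    if _is_ip_literal(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        # Plain name: every label must match exactly, nothing more, nothing less.
        return p_labels == h_labels
    # Wildcard rules: the whole left-most label must be '*', no other label may
    # contain '*', and the wildcard must sit under at least two more labels so
    # that '*.com' style names are rejected (simplification: no PSL lookup).
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one label, so the label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def san_matches_hostname(san_dnsnames, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches the URL host."""
    return any(dnsname_matches(name, hostname) for name in san_dnsnames)


# Constructed sample: the SAN list a certificate for example.com might carry.
SAMPLE_SAN = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "EXAMPLE.COM.", "a.b.example.com", "examp1e.com"]:
        print(f"{host:20} -> {san_matches_hostname(SAMPLE_SAN, host)}")
```

The comparison is deliberately label-for-label rather than a substring or suffix test; a suffix test is exactly the kind of "funny business" that would let `evil-example.com` pass for `example.com`.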
        
               | jkoudys wrote:
               | The people here posting about how clever/careful they
               | are, which is why they haven't been scammed, are the ones
               | I see as most likely to get scammed (if they haven't been
                | already without realizing). Your best protection
               | against being tricked is realizing that you can be
               | tricked.
        
         | andybak wrote:
         | > so I can only assume it was a real Facebook oauth flow,
         | 
          | another reason why we should be training users to only do OAuth
         | in a browser with a password manager.
         | 
         | It's one last solid line of defence.
         | 
         | OAuth in a native app is a security risk.
        
           | donmcronald wrote:
           | That's not a silver bullet though. If the password manager
           | does a poor job of domain matching, the user gets accustomed
           | to having to manually search for logins once in a while.
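
The fill policy andybak and donmcronald are discussing, as an added example that is not code from any password manager: it decides whether a saved login may be offered on a page by comparing origins strictly (scheme, then exact host, then the registrable domain as a "related" tier) and separately flags page hosts that merely resemble the saved one, so a refusal can be explained to the user instead of training them to search the vault by hand. The registrable-domain helper uses a three-entry stand-in for the Public Suffix List, and every URL and host is constructed sample data.

```python
"""Strict autofill origin policy for a password manager (illustrative).

Added example, not code from any password manager. The Public Suffix List is
replaced by a three-entry stand-in; a real implementation ships the full list.
All URLs and hosts below are constructed sample data.
"""
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption: enough for the demo).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for host, e.g. 'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fill_decision(saved_url: str, page_url: str) -> str:
    """Decide whether a saved credential may be offered on page_url.

    'fill'    : same scheme and exactly the same host (the normal case)
    'related' : same scheme and registrable domain, e.g. a sibling subdomain;
                a manager would offer it but label it as a related site
    'refuse'  : anything else, including an https login on an http page
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if not saved.hostname or not page.hostname:
        return "refuse"
    # Never downgrade: a credential saved for https is not filled over http.
    if saved.scheme != "https" or page.scheme != "https":
        return "refuse"
    saved_host, page_host = saved.hostname.lower(), page.hostname.lower()
    if saved_host == page_host:
        return "fill"
    if registrable_domain(saved_host) == registrable_domain(page_host):
        return "related"
    return "refuse"


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_warning(saved_host: str, page_host: str) -> bool:
    """True when a refused host resembles the saved one closely enough that the
    user should be told why nothing was filled: the saved brand domain embedded
    in a foreign domain, or a host within two edits of the saved host."""
    saved_host, page_host = saved_host.lower(), page_host.lower()
    if registrable_domain(saved_host) == registrable_domain(page_host):
        return False  # same site, nothing suspicious
    if registrable_domain(saved_host) in page_host:
        return True   # e.g. www.example.com.<some-other-domain>
    return _levenshtein(saved_host, page_host) <= 2


if __name__ == "__main__":
    saved = "https://www.example.com"   # constructed vault entry
    for page in ["https://www.example.com/login",
                 "https://accounts.example.com/",
                 "https://www.example.com.evil.test/",
                 "https://www.examp1e.com/",
                 "http://www.example.com/"]:
        host = urlsplit(page).hostname
        print(f"{page:40} {fill_decision(saved, page):8} "
              f"lookalike={lookalike_warning('www.example.com', host)}")
```

The point of the second function is donmcronald's: a manager that silently finds nothing on `www.examp1e.com` teaches the user to go hunting in the vault, whereas one that says "this host looks like www.example.com but is not it" turns the refusal into the warning it should be.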
        
       | 0xbkt wrote:
       | I can't stress this enough.
       | 
       | Please always check for the correct spelling, punctuation and
       | stylizations of words/brands in a suspected ad. It's written as
       | "TikTok" everywhere, not "Tiktok". I almost always see this kind
       | of stylization errors in fraud ads.
        
         | segfaultbuserr wrote:
          | Good advice, and I generally pay attention to correct brand
         | stylizations, but I do have to acknowledge that the large
          | "TikTok" icon in the ad and the app description was attractive
         | enough for me to let my guard down (I'm not the author), I
         | didn't notice the incorrect "Tiktok" text in the app screen
         | until I saw your comment.
        
         | bluedino wrote:
         | They spelled 'voucher' two different ways (vocher), and the
         | poor grammar should be a sign of trouble.
        
           | pbhjpbhj wrote:
            | On the other hand, I spot errors in major brands' copy pretty
           | regularly.
           | 
           | Verification of origin is something companies need to put
           | more effort into in general.
        
       | redleggedfrog wrote:
       | "...and I'm generally very cautious with account security." "Two
       | days ago, I spotted an ad while browsing Facebook..."
       | 
       | Those two statements are mutually exclusive.
        
         | TillE wrote:
         | I'm constantly baffled by the number of tech-literate people
         | who don't use ad blockers. I don't know how they can stand it.
        
           | zerr wrote:
           | fwiw Facebook has a dedicated team for adblocker
           | circumvention.
        
           | Avamander wrote:
            | You're acting like Facebook isn't _hostile_ to adblockers,
           | Facebook is making it very difficult to block their ads
           | continuously.
        
             | drcongo wrote:
             | It's easy, I have every single Facebook owned domain
             | blocked at the network level and I never see a Facebook ad.
             | Or Facebook.
        
           | GoblinSlayer wrote:
           | He literally buys ads and fell for this scam because it
           | proposed ad credit. Oh, wait, he got what he deserved.
        
             | jlarocco wrote:
             | I wouldn't go quite that far, but the sense of
             | schadenfreude on reading the article was through the roof.
             | 
             | Spam and web advertising have always been underhanded, and
             | if a person with "15+ years in adtech" can't avoid an ad
             | scam, what does that mean for everybody else?
        
           | jacquesm wrote:
           | Unless you're in ad-tech there is no reason why you would.
        
         | akersten wrote:
         | Maybe not "spotted" an ad while browsing Facebook (since even
         | with uBlock Origin, FB is ruthless at shoving Sponsored posts
         | into the feed), but certainly _clicking_ on an ad disqualifies
          | one from being able to claim "I am cautious with account
         | security."
         | 
         | That was like, the #1 rule I learned in the 90's: don't click
         | on banner ads unless you want to get a virus or get scammed,
         | what the heck.
        
       | tscolari wrote:
       | Very shitty attitude from Paypal.
        
       | bjarneh wrote:
        | So _someone_ paid EUR8,235.82 for 2,126 clicks? Clicks are
       | getting expensive these days...
        
         | zurfer wrote:
          | well, someone paid 8k to show an ad to 2.6 million people, it
          | was just not a good ad
        
           | 9HZZRfNlpR wrote:
           | They probably want to run the budget as fast as possible
           | because sooner or later you get caught and care little how
           | effective it is or how much to optimize it.
        
           | bjarneh wrote:
            | I wonder what the average is, i.e., how many people have to
            | see an ad to click it. The only time I seem to click those
            | ads is by mistake.
        
       | s_dev wrote:
       | Scams like this are why walled gardens like the App Store exist.
       | 
        | There's no way a scam app like Tik Tok Business would be able to
       | stay on the App Store for a sustained period of time.
       | 
       | Even still the Dev admits himself he could have been more on
       | guard with an Android Developer name like "Develop App".
        
         | behringer wrote:
         | The Google App store is a walled garden. How come this scam app
         | operated long enough to get so many high reviews?
        
           | moneywoes wrote:
           | It's possible they bought the reviews
        
           | s_dev wrote:
           | Play Store is much more flexible than the App Store regarding
           | what it will allow published -- also how much attention it
           | places on its gatekeeping activity.
           | 
           | It is a walled garden but the walls simply aren't as high.
        
           | vezycash wrote:
           | You can buy reviews. Same would be possible in any other
           | store.
        
         | kzrdude wrote:
         | And why we have adblockers - because it's an as-if-unmoderated
         | stream of invasive and untrustworthy links.
        
           | thrownaway954 wrote:
            | I don't get how an adblocker would have helped in this case.
           | the victim could easily be conned into downloading this app
           | through a marketing email or some other way. the real issue
           | is that an app like this is even allowed on the play store at
           | all.
        
       | bo1024 wrote:
       | I think single-sign-on stuff and "Sign In with X" are a cancer.
       | They encourage you to type in your sensitive credentials all over
       | the place and hope it's safe.
        
       | junon wrote:
       | > Initiated a PayPal chargeback process - PayPal responded:
       | "we've determined there was no unauthorized use"
       | 
       | Yep. This is why I avoid PayPal like the plague. I've never heard
       | good things about them.
        
       | marcinzm wrote:
       | Facebook ads seem to be an ocean of scams. If I click the
       | comments of half the ads I see there's nothing but complaints
       | about products not shipping, fake closeout sales, cloning another
       | store and then not shipping, etc, etc. I'm guessing they delete
       | the bad comments so you can only imagine how many people must be
       | upset to not be able to handle the flood of bad comments. At this
       | point I just assume any Facebook ad is a scam of some kind.
        
         | behringer wrote:
         | I reported one such scam business and it's still operating
         | months later. Best to just block all facebook ads and ignore
         | any that slip through.
        
           | pbhjpbhj wrote:
           | Perhaps a 'truth in forums' regulation should require all
           | comments to be accessible, with the reason for their removal
           | from standard view being indicated? That way removal of all
           | negative comments could be monitored and consumers would have
           | sufficient information to moderate their trust in companies
           | advertising.
           | 
           | I reported one of the 'miracle showerheads' to UK Trading
           | Standards [it was possibly ASA?] as it clearly gave false
           | (physically impossible) claims. I was seeing lots of their
           | ads on FB and people were clearly falling for it.
           | 
           | They reported back that it was a foreign company and so they
           | couldn't do anything. Which is weird because they're allowed
           | to advertise to me, so they should have to follow the rules.
           | Also, they had a UK Trademark, which seems a major flaw -
           | protect the trade of scammers but don't hold them to account.
        
           | moneywoes wrote:
            | I have uBlock Origin and still get Facebook ads, any idea?
        
             | [deleted]
        
             | [deleted]
        
             | behringer wrote:
             | F.B. Purity should do the trick.
        
         | giarc wrote:
         | Ad account manager can actually delete comments from the ad.
        
           | marcinzm wrote:
           | Which is why I assume everything is a scam since the ones I
           | notice from comments are simply the ones that they either
           | didn't bother to delete comments on or had too many negative
           | comments to delete.
        
         | adrr wrote:
         | Ad providers should be liable for the content they distribute.
         | This would be so beneficial for society and prevent
         | malware/adware.
        
       | fokinsean wrote:
        | The app reviews are your first dead giveaway
       | 
       | > Tik Tok ads business is best application. It's very awesome
       | application.
       | 
       | And every other review is similar
        
       | ed25519FUUU wrote:
       | > _the app asked me to log in with Facebook to get the credits._
       | 
        | These places (facebook, google, etc) really need to separate the
        | "login with ____" button from an "authorized ___" button.
        | Several times I've tried to login using google only to be
        | greeted with a permission request, such as READING ALL OF MY
        | EMAILS. Even Dropbox requires you to give them permission to
        | your contacts if you want to login with google.
       | 
       | When you're not paying attention it's really easy to miss this
       | kind of thing. So much so that now I prefer creating an account
       | traditionally using a generated password.
        
       | homero wrote:
        | Wow, I saw that same ad for the tiktok ads a couple of days ago.
        | I almost clicked it but something seemed off with the colors.
        
       | justmyname wrote:
       | Thank you, Niek, for sharing that story. Such cases should be
       | maximally open and transparent for people to learn the real
       | risks.
        
       | saos wrote:
        | Wow, all that and OP still won't delete Facebook business account.
        
       | gm wrote:
       | I was scammed through PayPal, PayPal did the same thing to me,
       | basically gave me a "Looks good to us, case closed, go fuck
       | yourself." The negation of my case was automated, too. I received
       | the "resolution" a few seconds after submitting the case.
       | 
       | Thankfully, I had paid with a credit card as the PayPal funding
       | source for that transaction, and I disputed the charge with my CC
       | company, which found in my favor, and did a chargeback to PayPal.
       | 
       | After that, I immediately unlinked all of my funding sources from
       | PayPal and closed my decade+ account. Never again. Not as a
       | buyer, and certainly not as a seller.
        
       | tinus_hn wrote:
       | The moral of the story: if you use your Facebook account for
       | anything concerning money, do not enter its credentials into any
       | app or site that asks for it.
        
         | coldcode wrote:
         | Or don't use Facebook at all for anything. Facebook makes money
         | off of selling real people's information to anyone who pays; if
         | some of them are fake, or the purchaser is fake, it's still
         | money to Facebook. If the Facebook data customer is getting
         | ripped off, what incentive does Facebook have to police the
         | situation as long as they still get their cut?
        
           | tinus_hn wrote:
           | You can't stop Facebook from collecting information about you
           | by just not having an account.
        
       | nojvek wrote:
       | There's many things that stand out
       | 
       | 1) Google Playstore allowing someone to impede on the TikTok
       | brand.
       | 
       | 2) The app getting 10k+ fake reviews. At this point can you trust
       | the review system if it can be so easily manipulated?
       | 
       | 3) "Strangely enough this is possible without getting any emails
       | from Facebook." Facebook security is weak here. You shouldn't be
        | able to change ownership without explicit 2FA verification. OAuth
        | tokens can be easily phished. Password + 2FA device is much much
        | harder.
       | 
       | In general the trend I see is that Facebook and Google are driven
       | to making ad purchasing as frictionless as possible. Having
       | scammers, click-farms, fake reviews on their platform is good for
       | them, it helps them make more money. They'll happily tradeoff
       | human oversight/support and security for automated algorithms
       | that optimize $$$ growth.
       | 
       | Apple AppStore is polarizing. Some feel it has too much control,
       | but on the other hand I find a lot less scammy apps in Apple
       | AppStore than Google Playstore.
        
       | jrochkind1 wrote:
       | If I understand right, the scam was a phishing attempt, that
        | successfully got their facebook credentials (or an Oauth token?
       | they might not be sure?) and used them to buy ads on facebook in
       | that amount?
        
       | Tade0 wrote:
       | Wasn't PSD2[0] created for the purpose of preventing such scams?
       | 
       | [0] https://eur-lex.europa.eu/legal-
       | content/EN/TXT/HTML/?uri=CEL...
        
       | rvnx wrote:
       | TL;DR: guy clicked on a link promising him 3000 usd out of thin
       | air if he gives access to his account linked to PayPal. Malicious
       | user used his account to buy digital items (ads).
        
       | heavyset_go wrote:
       | And people chastise those who use ad blockers when ad networks
       | refuse to police their own content for malicious ads and code.
        
       ___________________________________________________________________
       (page generated 2020-09-14 23:00 UTC)