Australians are among the many thousands of people fooled by a sophisticated “malvertising” campaign impersonating the Commonwealth Bank of Australia (CBA) and Australian journalists.
A developer of antivirus and antimalware software, Bitdefender, describes the scam as a “Meta-powered investment fraud ecosystem” that spanned 25 countries.
Between February and March this year, the company identified and mapped a sprawling network across Europe, North America, South America, Asia, Oceania, and Africa that used “trusted news brands, real personalities, fabricated media narratives, emotional hooks, and advanced evasion techniques” to deceive victims into investing in fraudulent schemes.
Researchers uncovered 310 different but coordinated scam campaigns and documented more than 26,000 ad sightings.
The material was highly localised and appeared in over 15 languages. In effect, the scam had been franchised.
“A shared toolkit and playbook appear to be distributed to region-specific operators, allowing localised deployment while maintaining consistent monetisation funnels,” said Bitdefender. All the campaigns in the global analysis used Facebook paid ads.
Some featured a fake revelation, supposedly broadcast live on a major media outlet, which the ad sometimes claimed was information being suppressed; others featured the revelation of what was supposedly in a dead celebrity’s will; others touted the availability of a new “national investment platform.”
The Australian variants impersonated CBA CEO Matt Comyn and several journalists in an AI-generated video supposedly of a hard-hitting televised interview. This was the most commonly used scam and also ran in Europe, the UK and Canada.
Australia was targeted by around 12 campaigns, with CBA among several well-known large global banks impersonated.
These fake narratives were used as bait, with the real objective being investment fraud through high-risk trading platforms, binary options-type schemes, crypto schemes, and direct deposit funnels.
Bitdefender said there appeared to be at least two to three separate threat actor groups using the same scam playbook, as well as a smaller fourth independent sub-campaign.
“Internal campaign metadata and shared buyer identifiers indicate a Russian-speaking affiliate or management layer coordinating parts of the infrastructure,” the company said.
However, there was no evidence that the scammers were state-sponsored.
Facebook’s Response
Facebook’s parent company, Meta, said that it had introduced new tools to protect people from scams. They include Facebook alerts for suspicious friend requests, warnings of WhatsApp device linking, and advanced scam detection in its Messenger communications app.
Meta also announced that it had partnered with the Australian Federal Police, the New Zealand Police, the Federal Bureau of Investigation (FBI) and other law enforcement agencies in a Royal Thai Police Anti-Cyber Scam Centre operation named Joint Disruption Week.
“Based on information shared by law enforcement partners, Meta disabled over 150,000 accounts involved in or supporting scam centre networks, and the Royal Thai Police Anti-Cyber Scam Centre arrested 21 individuals for their involvement in scam activity,” the company said.
How the Scams Operated
The company explained that the scam had five distinct stages. First, a victim would see a sponsored Facebook post featuring a scandal clip, an exposé, or a “deleted interview.” The link in the ad would appear to point to a trusted site—sometimes this was real, and sometimes a convincing duplicate.
The victim would then be silently transferred from the safe-looking preview to a suspicious destination.
A fake news article or dramatic narrative would be used to secure the person’s interest, and then push them to “register,” “unlock access,” or “start earning.”
To do this, the victim would have to provide details such as their name, phone number, email address, and sometimes additional information. As soon as that information was received, it would be passed to a call centre.
The victim would receive a call from someone claiming to be an independent finance broker or to represent a trading platform. They would be pressured to deposit a minimum amount and, within a short time, a fake “dashboard” would show fabricated early profits.
With the supposed success of early trades as “evidence,” the victim would then be pressured to increase deposits. If they asked to withdraw their money, they would be given various excuses as to why this was impossible.
Additionally, some ad variants redirected users to cloned websites or fraudulent online shops, potentially enabling data harvesting, extortion, or other malicious activities.
Bitdefender offers a free online link checker to determine whether links are malicious before clicking on them.






















