As someone who's fairly involved with the e-commerce/digital marketing space, let me just say I'm amazed by how brazenly nasty this scam is.
The TikTok promotional program is actually a real thing that does give around that amount of ad credit, and they have been promoting it very aggressively on Facebook for a long while now, so it makes sense that OP wouldn't have had any mental red flags triggered by the designs and creatives used by the scammers. The real killer is that PayPal is actually well within their rights to process this transaction (as part of the billing agreement generated when you link PayPal to Facebook Ads Manager: there actually was real ad spend in a real Facebook ad auction), so it's down to Facebook itself to refund the ad spend. (As an aside, I'm actually impressed that OP managed to reach Facebook support at all, and that they acknowledged or even understood what the problem was. I have had worse experiences in the past with FB...). What's really amazing to me is that the scammers managed to get on Google Play with thousands of obviously fake reviews, and get through Facebook ad review at all.
The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.
I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it. OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow, but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.
...never, ever buy or even take anything from anyone who approaches you without you being the original initiator of the communication. Simple rule that applies to both online and real world and makes your life simpler and safer.
If you want to see where Google search results really point to, you can right click it and then hover over it to get the real destination... it's been like this for 15+ years (google changes the destination on-click).
Just checked; and while they did indeed use to change the URL (on mousedown (!) - which was infuriating, because right-clicking to copy URLs produced a mess I'd then have to pass to data:text/plain,... in a new tab to extract the URL-encoded... agh), they currently really do just leave the link alone now.
They just fire off a request to google.com/url?... to track the click before letting you on your merry way.
That used to be my strategy until a salesman knocked on my door offering heavily discounted ceiling insulation, which is something I had half-heartedly always wanted but never got round to buying. He said my address was one chosen by the government to give a subsidy to but funds were limited so it was first come first served or risk missing out. Sounded suspicious so I checked with the government who confirmed everything the salesman said was true. I got a 2nd quote from another installer but the door-knocker was cheaper so I bought his. I wouldn't have known the subsidy was available without him and would have missed out on a genuine rare high-value giveaway.
The sad thing is, this is simultaneously the only way to stay safe AND also the underpinning of almost the entire ad industry - and in turn about half of the money that funds what we think of as "the internet" today.
It really sucks that it seems like we've built the most important infrastructure of our generation effectively on quicksand.
I see your position, but I don't view placing an ad as an initiation. He still initiated the conversation by clicking on the ad like he would've if he had called a phone number or anything else and therefore could still have been scammed.
When I'm curious about something that I might have to click through, I DDG it and find source material. It's not overly paranoid, it's been good advice for decades.
Telephone charity calls are exactly the same way in my world, and started me down that handling path. If I look your org up and you look legit, and I'm interested, we'll see. You having called me isn't always strike one, but it often is.
Legitimate organizations are not always a safe bet either. For instance, today I received a phone call supposedly from the Breast Cancer Research Foundation soliciting donations. The organization itself is legit, and the number they appear to be calling from could also be legit, but the number they're calling from could be spoofed.
Personally, I prefer to follow the OP's advice, and only provide information if I initiate the call. Or, more specifically, I'm willing to provide only the information you could find in a phone book, such as name, phone number, and address, and if they truly want my donation, they can mail me something for the request. Still, it could result in mail fraud, but the likelihood is pretty low at that point.
meh, he calls out the exact mistake he made. If I see an ad and like the product, I go to the domain. If the domain is legit (e.g. not developgameonline@gmail.com), you can start to feel pretty good about it. We run ads. If you google my company's name ("seekwell"), the entire first page is properties that we've owned for years. This includes podcasts and youtube videos.
It's ok for the initial pull to be an ad, but only buy from the source.
What if they can register a very similar / regional domain that you didn’t set up already?
Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too. It’s just not practical to examine and confirm the cert manually of every company you interact with online.
These internets are dangerous, even if you know what you’re doing.
The people here posting about how clever/careful they are, which is why they haven't been scammed, are the ones I see as most likely to get scammed (if they haven't been already without realizing). Your best protection against being tricked is realizing that you can be tricked.
> Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too
SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods. It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targeted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.
Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.
And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?
You are replying to a point that the GP didn't make. This was the precursor for the might-as-well-go-for-letsencrypt statement:
"What if they can register a very similar / regional domain that you didn’t set up already?"
In other words, they register fakebook.com and then just go get a TLS cert for it. If you're not looking carefully, you might not notice the difference.
Whether the CA system, with fungible, interchangeable certificates that can be issued by dozens of CAs (pinning excepted), is worth sinking lots of trust into is an entirely different matter ;)
The Web PKI does a pretty good job of making the web browser do what lay people assume it did anyway. Surely this is news.ycombinator.com or else why does it say so in the URL bar? Without the Web PKI there was no assurance of that whatsoever, which is not intuitively obvious.
But a very similar domain is the wrong domain. This is not a great novelty, people are aware that a ROJEX watch isn't the real deal, no surprise Fakebook isn't the social media site you actually wanted either.
In terms of authentication, this is where WebAuthn shines because it's tied to that actual domain name. Even if you're 100% dead certain this is really Facebook, your WebAuthn authenticator can't help you. There is no "Look, I know the URL says Fakebook, but ignore that, I am 100% sure this is really Facebook, just shut up and take my money" button.
So my point was that having news.ycombimator.com in the title and address bar is not going to flag anything if they both match and have an SSL cert that's been signed by an authority.
Probably more relevant is that if I have registered luxowatch.com to sell my lovely watches, but am a small store, I certainly won't have registered (as yet) a bunch of global domains. There's nothing stopping you registering luxowatch.co.uk or luxowatch.net with a valid SSL cert to scam my potential customers. Cloning my site to one of those domains (with cert) can be done almost instantly for close to zero cost.
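The two points in this exchange, that browsers match the certificate's SAN dnsNames to the URL host exactly, and that a lookalike domain with its own perfectly valid certificate is therefore the realistic attack, can both be shown in code. The following is an added example, not code from the thread or from any of the companies named; the matching rules follow how browsers apply RFC 6125 (case-insensitive, label-for-label, wildcard only as the whole left-most label covering exactly one label, no wildcard directly under a public suffix), and the certificates and brand names are constructed. The lookalike enumerator goes a little beyond the thread by adding typo variants alongside the regional TLD variants the comment above mentions.

```python
"""Added example: SAN dnsName matching as browsers do it, plus a lookalike
enumerator a site owner can use to build a monitoring list. Not the
thread's code; all certificates and brand names below are constructed."""

def _match_label_pattern(pattern, host):
    """Match one SAN dnsName pattern against a URL host (RFC 6125 style).

    * comparison is case-insensitive and exact, label for label;
    * a wildcard is only honoured as the entire left-most label
      ("*.example.com"), never "f*.example.com";
    * the wildcard covers exactly one label, so "*.example.com" matches
      "www.example.com" but neither "example.com" nor "a.b.example.com";
    * a wildcard directly under a public suffix ("*.com") is rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False                # wildcard only as the whole left-most label
    if len(p_labels) < 3:
        return False                # "*.com" style wildcards are rejected
    if len(h_labels) != len(p_labels):
        return False                # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, host):
    """True if any SAN dnsName in the certificate covers the URL host."""
    return any(_match_label_pattern(p, host) for p in san_dns_names)


# Constructed certificates: the legitimate one, and a scammer's equally valid
# certificate for a lookalike name. The second is "real" in the Web PKI; it
# simply is not a certificate for the name the victim meant to visit.
REAL_CERT = ["facebook.com", "*.facebook.com"]
LOOKALIKE_CERT = ["fakebook.com", "*.fakebook.com"]


def lookalike_domains(brand, tlds=("com", "net", "co.uk", "de", "io")):
    """Enumerate cheap lookalikes of a brand label: the same label under
    other TLDs, plus one-character deletions, substitutions and swaps."""
    brand = brand.lower()
    cands = set(f"{brand}.{tld}" for tld in tlds)
    letters = "abcdefghijklmnopqrstuvwxyz"
    for i in range(len(brand)):
        cands.add(f"{brand[:i]}{brand[i + 1:]}.com")            # deletion
        for c in letters:
            if c != brand[i]:
                cands.add(f"{brand[:i]}{c}{brand[i + 1:]}.com")  # substitution
    for i in range(len(brand) - 1):
        swapped = brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:]
        cands.add(f"{swapped}.com")                              # transposition
    return sorted(cands)


def unregistered_lookalikes(brand, owned):
    """Lookalikes that are not in the set of domains you already hold."""
    return [d for d in lookalike_domains(brand) if d not in owned]
```

Usage: `cert_matches_host(LOOKALIKE_CERT, "facebook.com")` is `False` and `cert_matches_host(LOOKALIKE_CERT, "fakebook.com")` is `True`, which is exactly the situation the thread describes; `unregistered_lookalikes("luxowatch", {"luxowatch.com"})` lists `luxowatch.co.uk` and `luxowatch.net` among the names a small store has not registered.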
> OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow
My guess would be that it was an in-app phishing page. Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.
> but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.
On phones, sandboxing significantly reduces the risk. Yes, it is possible to break out of the sandboxes if you have an exploit for that device, but it's a lot harder than on desktop where by default anything you install has full control over everything and could just steal all the users' passwords.
> Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.
I don't understand how Google/Facebook/etc can allow this to happen, let alone encourage it. I'm just baffled.
Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.
And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).
I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook. So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.
And how are they supposed to do that? If it's a fake login (aka phishing) page facebook wouldn't even know about it. The only effective way is to dissuade consumers from entering their login credentials in-app, but even that's tricky because if it's a malicious app they could "fake" a web browser complete with a fake "address bar".
They're supposed to ban the legitimate apps, so as to not normalize the interface that leads to phishing attempts. Right now, it's totally encouraged by google to enter your login credentials by clicking "log in with google" at a random site and just typing into the fields presented to you.
I'm curious if the OAuth flow requested a specific scope to have permission to remove the user from their Ads account. If so, did Facebook make it clear that the permission was being requested.
Permissions scoping is a really under-utilized tool.
I see this most often with extensions, which usually want to act on all domains when they should really only need an allow list of just 1-2 domains. There are also many app integrations that use an API token that just straight bypasses login with NO security restrictions.
I would use a lot more app integrations if I knew I could trust the host platform to keep the apps honest.
I think we're missing a lot of innovation because we lack secure and reliable integration points between commodity services. Banking and Health are the most obvious issues. It should be trivial for me to authorize a third-party app to download transaction history from any bank without giving it the ability to change anything. I should be able to assemble my entire medical history by pulling from any medical office I interact with, and push that to any provider I choose to use.
There are lots of industry incentives to prevent this though. It's just like the Cable Card saga. You need strong, un-captured, technically-literate regulators to fix this stuff and unleash broader innovation.
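The extension complaint above (wanting to act on all domains instead of an allow list of one or two) is something you can check mechanically before installing. Below is an added example, not the thread's code and not any vendor's tool: a small linter for a browser-extension `manifest.json` that flags catch-all host patterns, hosts outside an allow list, and a handful of sensitive API permissions. The field names (`permissions`, `host_permissions`, `content_scripts[].matches`) are the real Chrome/Firefox ones, with MV2 putting match patterns in `permissions` and MV3 in `host_permissions`; the list of "sensitive" permissions is my own choice and the two sample manifests are constructed.

```python
"""Added example: lint a browser-extension manifest for over-broad host access.
Not the thread's code. Sample manifests below are constructed."""
import json

# Catch-all match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (author's selection, not an official list).
SENSITIVE_API_PERMS = {"webRequest", "webRequestBlocking", "cookies", "history",
                       "tabs", "nativeMessaging", "debugger", "clipboardRead",
                       "proxy", "declarativeNetRequestWithHostAccess"}


def host_patterns(manifest):
    """Collect match patterns from both the MV2 and MV3 locations."""
    pats = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                pats.append(p)
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def _host_of(pattern):
    """'https://*.example.com/*' -> '*.example.com'."""
    return pattern.split("://", 1)[1].split("/", 1)[0]


def is_broad(pattern):
    """Catch-all patterns, or any pattern whose host part is just '*'."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    if "://" not in pattern:
        return False
    return _host_of(pattern) in ("*", "")


def lint_manifest(manifest, allowlist):
    """Return human-readable findings; an empty list means the manifest is
    scoped to the allow list and requests no flagged API permission."""
    findings = []
    for p in host_patterns(manifest):
        if is_broad(p):
            findings.append(f"broad host access: {p}")
            continue
        host = _host_of(p).lstrip("*.")          # '*.facebook.com' -> 'facebook.com'
        if not any(host == a or host.endswith("." + a) for a in allowlist):
            findings.append(f"host outside allow list: {p}")
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_API_PERMS:
            findings.append(f"sensitive API permission: {perm}")
    return findings


# Constructed manifests: a greedy one and a properly scoped one.
GREEDY = json.loads('''{
  "manifest_version": 3, "name": "Ad helper",
  "permissions": ["cookies", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]
}''')
SCOPED = json.loads('''{
  "manifest_version": 3, "name": "Ads dashboard",
  "permissions": ["storage"],
  "host_permissions": ["https://*.facebook.com/*", "https://business.facebook.com/*"]
}''')

if __name__ == "__main__":
    for name, m in (("GREEDY", GREEDY), ("SCOPED", SCOPED)):
        print(name, lint_manifest(m, {"facebook.com"}) or "ok")
```

Run it against an unpacked extension's `manifest.json` with the one or two domains you actually expect it to touch; anything it prints is a question for the developer before the install, not after.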
It's possible that the attack didn't happen through the regular oauth credential request flow — if the OP logged in to Facebook inside of an app-controlled webview, the app could have just exfiltrated the user's login cookie and performed the change using "first-party" Facebook APIs.
The problem with many attacks is we've now been trained to do dumb things - like putting our password into webviews inside 3rd party apps - by reputable companies. So it doesn't feel as insane as it should do.
It's not just limited to webviews and tech companies.
When my bank calls me up about an issue with my account, they won't talk to me unless I give them my date of birth and email address for 'data protection' purposes.
They're always really confused when I say I will have to call them back.
This is what I think too. WebView doesn't show the domain of the page, and it is not possible to see if you are really in Facebook login page, or somewhere the attacker controls. Unless the attacker was using Yubikey or some sort of hardware token, the victim would have entered the TOTP code too, which the attacker can ask and pass to authenticate successfully.
How does a YubiKey prevent that kind of relay attack? If those keys blindly sign whatever's given to them, there's got to be a way to trick a user into signing something malicious.
This [1] says that U2F avoids phishing by having the browser tell the 2FA device the domain, but that seems a bit weak to me. The same site even has an app where the info is relayed via a browser plugin, so literally relaying the data that's supposed to be trusted. The only way I can see that actually working is if the security key knew to only sign challenges for a specific domain.
The security of the browser implementation is important. It provides the origin for the security hardware to sign, and the authenticating server ("relying party") verifies it. If your browser tells the key it's google.com when it's really evil.com, then sure, you can log into google.com if the user signs the request.
The WebAuthn spec says: "Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials. By contrast, if the communication between client and authenticator is mediated by some third party, then the client has to trust the third party to enforce the scope restrictions and control access to the authenticator. Failure to do either could result in a malicious Relying Party receiving authentication assertions valid for other Relying Parties, or in a malicious user gaining access to authentication assertions for other users."
If you click further into the older FIDO spec, they cover this more explicitly: "Malicious software on the FIDO user device is able to read, tamper with, or spoof the endpoint of inter-process communication channels between the FIDO Client and browser or Relying Party application.
Consequences: Adversary is able to subvert [SA-2].
Mitigations: On platforms where [SA-2] is not strong the security of the system may depend on preventing malicious applications from being loaded onto the FIDO user device. Such protections, e.g. app store policing, are outside the scope of FIDO."
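The difference between the TOTP relay described a few comments up and the WebAuthn origin binding explained here comes down to what the server can verify, and it is small enough to show end to end. The following is an added example, not code from the thread or from the FIDO specs: a stdlib-only model of a TOTP check, and of the three WebAuthn parties (authenticator, browser/client, relying party). The authenticator's ECDSA signature is stood in for by an HMAC with a per-credential secret over exactly the bytes a real authenticator signs (`authenticatorData || SHA-256(clientDataJSON)`); the relying-party checks (type, origin, challenge, rpIdHash, signature) are the ones the WebAuthn spec requires. Origins, secrets and the challenge are constructed. The last function models the [SA-2] failure the quoted FIDO text describes: a client that lies to the authenticator.

```python
"""Added example: why a relayed TOTP code works for a phisher and a relayed
WebAuthn assertion does not, and why a lying client (webview, malware) still
breaks it. HMAC stands in for the authenticator's ECDSA signature."""
import base64, hashlib, hmac, json, struct

# ---- TOTP (RFC 6238): the code carries no information about who asked ----
def totp(secret, t, step=30, digits=6):
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_relay(user_secret, t):
    """Phishing page asks the victim for the code and forwards it within the
    same 30 s window; the real site's check has no way to tell."""
    code_typed_into_phishing_page = totp(user_secret, t)
    return code_typed_into_phishing_page == totp(user_secret, t)

# ---- WebAuthn: the assertion is bound to the origin the client saw ----
def _b64url(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def authenticator_sign(cred_secret, rp_id, client_data_json):
    """The security key: authenticatorData starts with rpIdHash = SHA-256(rpId)
    as supplied by the client; it signs authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
            "signature": hmac.new(cred_secret, signed, hashlib.sha256).digest()}

def browser_get_assertion(cred_secret, origin, challenge):
    """An honest client fills in the origin it is really on and derives the
    RP ID from it; the page cannot influence either value."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": origin}, sort_keys=True).encode()
    return authenticator_sign(cred_secret, rp_id, client_data)

def rp_verify(cred_secret, expected_origin, expected_rp_id, challenge, assertion):
    """Relying party checks: type, origin, challenge, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != _b64url(challenge):
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_secret, signed, hashlib.sha256).digest(),
                               assertion["signature"])

CHALLENGE = hashlib.sha256(b"constructed server nonce").digest()

def webauthn_legit(cred_secret, origin="https://facebook.com"):
    assertion = browser_get_assertion(cred_secret, origin, CHALLENGE)
    return rp_verify(cred_secret, origin, "facebook.com", CHALLENGE, assertion)

def webauthn_relay(cred_secret, phishing_origin="https://fakebook.com"):
    """Phishing page relays facebook.com's challenge to the victim's honest
    browser and forwards the assertion: origin and rpIdHash both mismatch."""
    assertion = browser_get_assertion(cred_secret, phishing_origin, CHALLENGE)
    return rp_verify(cred_secret, "https://facebook.com", "facebook.com", CHALLENGE, assertion)

def compromised_client_relay(cred_secret):
    """[SA-2] violated: the client itself (malicious webview/app) tells the
    authenticator it is facebook.com. The key signs; the RP cannot tell."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(CHALLENGE),
                              "origin": "https://facebook.com"}, sort_keys=True).encode()
    assertion = authenticator_sign(cred_secret, "facebook.com", client_data)
    return rp_verify(cred_secret, "https://facebook.com", "facebook.com", CHALLENGE, assertion)
```

So the key does "blindly sign what it is given", as the question above puts it, but what it is given includes the RP ID hash and a hash of client data naming the origin, both supplied by the client rather than the page. An honest browser on a phishing page produces an assertion the real site rejects; a dishonest client is exactly the case the FIDO text leaves to app-store policing and platform sandboxing.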
I fell to a (now) very obvious scam on Instagram. It seems to me that it's really easy to bypass their checks. It was a fake ad for a real product. They accepted PayPal and it took forever to get PayPal to refund me. Worse yet, even after multiple escalations PayPal continued to be on the website. Instagram continued to show me ads for the exact same product from different domains. I realized that PayPal is next to useless if you're a victim of fraud. It's much better to use a credit card directly (esp Amex or Discover) and challenge fraud than PayPal.
I use PayPal as a front to my bank account via SEPA Direct Debit, which has an 8-week no questions asked refund policy. If PayPal doesn’t cooperate when I raise the issue I can easily get my money back through my bank. But I still like to dispute just so the business goes on record for fraudulent transaction.
You should be careful relying on that. While many Direct Debit systems have some sort of quick refund guarantee, they don't guarantee that you get to keep the money.
The normal flow will be your bank reimburses you from their own pocket. Then it goes after the merchant to recover the funds; however, if the merchant can present evidence that the charge is valid then your bank will attempt to claw the money back from you.
Now the important question here is what a "valid" payment is. Normally the direct debit scheme will outline what that is, and it's probably something very simple like there being evidence that you requested the funds be removed from your account. With something like PayPal they can probably claim that the request was valid, at least the bit between PayPal and the bank was, and that the onwards movement of money is a separate issue that doesn't fall under the direct debit guarantee.
It's worth really digging through the small print on these things, they're frequently a lot less helpful than you think, and PayPal has managed to exploit these little holes to their benefit.
Personally I avoid using PayPal where possible and stick to debit/credit card where you have a very simple relationship between you, your bank and the merchant. Which makes disputes much easier, and places the law very much on your side. All this comes from experience dealing with disputes from the banks perspective, and trying to get the right result for the customer, while dealing with payment schemes, and regulatory obligations.
Good call. I was referring to SEPA Direct Debit. I should have been clearer. With SEPA Direct Debit, I get an 8-week no questions asked refund, regardless of the nature of the business. In fact, I've used it to recover money from government agencies and businesses that auto-renewed annual contracts without my consent.
In the US, debit cards do not have the same consumer protections that credit cards do. If you’ve gotten refunds from your bank for debit card fraud, you are lucky.
“ But if the item was bought with a debit card, it cannot be reversed unless the merchant is willing to do so. What is more, debit card theft victims do not get their refund until an investigation has been completed. Credit card holders, on the other hand, are not assessed the disputed charges; the amount is usually deducted immediately and restored only if the dispute is withdrawn or settled in the merchant's favor. While some credit and debit card providers offer zero-liability protection to their customers, the law is much more forgiving for credit card holders.”
It might help to read a little about how SEPA Direct Debit works. To begin, it's a European scheme, not American. Not every merchant can sign up for SEPA Direct Debit. They need another bank to be their guarantor (called your SEPA Direct Debit Creditor). When I have issues with a transaction and order a refund within 8 weeks of the transaction, I get my money back, no questions asked. I've used this to recover money from all sorts of businesses and government agencies.
The business can only dispute if I requested my money back _after_ the 8 weeks. That's when the evidence and back-and-forth with the business comes in.
I recently made a purchase that turned out to be fraudulent on paypal, and somehow had no trouble getting my money back relatively promptly. Maybe have taken about a week from when I filed "I never got the product, I think the whole website was fraud".
Be careful, you can still get scammed here. I got hit for a $75 scam product that I bought with my CC, mistakenly thinking I would be protected. The scammers knew what they were doing though. They ship you a super super super cheap version of the product from china, taking advantage of those low low China -> US shipping rates, so that they have certificate of delivery. So you can't say you never got the product. And in that case, both paypal and the CC company require that you send the item back. Shipping the item back to china costs more than the item itself. So there's no point. Scammers won.
Maybe it's because the banks are all pretty good and modern in Canada, but I honestly just don't get PayPal. My credit cards are all very easy to pay with, fraud detected quickly and easy to dispute, and many purchase types insured.
"If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse."
I don't understand why any of these actions would be taken with a mobile phone ...
What I mean is, managing advertising campaigns and budgets and managing assets and spend, etc., is kind of a complicated workflow ... further, it's a fairly critical business process involving a lot of money.
I can see ordering some workroom supplies or paying a hosting bill with my phone ... but creating and managing ad campaigns ? That seems very unwieldy and inefficient. Google adwords, through the web based interface, is very complex and there's a lot of functions there. I can't imagine trying to do this on a phone.
It's not that unreasonable. When I am on the road, it can be days between sitting at a desktop. If I can do something on my mobile, I'll do it, or try.
Laptops exist as a very efficient middle way between a desktop and a mobile phone: all the desktop functionality and the benefit of mobility. This is not an ad :p
That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.
> The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.
This hints of not having 2 factor authentication anywhere in the chain?
Would definitely advise to setup 2 factor authentication on anything managing 5 figure sums.
2FA is how you protect your credentials from being stolen and used. This wasn't a case of credentials being stolen, this is a case of someone being tricked into authorizing a separate account to take action. The hacker didn't change his credentials to lock him out, it literally revoked access from his Facebook login to the ad account.
I'm using "login" and "account" specifically here to highlight the difference. On systems where there are likely to be multiple people that need access, there's a distinction between the "service account" and "logins or user accounts" that can control it. Generally, when the service account is created by a login, that login is added implicitly as a controlling user account with full privileges, and other user accounts (logins) can be added with varying levels of control. This situation appears to have been along the lines of the following:
1. User "real_user" creates facebook ads account id 123456, and real_user is the admin of the ads account id 123456.
2. At some point real_user adds "scam_user" to the facebook ads account id 123456 with full admin permissions.
3. scam_user uses the full admin permissions it has for facebook ads account 123456 to remove access for real_user.
Note that this is a fully legitimate and common action to take in systems like this. If you are a business and pay someone to manage your facebook ads, they are likely the admin on the account (and you may be too), and if they leave and you hire a new person to manage it, you would want to revoke the old employee's account access and add access to the new employee's account.
This is how you handle it on Google Suite, Zoom's business accounts, Active Directory in Windows domains, etc. The real problem here is that the scammer got enough permissions to revoke the original user, and the original user did not get an email notification. I'm not sure if facebook ads allows adding accounts with limited permissions so only certain actions can be taken and part of the scam was making the permissions asked for non-obvious, or if that's a permissions distinction facebook ads doesn't support.
Maybe the OAuth scope requested edit access to the FB business manager? That way the scammer can remove OP from the business and add himself via the API
I was surprised too since OP's writeup indicates that he has 2FA on everything. You would think that you'd at least get an email or push notification if you get removed from an ad account/notification settings get changed, so it seems like an oversight by FB.
Hardly anybody does the "when changing an email address on an account send an email to the old address to allow them to revert the change and temporarily lock the account". It seems like such an obvious thing to do.
The real lesson is to install ublock origin and be done with deceptive advertising.
Last time I tried to find nvidia drivers for windows 1st result was an obvious scam/crapware. This is not acceptable that big tech companies are making money while not taking responsibility for advertisements.
Is this something that could have just as easily happened through Apple's app store? This sounds like exactly the type of thing that those 30% app store cuts should be going towards to prevent (regardless of the platform).
To me the lesson is the same old basic web security practice: don't click links, navigate to pages yourself. When he saw the ad that interested him he should have googled the offer instead of clicking on the ad.
>Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.
Come on, dude.
I will say that even the most experienced techies among us sometimes become complacent and let our guard down. It's exhausting having to constantly second-guess every application you want to run.
(Not interested in starting another platform flame war, but this is the main reason I don't use Android. I deal with enough paranoia running Windows daily. Maybe I'm misinformed, but I'm also probably not unique in this respect)
I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business ?
>I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business ?
I bet that it is possible to slip through the review process however there's also a safeguard on the developer account creation. Apple wouldn't let you create a developer account using vouchers, PayPal or prepaid cards, at least not from countries where scams are commonplace. Also you would be asked to provide documentation of company registration to have an account named “Develop App”.
It is a common theme on HN to trash Apple on its "draconian restrictions" but the reality is that Apple AppStore is a safe place to be. You don't have to study the App before downloading it, you first download then decide if you want to keep it and security is never a concern. The Apple tax is something I am happy to pay for that luxury.
I am a developer and I have no idea what com.acazira.tforbusiness means. What keeps it from being com.toktik.forbusiness?
On AppStore this is something that you type yourself on the project configuration screen in XCode and I don't remember reading any restrictions about it, only a recommendation to use reverse domain name notation to prevent conflicts.
I will second this "security as a tax is well worth it" mindset, I'm a programmer, and like to think I'm security savvy, but I CANNOT babysit my non-tech-savvy wife 24/7 and having her on iphone / macbook is a weight off my shoulders as far as appstore security, as married assets are shared assets and the "weakest link" plays in the security arena...
No matter how much you learn, you will still never know what you don’t know. A zero day is by definition something you don’t know and therefore we recognize that there is some futility in trying to defend against everything that ever was and all that ever will be
There's a decent case for using anomaly detection in an attempt to solve some zero day attacks. The idea of not knowing what you don't know, can be used in such scenarios. I 'know' what looks right, and I won't allow for anything that doesn't look right. That doesn't solve all problems, but can certainly cut down on a large amount of them.
What I did see a lot of though in a lot of the case studies/readings/etc, was seemingly anytime advancements were made in one area, closing off particular patterns or styles of exploitation. The energy and resources often would switch to another domain, and there's a mad scramble to solve it.
> I 'know' what looks right, and I won't allow for anything that doesn't look right.
The way I view it, it's sort of like when a player glitches themselves outside of the boundaries of the level in a video game and is able to bypass all the battles the game has in store for them and walk directly to the objective. Anomaly detection only works if they are playing inside the realm of the system, but if something manages to break out of the sandbox then detection can be bypassed because it was never a condition thought possible and therefore not checked for.
For example, you can have code to detect abnormal HTTP requests, but if there is a vulnerability in a webserver's memory management of reading bytes from a socket then it allows the attacker to "break out" of the system before you can detect it. Now you might be saying well we can detect when they breach memory, but it just creates another cat and mouse game at a different level. This all assumes there are no bugs in the anomaly detection systems themselves.
That's a key part of the security landscape that many techie users just don't seem to get. Maybe you'd like to be able to run your own code natively without jumping through a bunch of hoops, and distribute code you wrote without it having to be blessed by some megacorp that might not care too much about you. And maybe you're doing nothing but good and useful things when you use those abilities.
But there are a ton of bad actors out there who will also use those abilities to scam and steal. You can stereotype it as only clueless users falling for that, and there's even a little truth to it, but 1. Some are quite good and nobody is perfect, you can still get scammed yourself, and 2. It seems not cool to just write off everybody who isn't a tech expert, throw them to the wolves, blame them for falling for any scams.
Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?
Well they don't, but browsers do spend an inordinate amount of effort trying to make sure that bad websites can't do anything other than show you things. I'm pretty sure that all of the browser vendors will pay 5-6 figure sums for any exploit chains that would allow a website to do things like read files without permission or execute code on the OS. And people regularly complain about the ever-tightening restrictions on what websites are allowed to do.
What a false dichotomy. I don't see a problem with the way Microsoft handles it, allowing you to run unsigned apps but only after clear warnings about the consequences and a moderately obscured install button. People ignoring these warnings without understanding them are not being thrown to the wolves, they're consciously deciding to do something they know to be dangerous. Apple's upcoming blocking of anything they don't approve of on macs is not an okay solution to this.
Google could up its Play Store review process + not installing from outside the store would result in the exact same security advantages you're talking about, while still letting you install from third party sources if you're a power user.
Yes, but it's not because Android allows sideloading that the Google Play store is poor quality. Apple could allow sideloading and still have a better quality app store.
This doesn't preclude there being competing app-stores on the platform, though. I'm glad Apple's is the way it is (overall). And if alternatives popped up I would probably mostly stick with the first-party one. But having an alternate channel means you can circumvent Apple's review process when they're being especially unreasonable, and the competition would probably force them to improve their own offering as well. Everybody wins (except maybe Apple).
It's not necessary nor useful to create a false dichotomy. The safety of the AppStore may be a reason to have a strict review policy, but it should not become an excuse to abuse of that policy. The price tag of safety is certainly some amount of freedom, but it's worrisome that people are learning to accept this without also distinguishing when this relationship is being usurped for other means.
If something simply doesn’t exist, how reasonable is it to assume that it could exist? How am I supposed to differentiate the statement that something could exist from fairytales?
Not being an Android user and not being familiar with the Play Store I might have glanced over "Develop App" having internally misread it as "Developer App" and thinking it was a category, not the developer's name.
> I might have glanced over "Develop App" having internally misread it as "Developer App"
I bet many thousands of people on HN would have done the same thing.
I think it's an issue with reading comprehension. In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered. People read a headline and think it means something other than what it says. Flamewars erupt online over something that nobody actually wrote, but someone thinks they saw.
It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
Or, if I can put on my old man hat, maybe it's just that people aren't as good at reading as they think, and that if people looked at a book half as often as they look at their telephones, they might get some good reading practice.
It is also the case that people aren't as good at writing as they think. I've seen people write pages and pages of text to say a few simple things, fail to separate the important from the unimportant, etc., and then wonder why others don't take 15 minutes out of their busy day to read the incessant, flavorless text until they find the actual point.
A good way to write text where you're going to ask people for stuff is to write it in a top-down manner, where first of all you mention "I want X", then you quickly summarize what exactly you want and why, and then write a more detailed paragraph on the various nuances, always making sure to cut everything down to its absolute essentials.
I really like that style. It's related to the Inverted Pyramid style in journalism, meaning others have thought a lot about how to get important information up to the front of a piece of writing.
I learned about this in journalism class in high school over 20 years ago and it's still one of the most valuable lessons I remember from high school. As someone with ADHD, I really appreciate when people follow this style.
Blog articles, especially on Medium, are really bad about this. I've clicked on headlines about an interesting topic only to find the article not even mention the topic from the headline until 2/3 of the way into the article.
> I've seen people write pages and pages of text to say a few simple things
Heh...reminds me of a couple anecdotes from my days in school.
Sometimes as we were being handed back tests/quizzes that had some questions that required a couple sentences to answer, there'd be times where I did exactly that. I wrote only a couple sentences. Meanwhile, I glance at the person next to me to discover that they had written two entire paragraphs. I got marked as having a correct answer with only two sentences, so what the hell were they writing about?
Then I had a teacher who, before the final exam, said that every question is able to be answered in four sentences or less. If you write several paragraphs, you would lose points for wasting his time, even if your answer was correct.
> In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered.
OMG, this happens to me all the time, and I don't even use email as a primary communication mechanism. It's so frustrating. I think the case is that people are reading and responding to emails on the go on their phone and so don't have/take the time to write a full response.
In the "old days" it was appropriate to answer emails by leaving a partial quote in place and responding below that for each answer. Something changed (I blame Outlook) and now that never happens.
> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
I think it is the former. I'm perfectly capable of reading a poem or code word-for-word, but as soon as I'm in my browser something "clicks" and I'm just skimming text. It is usually completely subconscious, but while reading your comment for example, I realized I was only reading half of each sentence.
> I send people e-mails asking two questions, and only get the first one answered.
This has been bugging me for at least 10 years, and also extends to IM. If it's IM, I ask one at a time.
If it's email, I either have to ask one at a time, form the two questions into one, or turn it into a sandwich - question 1, question 2, rephrase question 1.
What I really want to do is grab them by the shoulders and shake them, shouting "You saw the second question - yes?!?!"
> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
One aspect is that it's a parasitic efficiency increase. The 80/20 rule applies here; you can answer 80% of the emails by skimming. If you just don't handle, or poorly handle, the 20% of the emails that take 80% of the time, you get a bunch of time back.
I also think that the overload comes from notifications, not general information. We get a crazy number of notifications from our personal devices (and many/most people check them), and during the work day that's compounded with all the systems at work that send notifications. I think that we've subconsciously taught people to work between the notifications. It can feel like if you don't respond to them in real time then you might end up with an insurmountable backlog of notifications to handle, so people have acclimated to handling them in real time. Each time someone responds to an IM, a mental timer starts, counting down how long it is until it thinks the next notification might come. Or, conversely, you're in a notification lull, and you start thinking this is your only time to get anything done towards the sprint, so you smash out fast responses to the notifications you do get, trying not to break your train of thought.
Others may have different experiences, but I get notifications from so many systems and people that it can be overwhelming. And the tools we are offered to manage it suck. Slack's notification settings are better than what I had before with Lync, but they're still lackluster. Email has the best filtering record so far, but it is also by far the most abused by tools.
Some things I would love to see in a chat system:
* Chat and notification filters based on whether the user is a bot or not
* A sane "handle this later" queue or some kind of integration with a task manager to let me click to create a ticket
* A way to communicate busy-ness through my status. Either a level I can manually set, or a system that can guesstimate it (i.e. "curryst has 8 active private chats right now") so we can all gauge whether what we need is that important right now
* Customizable options to batch notifications. I would love it if I could have Slack batch my notifications and just send me one notification per minute that says "3 new messages"
My holy grail is if they would let me write my own functions to determine whether to notify for an event, batch it into the next batched notification, or to not alert at all. Most of these desktop clients are in Electron anyways, just let me pass it a path to a JavaScript file that exports functions to filter notifications.
Being an Android user, I looked for the developer's name, saw "Develop App" and thought it was a category and I was just mistaken about where on the page the developer's name was supposed to be. This was all instinctive, I didn't sit down to think about it, though.
It doesn't help that the developer name and category have the exact same visual style, I guess.
I wasn't trying to excoriate you for your mistake, so I apologize if that's how it comes across.
I did try to modulate the harshness of "Come on, dude" with the rest of my comment. Like I said, sometimes we let our guard down. So it's understandable if you got fooled.
In hindsight there are more red flags in just that screenshot ("More by Develop App", obviously fake reviews to point out just two), but God knows I've clicked through installs for shit apps on iOS many times.
I still can't believe myself I fell for this, as said I have 2FA on all accounts and I'm normally very cautious. I guess it's a combination of all the factors here at play: Facebook allowing a fake TikTok Ads advertiser, the ad looking very legit (referring to an existing ad credit program), Google allowing a fake TikTok Ads app with fake reviews, and not getting any notifications until the amount was charged from my PayPal account.
FWIW, given the surrounding context, I interpreted "Come on, dude" as an exhortation for the author to cut themselves some slack. I agree that 100% correct 100% of the time is an exhausting bar to maintain, and one that we should be working very hard to ease.
I think it's worth pointing out that the difficulty / impossibility of achieving that bar (at least in the general case) is one of, if not the central tenet of Christianity, ostensibly the dominant religion of the West for something like 1500 years. Regardless of one's metaphysical beliefs, it's worth remembering that arguments for the necessity of grace and slack in positive interactions have a long historical precedent, and I find we ignore them at our peril.
I didn't notice it the first time I looked either :-(
Bad spelling and grammar used to be a great indicator of something being amiss, but the volume of it in legit business these days has made me so desensitized that I didn't even blink at this one.
The gmail address as a red flag yes, but the package name? Nah.
Given that a lot of companies outsource app development to third-party companies that in many cases mostly reskin and extend an existing app that they sell to many clients, a package name that could be from a development shop likely wouldn't cause concern.
Sure, TikTok has a significant in-house development staff, but they're focused on the backend and client apps, and Sales and Marketing may not have much access to them. It may be much easier for those departments to fully outsource that development to a vertical-market vendor, particularly if it's SaaS and the resulting app(s) aren't integrating with internal systems except via downloaded CSV files.
I believe they are saying they didn't NOTICE the "developgameonline@gmail.com developer email and com.acazira.tforbusiness package"; if they had, that would have raised alarm bells. I don't think these are visible on the page without clicking. "the developer name 'Develop App'" is visible, although I don't know how many pay attention to it. They are retrospectively thinking they probably should have thought that wasn't right, and motivated them to look further.
It's the problem of Facebook and PayPal that they have inadequate protections and blame the users for that.
I think the issue is of allowing a payment to go through without triggering any security checks.
Probably some basic checks should also be done on whether a company publishing an app actually exists.
I wouldn't blame PayPal as much, this is on Facebook in my opinion. Recurring payments are a good thing, we don't want constant re-authorization when the relationship has been established.
Facebook on the other hand should have handled it differently. I don't know how their permission screen for app authorization looks, but I guess it should have a huge red warning sign if it includes a permission to allow the app to spend your money.
The problem is that people are now trained to click popup windows without reading the contents, just to make them go away thanks to brilliant GDPR and cookie law. I am not sure if a huge red warning sign would have helped. People are blind to these things.
> I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?
Maybe this is too risky to do on the Apple App Store because you need to /pay/ for an account to publish on the app store, which means you more or less need to verify yourself. Doing something like this would make it too easy to lead back to you and get in trouble?
> It's exhausting having to constantly second-guess every application you want to run.
Maybe try to have a sip of coffee before jumping for that $3000. Let's not pretend that this is just ToS fatigue. The only reason they installed this app is for the free money.
So yes, maybe if someone is offering you thousands of dollars, you should consider that to be the time to second-guess what's happening.
I don't know; looking at the other parts, the app looks legit. However, TikTok asking for Facebook login? That is where I would stop and think for a little bit.
"Sign up for TikTok", "Continue with Facebook". It's literally the first screen you see from the official app, so it's not unbelievable. Social sign in is pervasive.
The payment is authorized by the author (i.e. his PP account wasn't stolen), the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and sent some physical items to the scammer, can you ask the post office to take it back?)
I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return"). I'm more than glad that PayPal took my stance instead of giving them chargeback, since they're likely trying to scam me.
> I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return").
This shit is why I don't sell on eBay anymore.
I have a friend who sells stuff on eBay a lot (or at least, used to), and he says about 5% of his sales go to scammers who will request refunds claiming they never received an item.
Of course, now that I think more on it, I wonder how many of those 5% were scammers versus how many of them simply had their package stolen from their front door.
Doesn't matter. About 5 years ago I sold a thing on Amazon, shipped it, and the buyer claimed the box was empty. I had photos of the item, the box, and the shipping confirmation came through Amazon's own systems. I even had messages from the buyer about the item. Amazon refunded the buyer his $250 and charged me $250. That was the last thing I ever sold on Amazon, and I also didn't buy anything on the site again until this year.
This shit is why when I had a medium-ticket item (Starcraft II Collector's Edition, sold for ~$300 at the time), I used the Fulfilled by Amazon feature. It cost me more, but I believed that having Amazon know before it shipped out that it was a sealed box, I'd be much less likely to get scammed.
If the author had paid with a credit card, he could have gotten a refund, and it would be the responsibility of the credit card issuer to track down the merchant and get a refund.
And if he had paid with a debit card or wire transfer, he would be even more out of luck than with PayPal.
Why would we (I'm genuinely asking here) consider PayPal more similar to CC than the others? My point being, it could be (closer to) either, and both make sense to me. PP doesn't necessarily need to operate like CC.
After all, CC as a service charges much more with processing fees from merchants and sometimes annual fees from the customers. It's meant to provide a "better/premium" service.
> The payment is authorized by the author (i.e. his PP account wasn't stolen), the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and sent some physical items to the scammer, can you ask the post office to take it back?)
PayPal does have a 6 month purchase protection policy in many cases. So... maybe, if you manage to argue that this was a purchase that you're entitled to protection for. But that's a different channel and probably a different physical department at the company.
I thought PayPal had a reputation for pro-actively blocking payments for really bad reasons, and now they won't block payment when it's a clear case of fraud?
I think a big reason is that the alternatives are worse across some dimensions. Credit cards are especially bad, since they are trivial to steal (and it's at best painful to address fraud, and at worst you can lose a lot of money). So, basically PayPal hides your credit card. But, as the OP noted, other things now count as your credit card! In his case, his Facebook account connected to PayPal connected to his bank was, effectively, a credit card that got stolen.
And sadly there are people (on this thread) who still blame the OP. Of course the payment wasn't authorized, and the OP is very articulate about what happened. At the end of the day, money middle-men are very effective at pointing fingers at one-another, the effect being that the user will throw up their hands and give up. (This happened to me once and cost me about $15k, and I was unable to recover any of it). But what makes it even worse is how conditioned we all are to accepting blame for what is, ultimately, an authentication mistake made by the financial institution(s).
PayPal makes it two or three clicks to unsub from any recurring payment. No dark patterns or "call us" required. I use it whenever I can for subscription services.
I'm talking about payments to third parties. When you use PayPal to subscribe to a service you can easily unsubscribe where sometimes services make it difficult to do so otherwise.
For example the New York Times forces you to call and speak to a retention specialist if you want to cancel and you paid by credit card. With PayPal it's 3 clicks.
Because 95% of the time there's no problem, but if there is one, PayPal is just going to give you the middle finger in most cases and say "not our problem".
Oddly, I have actually been told in the past by PayPal to file a $1500 dispute with my credit card company (AmEx in my case) because for whatever reason they couldn't handle it internally. Didn't get banned.
Nope, still use them for a handful of things (for convenience.) The charge-backs were of significant size too ($300-$500.) This was around 2012-2013 for one and around 2015 for the other.
Anecdata here as well. I've had two times where I had to contest a Paypal purchase. In both cases, Paypal took a reasonably short amount of time to rule in my favor. (Both however were for clear-cut cases of "online vendor took an order and didn't bother to ship anything at all nor reply to Paypal inquiries".)
I've never had a problem with a chargeback either because I'm honest, and if I made a stupid purchase then I sucked it up. But when I've been duped or someone swiped my number there was never a problem. It helps if you keep alerts on for anything above a certain amount; mine is $50 and I check my cards weekly for weird charges.
The amazing thing is that they are equally unpleasant to deal with as a merchant. You'd think they just favoured one side, but no, they screw both sides.
PayPal fraud protection is mostly about making sure PayPal isn't the one holding the bag in the end. Any actual prevention of fraud is secondary at best.
They have a recent change that is anti-merchant: when someone requests a refund they won't give back the transaction fee. The seller loses out on the sale and pays PayPal a transaction fee, the buyer gets their full money back and PayPal keeps the transaction fee. It used to be returned to the merchant.
A consumer can still file a chargeback through the financial institution (of the payment method used in the transaction) after PayPal declines the dispute. Hopefully, the author was charged on his credit card and not his PayPal balance. Debit cards and bank accounts are in a gray area for this case.
I was under the assumption that the VISA debit card offers me the same protections as the credit card but I think I was wrong...
> Are PayPal purchases covered? You are unlikely to be protected under debit card Chargeback schemes for items purchased using PayPal. In these cases the act of loading money onto your PayPal account counts as the debit card transaction so, unless the money fails to be credited, it won't be covered. PayPal runs its own purchase protection scheme which extends some cover to your purchases, but it is in house rather than regulated by law.
Consumer protections are based on your country's laws, but credit cards will generally have stronger protections than debit cards and bank accounts. In the US, the consumer's liability for unauthorized credit card use is capped at $50, while the liability for unauthorized debit card and bank account use is capped at $50 (2 days), capped at $500 (3-60 days), or is unlimited (61+ days) depending on when you report it. Most American financial institutions go beyond the law to promise $0 liability for unauthorized credit card use.
In the US, you don't have to pay the disputed portion of a credit card bill while the chargeback investigation is ongoing. Most financial institutions will issue a temporary credit to make this clear.
IIRC the institutions distributing debit cards (banks, credit unions, whatever the heck PayPal is, etc) will often 'voluntarily' give you effectively the same protections as for credit cards at their discretion because they want you to have and use those cards and the benefit they get through transaction fees, etc. outweighs the cost of the fraud that happens.
Details are likely spelled out in the multipage 5-pt text pamphlet that you received with a new debit card at some point.
Yes, I've seen debit cards that have $0 liability guarantees backed by the financial institution. Since this reflects well on the institution, it will typically advertise the guarantee somewhere prominent, such as a list of features.
In the US, debit cards command different processing fees for the card issuer depending on how the transaction is processed. Sometimes, when using a debit card in person, the checkout terminal will ask the customer to choose "credit" or "debit" for the transaction. Choosing "credit" instead of "debit" grants the card issuer a much larger processing fee. Some financial institutions only offer certain features (including liability guarantees or rewards) when the debit card is used to make a "credit" transaction. Almost all online debit card transactions are processed as "credit" (which does not require you to enter a PIN).
About the status of PayPal: it is licensed as a money transmitter but manages a network of bank subsidiaries and third-party bank accounts to profit from interest rate arbitrage and perform other activities that banks would do.
But how would that work in this case? The customer authorized PayPal to be used for Facebook ads, someone ran Facebook ads using their account. If I give my Amazon login credentials to someone and they order a bunch of expensive TVs to their house without my knowledge, can I get a chargeback?
Yes, in the US. If the person makes the transaction without your permission, it is considered fraud and is legitimate grounds for a chargeback, even if you provided them with the means to make the purchase (credit card information, account credentials, etc.) in the first place.
In the US, you may also want to file a fraud report to the FTC and to your local police department.
That's weird. As a merchant, I get requests for refunds and even if I provide all the details about the transaction (for me that would be a license key and proof the license key was used) they always side with the buyer.
Really, the only way to not get PayPal to approve a refund is to work with the customer and solve the problem so the customer cancels the refund request.
I think it's A) because it's Facebook, and B) because this type of scam is very prevalent, and no one wants to be stuck with the numerous bills for it.
Exactly this. In my recent experience PayPal is also absolutely inaccessible for a chargeback resolution. This was the reason I left booking.com, and now I am considering getting rid of PayPal. In my opinion no serious transaction should ever be done on either platform.
What issues did you have with Booking.com and what are good alternatives?
I absolutely loathe them for their high-pressure sales tactics (their site is full of dark patterns and booking there is outright stressful; it feels like you're trying to browse while a drill sergeant is constantly yelling into your ear "BOOK NOW YOU WORTHLESS SCUM, BOOK, BOOK, WHAT ARE YOU WAITING FOR YOU IMBECILE, CLICK IT, BOOK, NOW, NOW YOU MAGGOT") - however, unfortunately they often do have the best price (by far) or are the only place certain accommodations are available, and aside from the drill sergeant, their UX is absolutely perfect.
I've been burned far too often with sites that let you go through the entire flow only to tack on ridiculous fees for payment or simply fail to process your credit card.
American Express has never denied a chargeback I've initiated. When you say "many banks", of course don't bank with someone who is going to screw you, like Paypal or Wells Fargo (and Bank of America or JP Morgan Chase, to a lesser extent). This should be common (US centric) knowledge by now.
Agreed, but if your time has value, (if you can) structure your financial transactions in a way and with service providers that derisks you having to spend hours chasing down your own money when you shouldn't have to (or going through the motions and being told you're SOL). And never use Paypal!
I doubt many banks would refuse a charge-back considering this transaction obviously didn't use 3DSecure since it went through PayPal. You'd probably get your PayPal account shut down if it went through though.
If the money left your account because you did a thing, even if you did the thing because you were defrauded, a bunch of banks are going to decline to repay you.
> New protection for individuals tricked into transferring money to fraudsters has now taken effect - but not all banks are signed up to the scheme.
> Some 84,000 bank customers lost money - sometimes tens of thousands of pounds - last year after being caught out.
> Only a fraction of the amount lost was refunded by banks. Now a new code should mean more will be reimbursed.
> The refund will come from a central pot in cases when neither the bank nor the customer are to blame.
See especially this bit:
> Some of the more elaborate frauds see the con-artists using social media and other avenues such as data breaches to gather information about their victim, making it more likely that potential victims believe they are genuine.
> In all these cases, the individual authorises the payment. Banks have often refused to refund these frauds as a result.
The user has authorized PayPal to give money to Facebook. Facebook wasn't authorized by the user themselves to run the ad campaign, but PayPal is doing exactly what it should.
If I have a Visa card saved in the Starbucks app, and somebody uses my Starbucks app, I did not authorize Visa for that transaction. It would be no different than losing the card. If somebody picks up my card and swipes it, "Visa is doing exactly what it should" but also it wasn't an authorized transaction and should be reversed.
I'm not sure. When you give authorization for "all future payments to Starbucks until I tell you otherwise" (which is what you're doing with recurring payments being set up between FB and PP), you're authorizing that payment to Starbucks. You're not authorizing Starbucks to take whatever they want, but that's between you and them, not you and Visa. Visa just happens to be very accommodating and will often pressure the vendor.
Losing your card would have been similar to the OP's PayPal account being hacked.
In what world would PayPal be right? Facebook allowed a scammer to advertise on their platform, and then allowed the same scammer to steal 4k. Facebook is as much complicit in this crime as the criminal himself. PayPal was charged by Facebook. Facebook should not be entitled to the 4k and PayPal should take it back.
I came here to say this as well. PayPal is garbage and should never be used, at least as a consumer. There are much better options available. I have never had PayPal side with me in any dispute, no matter how one sided it was. I closed my account in 2014. Haven't missed it.
Back in 2004 or so, I logged into online banking and saw that where I had about $3000 the day before, I now had less than $100. Mortified, I looked and saw that there were a couple of PayPal transactions being processed. I didn't see anything in my email, and I logged into PayPal and didn't see anything on the summary screen, but when I looked at the full history, I saw two eBay purchases: one for a hacked PS2, one for a laptop. I was able to contact both sellers: the guy with the PS2 hadn't shipped his yet, and canceled. The laptop seller lamented that he had mailed it right away - to the Philippines. To this day, I don't know how this guy in the Philippines accessed my PayPal account - I did manage to reach out to him, but he expected me to pay him to give up his secrets, and I'm not playing that game.
Anyhow, I called my bank and explained to them that these were fraudulent transactions, and thank goodness you have them on hold but haven't processed them, because my rent is coming up and could you please release the money.
The bank refused. I'd been a member of the same institution for probably a dozen years, had a car loan out through them, was on track to get a mortgage through them in a few years, and they told me that even though I had caught it that very morning, about as soon as I could possibly have caught it, that there was nothing they could do.
Paypal, on the other hand, asked me to sign an affidavit, and a couple of weeks later, fully refunded my account.
I've held Paypal above banks ever since. In retrospect, eBay had acquired Paypal only two years prior, and this transaction happening on eBay probably garnered additional scrutiny at the time. However, nearly every time I read about someone's Paypal account getting locked out, it turns out they weren't paying attention to the Terms of Service - which are, without a doubt, designed to minimize fraudulent use of Paypal as a payment provider. It's why you can't do pre-sales on Paypal - it leaves them open to liability.
For better or for worse, the overwhelming narrative becomes "Paypal sucks", but as you start to look at the big boy payment providers, you'll discover that Paypal is often more permissive by comparison, with rates that are comparable to or better than the big boys when you're running with such small transactional values. And if you end up going to some upstart that will let you do things Paypal won't, that party's only going to last as long as those providers don't get stung by regulatory fees or plain old fraud.
While it's nice to hear a good story, PayPal is not a bank and a PayPal account lacks the consumer protections that bank accounts in many countries (including the US) receive by law. PayPal takes advantage of this lack of consumer protection to freeze accounts and hold funds for up to 180 days on grounds that aren't necessarily reasonable or disclosed.
Financial institutions do not have this kind of control over bank accounts. All bank accounts inherit a level of trustworthiness from consumer protection laws that only apply to bank accounts. PayPal does not.
When PayPal freezes/limits an account in a way that a bank account could not legally be subject to, the problem is not the account holder, but PayPal itself.
I wonder what would happen if the author shows this article to PayPal (if not done already), showing that also Facebook confirmed the scam and Google taking down the app.
> The scammer used my Facebook auth token to remove me from the Facebook Business entity. Strangely enough this is possible without getting any emails from Facebook. I had no way to check my Business entity or Ad account on Facebook to see what's going on.
This is an error on the Facebook side. Actions like this should never be possible without appropriate confirmation or re-requesting the password for 2FA confirmation.
* Employee starts a Facebook business page using their personal Facebook account.
* They add their boss to it.
* Employee is fired.
* Boss removes employee from Facebook business page.
edit: Should still send a notification email but I'm guessing angry "why did you remove me from X" reactions are why they don't. Not good but there's a logic behind it.
Sure, but then [employee]'s payment methods should be removed along with them. If they were using the company / boss's card or PayPal, then surely the company / boss should be able to add it back again without too much undue trouble.
Sure although I'd guess having all your advertising campaigns paused (as there's no billing info anymore) would annoy many people especially if they didn't notice or weren't aware it happened. It may in aggregate be cheaper for Facebook to just eat the cost of refunding these things versus providing more friction to their users.
The additional confirmation is not from the user being removed, it's from the user doing the removal. In this example the API/oauth was enough to do this. There really should be an additional confirmation certain times. Like how Google sometimes requires you to put in your password/2fa again, despite previously authenticating or saying something like "don't ask me again".
I presume the scammer added a new account, made it an admin and then used that to take over. So it's not the removal that's the issue but adding a new admin on the account. Of course if you allow this type of activity through oauth I don't think there's a good way to re-authenticate.
I think the trick here was to prompt the user with a fake oauth screen. Many legit apps show the oauth screen using a web frame inside that app. It is absolutely stupid that it is still a common occurrence.
If you need to enter your credentials when using sign-in-using-xxx, be VERY cautious. Even if you have 2FA enabled, the fake oauth screen can just ask you for the 2FA code. You have no way of knowing whether the login page is keylogged or hijacked.
This was pretty much an exact question I had about OAuth 10 months ago:
Something I still don't understand about the OAuth flow is how it's _not_ training users to be more easily phished for actual usernames and passwords. The very first step is "If you are not logged into the third-party, display a login-form from the third-party."
The thing is, you never really know off-hand if you're logged into the third-party (provider) or not without opening a second tab and going directly to the third-party's site, since you're always getting logged out after various timeouts, cookie-clearing, browser-closing, and computer-restarting events.
What prevents an OAuth client application from displaying an OAuth process that shows a fake login form, which looks identical to the provider's login form, to get the user to enter their provider username and password before they realize the URL is off? It seems like it trains users that it's normal for websites to launch a Gmail login form and this is perfectly safe.
I think you're right. Users are being trained to enter their passwords and 2FA tokens everywhere with the false promise that 2FA makes it secure. Even U2F using a signed challenge seems iffy to me.
This [1] says "In fact, the spec requires that browsers only expose the API in secure contexts", so if that's correct it's better, but still not good enough.
This [2] looks like it does U2F by grabbing the challenges via browser plugin and relaying them to a phone app for signing.
Trusting the browser to "expose the API in secure contexts" seems like a failure because it's assuming nothing else can collect the credentials or send a challenge to a security key. Is that true? Could I write an app that would phish a user into signing a challenge with their security key?
> Could I write an app that would phish a user into signing a challenge with their security key?
What sort of app? A full-blown Windows/ OS X/ Linux desktop application? Yes.
You definitely should not install software that asks you to interact with your FIDO authenticator in this way unless you really trust it. I trust the Operating System vendor installed OpenSSH packages, I would not trust some random github project.
The two big phone ecosystems won't let you talk directly to a third party authenticator or to their built-in platform authenticator. The authenticator talks to them, and they talk to you. So while it would be possible to make a Windows EXE program that says "Touch authenticator to stroke your 3D pet" or whatever and actually steals your Facebook login credential this way, it should not be possible to put something on Google Play or Apple's iPhone store that does the same thing.
Edited to add: For Android at least there is a concept of "Privileged" apps that get to do stuff that is otherwise impossible to ask a user for permission to do. The ability to fill out WebAuthn-style rpId values (for WebAuthn these are Internet FQDNs) is locked behind such a privilege. So, Chrome has privilege, release builds of Firefox have privilege, and so on, but yet another fly-by-night app developer who uploads Flappy Bird clones to the Play Store can't use this feature.
Without this privilege when you talk to the authenticator (either a platform authenticator or a 3rd party one) the OS will insist on picking an rpId with a platform specific prefix. So e.g. maybe your app can ask for rpId android-584fac03:google.com but there's no way (without privilege) to get just google.com, which is a problem because that's the value you'd need in order to get working Google credentials.
If you want your app to talk to your own web site, you can build a bunch of extra goops (in Android at least) to enable that, but part of what will happen is your web site's backend code needs to explicitly go "OK, I should allow android-584fac03:my-private-app even though that's nowhere close to my actual FQDN" so that seems safe enough.
I'd guess it's a fake oauth screen as well. I coded one of the first (I think) Tinder auto likers for Android back in 2013, and the only way I could do it was get the real facebook username and password and log into Tinder on the phone in the background. I just put up a fake Oauth HTML page in a webview and saved the login, with a disclaimer of course, but nearly everybody ignored it. I was surprised how easy it all was.
Is it? Couldn't the backend (or even a human attacker) just type the credentials you provide into the real login page, giving you the "tap yes" push notification just the same?
Come to think of it, you're right. I was mentally combining that 2FA method with “new device attempted login” detection, but the latter is usually separate from 2FA. If a login system uses that and provides notice and requires confirmation through a side channel, rather than merely providing informational notice, it will stop (or at least, make it easier to stop; a second user mistake or preexisting side-channel compromise is still possible) the attack. If it's just notice, it may limit the impact or streamline recovery from the attack.
But now that I think about it, it would make sense to combine new device notification with push-notice 2FA for exactly that reason, since you've got a push channel that takes a confirmation already, flag unexpected devices in that channel as well and it becomes much more secure.
Yup. Notice that this can't work on WebAuthn (or its predecessor U2F), which is why everything should do WebAuthn and you should ignore attempts to downgrade you to any other method.
An attacker can play the legitimate WebAuthn request from the real site, which will (statistically certain) be nonsense if played by their phishing site.
Or they make their own request, which doesn't help them because it's not valid on the real site they want to sign into so it's pointless.
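As an added illustration of the two comments above (the rpId/privilege discussion and the point that a relayed WebAuthn request is useless to a phishing site), here is the relying-party side of the check, written for this thread rather than taken from the article or from any vendor's code. It performs the binding checks a server does on an assertion: the challenge must be the one it issued, the origin field (written by the browser, not the page) must be the real site, and the first 32 bytes of authenticatorData must equal SHA-256 of the expected rpId. The domains, challenges and authenticator output below are constructed stand-ins; checking the signature over the returned message with the credential's public key is the remaining step and is not shown.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AssertionRejected(Exception):
    """Raised when an assertion fails one of the relying-party binding checks."""


def verify_assertion_binding(rp_id: str, expected_origin: str, expected_challenge: bytes,
                             client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """Checks that tie a WebAuthn assertion to the site that asked for it.

    Returns the message the authenticator signed, authenticatorData || SHA-256(clientDataJSON).
    Verifying the signature over it with the stored public key is the caller's job.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("wrong ceremony type")
    # Challenge: an assertion made for a challenge the attacker chose is useless on the real site.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise AssertionRejected("challenge mismatch")
    # Origin: the browser fills this in, so a phishing page cannot claim to be the relying party.
    if client_data.get("origin") != expected_origin:
        raise AssertionRejected("origin mismatch: signed for %s" % client_data.get("origin"))
    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticatorData truncated")
    # rpIdHash: only privileged clients (the browser) may ask the authenticator for an arbitrary rpId.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        raise AssertionRejected("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        raise AssertionRejected("user presence not asserted")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def _authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x01) -> bytes:
    # Constructed stand-in for what an authenticator emits: rpIdHash || flags || signCount.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def _client_data(challenge: bytes, origin: str) -> bytes:
    # Constructed stand-in for the browser's clientDataJSON.
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def attempt(rp_id, expected_origin, expected_challenge, client_data_json, authenticator_data) -> dict:
    try:
        signed = verify_assertion_binding(rp_id, expected_origin, expected_challenge,
                                          client_data_json, authenticator_data)
        return {"ok": True, "signed_len": len(signed)}
    except AssertionRejected as exc:
        return {"ok": False, "reason": str(exc)}


def demo() -> dict:
    rp_id, origin = "facebook.com", "https://www.facebook.com"          # assumed real site
    phish_host, phish_origin = "facebook-login.example", "https://facebook-login.example"  # constructed
    challenge = hashlib.sha256(b"constructed server challenge").digest()  # a real RP uses os.urandom(32)

    # 1. Honest login on the real origin.
    legit = attempt(rp_id, origin, challenge, _client_data(challenge, origin), _authenticator_data(rp_id))
    # 2. Attacker relays the real site's challenge to the victim on the phishing page.
    relayed = attempt(rp_id, origin, challenge, _client_data(challenge, phish_origin),
                      _authenticator_data(phish_host))
    # 3. Attacker makes up a challenge of their own.
    own = hashlib.sha256(b"attacker's own challenge").digest()
    attacker_challenge = attempt(rp_id, origin, challenge, _client_data(own, phish_origin),
                                 _authenticator_data(phish_host))
    return {"legit": legit, "relayed": relayed, "attacker_challenge": attacker_challenge}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the first attempt yields a message worth passing to the signature check; the relayed assertion dies on the origin field and the attacker's own challenge never matches the one the server is waiting for.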
In this case the application shows real Facebook in a webview and after the user logged in, the application retrieved the session cookie from the webview. How would WebAuthn behave here?
And even if you find a correct oauth address, you still run the risk of whether you understand what permissions you give and whether Facebook implements them correctly.
Your mistake is using "Log in with Facebook" on a mobile device.
Since neither iOS nor Android have any kind of trusted UI, there is no way you can be sure if you are logging into Facebook on an app, or just giving that app your credentials for them to do as they please.
Until iOS or Android get trusted UI for these usecases, I suggest using browsers on Windows/Mac/Linux where you can see in the address bar which company you are giving credentials to, and it can't as easily be faked.
If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.
> If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.
I might be wrong about this as I've not used Facebook for many years now, but doesn't Facebook require a phone number for new accounts nowadays, and requires you to use your real name as well?
It's actually even nastier than that. If you fail their automated checks for fake accounts, they'll lock your account and require you to submit a photo of your face and ID card.
No I have an older relative who creates a new account every other week for whatever reason.
Think of how many accounts are created for games reasons. Some games require friends taking action to progress. Some allow friends to send prizes like lives/money/resource.
> No I have an older relative who creates a new account every other week for whatever reason.
Could be like my grandma who would occasionally manually log out of the app, but then the next time she loaded the app, rather than actually logging in again, she'd create a new account because that's what she did the first time she loaded the app and thought she had to do that every time.
I don't feel comfortable tying any two logins together for any site, regardless of mobile vs. desktop. Choosing to log into any site using facebook, google, etc. is setting up for trouble. I much prefer a strong password manager and separate logins for everything.
It's possible to do "trusted UI" on iOS/Android by opening a browser window that shows you're actually logging into facebook-dot-com. That still wouldn't prevent these scams from working because users don't necessarily know how to tell the difference between "trusted UI" and "scam UI".
If you open a browser window, there is going to be some things that can't be faked 100% accurately, e.g. on iOS there will be a link back to the app at the top left, there is going to be an animation, and so on.
It could be faked 95% accurately, but that's moot, because like I said, the user hasn't necessarily learned what "trusted UI" is in the first place.
While you are absolutely right, I want to highlight that this was done in a quite sophisticated way. It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.
If your app has a webview in it, on both iOS and Android, you have full access to run script inside that webview and take/set cookies for any domain. You can easily take the auth cookie.
Some Google auth cookies can only be used on the same tls session that created them[1]. That means the TLS session resumption information (which can be tied to hardware platform features like the TPM) is required to make use of a stolen auth cookie. Unfortunately while that approach has big security benefits, it's pretty anti-user-privacy.
iOS has trusted UI via "double-tap-side-hardware-power-button". So it's a trusted trigger, and a presumably native UI.
I've been very impressed by eBay/PayPal providing "very good" almost native-feeling payment integration (swipe-to-pay, UI coming up from the bottom of the screen), so it may not last forever, but interesting to hear of the depth of scamming possible on phone UI's (and probably desktop UI's too).
1) Google Playstore allowing someone to infringe on the TikTok brand.
2) The app getting 10k+ fake reviews. At this point can you trust the review system if it can be so easily manipulated?
3) "Strangely enough this is possible without getting any emails from Facebook." Facebook security is weak here. You shouldn't be able to change ownership without explicit 2fa verification. oauth tokens can be easily phished. password + 2fa device is much much harder.
In general the trend I see is that Facebook and Google are driven to making ad purchasing as frictionless as possible. Having scammers, click-farms, fake reviews on their platform is good for them, it helps them make more money. They'll happily tradeoff human oversight/support and security for automated algorithms that optimize $$$ growth.
Apple AppStore is polarizing. Some feel it has too much control, but on the other hand I find a lot less scammy apps in Apple AppStore than Google Playstore.
I lost $2k in a Facebook scam that I'm really not proud of. A company spoofed BitMain's FB page and ran ads for their newest AntMiner models saying they had a batch that was ready to ship in limited supply. The BitMain FB account looked legit. The website itself obviously had an SSL cert (and was a pixel for pixel clone of their real site, except the product was in stock), but what I didn't notice was the microscopically small presence of a dot over one of the characters. It was an IDN homograph attack, and looking at the website and not noticing the unicode character, everything else looked right.
The fact that they took BTC as payment didn't raise any red flags either, because, you know, BitMain does.
I'm mostly infuriated at Facebook for not validating the company name or doing anything resembling protecting their audience. I lent them too much credibility because it looked like they were ads from the real company's page, and so I let down my guard elsewhere.
I've never otherwise been hacked or scammed, and I know allllll of the basics to look out for, but this one still infuriates me for making a fool of myself.
Every now and then I catch myself not doing this but by and large I always type out URLs for ads/emailed links by hand. It takes out a lot of the attack surface for me, and it looks like in this case it would have worked.
I wouldn't bet on proofreading even if the address was all ascii. It's inherently unsafe to click a random link, think you ended up in the right place and start doing all sorts of things.
Not blaming you at all, but a good tip is to look at the number of “likes” a page has and see if it sounds reasonable. Definitely not foolproof though.
Oh absolutely. I admit it’s not foolproof, but if a page named “Amazon” only had 100,000 likes, I’d be a bit suspicious. For comparison, the actual Amazon FB page has 19 million likes IIRC.
I have been scammed only once by a company so far. It was oyo (another gem run by softbank). They sold all my information, made me pay twice and left me with such poor service. A few of their actual employees were the scammers along with the hotel manager (likely) so I wasn't suspicious... because ya know, you are supposed to trust official communication portals.
It opened my eyes to how far a scam can go. A billion dollar valuation or millions of likes says nothing.
I filed a complaint but have yet to follow up due to covid. It was a visit due to medical reasons so we didn't focus too much on it.
Facebook ads seem to be an ocean of scams. If I click the comments of half the ads I see there's nothing but complaints about products not shipping, fake closeout sales, cloning another store and then not shipping, etc, etc. I'm guessing they delete the bad comments so you can only imagine how many people must be upset to not be able to handle the flood of bad comments. At this point I just assume any Facebook ad is a scam of some kind.
Perhaps a 'truth in forums' regulation should require all comments to be accessible, with the reason for their removal from standard view being indicated? That way removal of all negative comments could be monitored and consumers would have sufficient information to moderate their trust in companies advertising.
I reported one of the 'miracle showerheads' to UK Trading Standards [it was possibly ASA?] as it clearly gave false (physically impossible) claims. I was seeing lots of their ads on FB and people were clearly falling for it.
They reported back that it was a foreign company and so they couldn't do anything. Which is weird because they're allowed to advertise to me, so they should have to follow the rules. Also, they had a UK Trademark, which seems a major flaw - protect the trade of scammers but don't hold them to account.
Which is why I assume everything is a scam since the ones I notice from comments are simply the ones that they either didn't bother to delete comments on or had too many negative comments to delete.
Most ads I see these days on Instagram are scams. They usually lead to sites that have been built with a quick template and always offer 50-80% discount on little things I want, for example lamps.
They all offer PayPal so I took the bait once. The scam was clever: they ship something that isn’t what you ordered. Like a jump rope for $1 instead of the $30 lamp (discounted from $200) or drone. To get a 60% refund, you have to send it back on your own cost.
Now it gets more tricky: the parcel might not even be delivered to your address. Mine never arrived but got delivered to a zip code close to mine, but not mine. There are lots of reports of people that receive things without ordering anything and people who never get their stuff. There is also no guarantee what you ship back arrives back at them. If it doesn’t, the company doesn’t refund anything.
I quickly realized this is an obvious scam and asked them to cancel, and opened a PayPal claim before anything got shipped. The company said they are processing my refund and it will take 3 days for my money to be back (which is not how PayPal works). Guess what? In the 3 days, they just shipped something which threw the PayPal claim off because now they have to wait until the shipment arrived and gets sent back (info from PayPal cs).
It’s been over a month and I am still trying to get my money from PayPal back. It’s difficult because I haven’t received anything but the shipping number says it arrived. The site no longer exists and the email I previously used to reach out is gone too.
It’s crazy to me that PayPal enables all of these scammers. They clearly know how to play PayPal to get around the buyer protection.
These days I can’t trust any ads because of this unless I do a lot of research on the site. It’s very likely all scam. I saw similar sites on google shopping (the price comparison product), so it’s not just Facebook.
I've had a similar experience- something sold for a deep discount (MIDI controller), received something else entirely (cheap bluetooth speaker), and was told to keep it instead of sending it back and sell it to recoup my costs while they refund 15%. I recognized it as a scam at that point and saw that the email I paid to was different than their support, and when I replied asking for 100% it was yet another email.
Luckily for me, taking it up with PayPal got me my 100% refund, but I was nervous while they went through the motions of asking the seller to settle up with me, which I had to approve or reject, and then PayPal would review further. Screenshots of everything, showing the weird random email addresses, and the fact that their website didn't exist anymore landed in my favor.
I am confident that I will get my money back too, it will just take some time. PayPal even called me on my phone to ask details about the case, so it's definitely in progress.
It's hard to believe that this seller is able to play PayPal like this though. There must be dozens upon dozens of claims against the same vendor at this point.
It seems odd that the Facebook authentication token would allow that kind of access - admin on the business pages - by default. Were you asked for particular permissions? Or did they fake the Facebook login completely?
I'm assuming the app impersonated a real login with Facebook prompt. When I use a real Facebook login in another app, it tells me which permission I want to grant to another site, and lets me edit them.
But I wouldn't think twice if I was asked to enter my credentials (which happens if you don't have the Facebook app installed) and didn't receive that permissions prompt.
It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.
The moral of the story: if you use your Facebook account for anything concerning money, do not enter its credentials into any app or site that asks for it.
Or don't use Facebook at all for anything. Facebook makes money off of selling real people's information to anyone who pays; if some of them are fake, or the purchaser is fake, it's still money to Facebook. If the Facebook data customer is getting ripped off, what incentive does Facebook have to police the situation as long as they still get their cut?
Perhaps the most interesting part is the final line of the document:
> Initiated a PayPal chargeback process - PayPal responded: "we’ve determined there was no unauthorized use"
While I get the impression that the user had authorized Facebook to charge via PayPal in the past, I find this conclusion rather silly. If I give my credit card number to Amazon, and someone hacks my Amazon account and starts making random purchases, chances are I'd have no trouble filing a chargeback.
Yep. Authentication is being used as an excuse to blame the user. It's because Facebook's a big company. If it was a small website where a user got phished PayPal would have charged it back IMO.
As someone who also takes all the right account security precautions, I too have been fooled by a scam Facebook ad. It seems like this is an increasingly-common attack vector that FB needs to address.
Specifically, I think it would help for them to verify ads, as they do people / pages.
Yet another scenario where we're collectively being bitten in the ass because most of the world is still lacking a proper digital identity system.
If you're thinking that sending pictures of identity documents or bills is going to fix it no, it's clown-tier identity verification and will just postpone the issue a tiny bit with massive human resource cost and false negatives.
I remember learning this when I got my first code signing certificate. I had to jump through a TON of hoops including sending notarized copies of my ID to Comodo. After all that, they asked ME to send them a list of notaries for my jurisdiction. They also wanted a direct line to call the notary I used which is basically impossible to provide.
The verification is outsourced to the cheapest English speaking 3rd world country they can find and there's ZERO localized knowledge. I don't think you could build a system that's worse if you tried. The whole thing is just a process of checking boxes which is very similar to most of the 2FA systems in existence.
One attack I personally had was when I had an android tablet and a client who has business in China asked me to put a promotional video on some Chinese version of youtube. So I thought I found the app in Play store, but once opened it asked me something in chinese, so just thinking this is an obligatory privacy agreement or something, I clicked okay. Instead it started downloading an update, and rebooted. Afterwards my tablet was malware-ridden and unable to be recovered, because of the older version of Android.
I learned that a lot of apps behave differently if they find a different language keyboard. I don’t know if this attack is still possible in Android, it’s been some years now.
Is there any evidence that the people/pages verification is safe? I've seen plenty of fake accounts and the existence of misinformation or outright criminal (card fraud, etc) pages suggests the opposite.
I read things like this and keep thinking about the "web of trust" from the 90s. There is no way to visit some random app store, or read an email or website, and trust that it's actually officially what it says it is. The author of this article relies on some heuristics; good spelling, reasonable-sounding developer email, reasonable Java package name, etc. but these things can go either way. It is possible for a scammer to be good at spelling, and it is possible for a big company to contract out some app they don't care about to the lowest bidder and be perfectly running their ads program through the "FooCorp Develop App; ru.definitelynotascam.dumbcodename". It has historically been an okay data point, but in the future scammers are going to be good at English -- it's only a matter of time.
Where I'm going with this is that there needs to be some sort of mandatory linkage between something you trust and this random app you see on the app store. You trust Google. You trust TikTok. So why doesn't Google generate some sort of code that TikTok can stick in their DNS (or website) to create a linkage? By default, an app on the store could say "not trusted by any company", but then TikTok could add that record on their website and it would say "Trusted by TikTok" or something.
There are some problems with this, of course. Anyone could claim any app, and then you'd see incorrect information. DNS and web servers can be hacked, TLS roots of trust aren't trustworthy, etc. But there has to be some way to create this linkage safely, so that people aren't misled again and again and again in the same way.
Just go to tiktok site and download whatever you want there. But if you go to app store, you can barely tell what is what in this grey faceless pile of garbage.
2) All to force 'spend' on some odd Vietnamese ad? How does that benefit the scammer?
3) If the money went to FB for clearly scummy purposes, how on earth does FB not simply refund the ad spend? There's no cost of goods sold here for them, usually they should be pretty easy on giving you the money - or at very least giving you credits?
Not sure if Facebook allows some sort of max-spend cap that can only be increased with a 2FA together with an alert from the Facebook app itself. That should at least alert someone in the sense that "why am I getting a confirmation message to debit for a voucher credit" and in the worst case scenario, even if they don't realize it, should limit the damage.
> the scammer used my Facebook auth token to remove me from the Facebook Business entity
If you are able to use the account to purchase something in my name, I would expect the security to at least include a 2FA prompt. I'm not really big into the Facebook ecosystem but this sounds terrible.
I was scammed through PayPal, PayPal did the same thing to me, basically gave me a "Looks good to us, case closed, go fuck yourself." The negation of my case was automated, too. I received the "resolution" a few seconds after submitting the case.
Thankfully, I had paid with a credit card as the PayPal funding source for that transaction, and I disputed the charge with my CC company, which found in my favor, and did a chargeback to PayPal.
After that, I immediately unlinked all of my funding sources from PayPal and closed my decade+ account. Never again. Not as a buyer, and certainly not as a seller.
> the app asked me to log in with Facebook to get the credits.
These places (facebook, google, etc) really need to separate the "login with ____" button from an "authorize ___" button. Several times I've tried to login using google only to be greeted with a permission request, such as READING ALL OF MY EMAILS. Even Dropbox requires you to give them permission to your contacts if you want to login with google.
When you're not paying attention it's really easy to miss this kind of thing. So much so that now I prefer creating an account traditionally using a generated password.
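A small checker added here to make the point in the comment above concrete (not code from the article or from any provider): given the consent URL an app opens, it lists every scope beyond what a plain sign-in needs and flags those that hand over money or business assets, and it also refuses to trust lookalike hosts such as `www.facebook.com.something.example`. The scope names are the providers' own; which of them count as high-risk, the trusted host list, and the three sample URLs are my assumptions and constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts that serve the providers' real consent dialogs (assumption: extend per provider you use).
TRUSTED_PROVIDER_HOSTS = ("facebook.com", "accounts.google.com")

# What a pure "sign in with ..." needs. Anything beyond this is data access, not authentication.
SIGN_IN_SCOPES = {"openid", "email", "profile", "public_profile"}

# Scopes that grant control of ad spend, business assets or mailboxes. Provider names, my grouping.
HIGH_RISK_SCOPES = {
    "ads_management", "ads_read", "business_management", "pages_manage_ads",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def host_is_trusted(host: str) -> bool:
    # Exact match or a proper subdomain only; a substring test would pass lookalike hosts.
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_PROVIDER_HOSTS)


def split_scopes(raw: str) -> list:
    # Google separates scopes with spaces, Facebook's dialog accepts commas; normalise both.
    return [s for s in raw.replace(",", " ").split() if s]


def inspect_consent_request(url: str) -> dict:
    parts = urlsplit(url)
    query = parse_qs(parts.query)          # percent-decodes and splits repeated params
    scopes = split_scopes(" ".join(query.get("scope", [])))
    return {
        "host": parts.hostname,
        "host_trusted": host_is_trusted(parts.hostname or ""),
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "scopes": scopes,
        "beyond_sign_in": [s for s in scopes if s not in SIGN_IN_SCOPES],
        "high_risk": [s for s in scopes if s in HIGH_RISK_SCOPES],
    }


# Constructed sample consent URLs (client ids, redirect targets and states are made up).
FB_ADS_URL = ("https://www.facebook.com/v12.0/dialog/oauth?client_id=1234567890"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
              "&scope=public_profile,email,ads_management,business_management&state=x1")
LOOKALIKE_URL = ("https://www.facebook.com.login-verify.example/dialog/oauth?client_id=1234567890"
                 "&scope=public_profile,email&state=x2")
GOOGLE_MAIL_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=1234567890"
                   "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
                   "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code&state=x3")


if __name__ == "__main__":
    for label, url in (("facebook ads", FB_ADS_URL), ("lookalike", LOOKALIKE_URL),
                       ("google mail", GOOGLE_MAIL_URL)):
        report = inspect_consent_request(url)
        print(label, "trusted host:", report["host_trusted"],
              "| beyond sign-in:", report["beyond_sign_in"], "| high risk:", report["high_risk"])
```

The first URL is a legitimate Facebook dialog that nevertheless asks for `ads_management` and `business_management`, which is exactly the kind of grant that lets a third party run campaigns on your account; the second fails on the host alone, before scopes are even looked at.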
On iOS, if you have the Facebook application installed, the Facebook Login user journey opens the actual Facebook application. If you don’t have it installed, it will open the Facebook website in Safari. In both cases, assuming you are an active user of Facebook, you will already be logged in.
If it’s a fake OAuth screen? The first tip-off, assuming you use the application, is that it didn’t open the application. The second tip-off, in either case, is that it’s prompting you to log in. You can verify that you are logging directly into Facebook by going back to the home screen (which is not something an application can intercept), and re-opening Safari or the native application. If you were really in Safari / the Facebook application beforehand, it will come back to the same screen. Then you can check the URL to ensure you are on Facebook if you are in Safari.
As far as I am aware, it’s never "impossible to know". However it may be difficult for the average user to know how to determine this. For the average user, the rule of thumb "never log in to Facebook if a different application opened the Facebook login screen; only log in to Facebook if you opened the native application yourself or typed the website address yourself" is adequate.
It’s also worth mentioning that most password managers will pay attention to the domain, and there’s also a mechanism for this for native applications on iOS. So the password manager not auto-filling is another red flag.
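The domain check the comment above relies on, as an added example (not code from the thread or from any real password manager). It assumes a constructed vault with a single entry saved for facebook.com and shows why autofill must match the page host label by label rather than by substring: lookalike hosts such as facebook.com.tiktok-business.example, a URL that smuggles facebook.com into the userinfo part, and a plain-http page all get nothing offered. The iOS native-app side (associated domains) is not modelled here.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault for the example: credentials keyed by the registrable
# domain they were saved for. Not real credentials. A real manager would
# derive the key with the Public Suffix List so that e.g. co.uk entries work.
VAULT = {
    "facebook.com": {"username": "alice@example.com", "password": "example-only"},
}


def page_host(url: str) -> Optional[str]:
    """Lowercase host of an https URL, or None if no credentials should be
    offered at all (non-https scheme, or no host present)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    # .hostname drops any user:pass@ prefix and the port and lowercases,
    # so "https://facebook.com@evil.example/" yields "evil.example".
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")


def host_matches(host: str, stored_domain: str) -> bool:
    """Label-wise match: the page host must equal the stored domain or be a
    subdomain of it. A substring test would accept 'facebook.com.evil.example'
    and 'notfacebook.com'; this does not."""
    return host == stored_domain or host.endswith("." + stored_domain)


def autofill_candidates(url: str) -> list:
    """Credentials a domain-aware password manager would offer for this URL.
    An empty list on a page that asks you to log in is the red flag the
    comment describes."""
    host = page_host(url)
    if host is None:
        return []
    return [creds for domain, creds in VAULT.items() if host_matches(host, domain)]


if __name__ == "__main__":
    for url in (
        "https://m.facebook.com/login.php",
        "https://facebook.com.tiktok-business.example/login",
        "https://facebook.com@evil.example/login",
        "http://facebook.com/login",
    ):
        print(url, "->", "fill" if autofill_candidates(url) else "NO MATCH")
```

The same rule is what lets a manager fill on m.facebook.com and www.facebook.com without a separate entry for each: subdomains of the saved domain match, anything merely containing the name does not.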
>On iOS, if you have the Facebook application installed, the Facebook Login user journey opens the actual Facebook application. If you don’t have it installed, it will open the Facebook website in Safari.
Can someone else confirm this?
Those authentication screens are scary.
With a web browser, I can at least scrutinize the URL.
If you have any doubt as to whether you are in the legitimate Facebook application or not, return to the home screen and open Facebook from the icon on your home screen.
But really, the tip-off is the login prompt. Unless it’s the first time using the Facebook application on this device, you would normally be already logged in and it shouldn’t be prompting you to log in to Facebook.
I was looking for an android app to make my phone contacts on Outlook available on my phone.
The official app screws up my share menu. I'd see one set of share targets and just before I hit my choice, Outlook will place two contacts at the top. And this causes the remaining ones to rearrange.
Got pissed and uninstalled it. And I don't want to copy my contacts over to gmail.
I tried two contact apps and they both open a login screen - typing my password both times raised alarms in my head. Neither app worked. And couldn't risk trying more apps. Gave up and reinstalled the official outlook.
PayPal is not very dependable when it comes to handling disputes. If you paid with a credit card through PayPal, file a chargeback via the card itself and your financial institution should be able to help. But if you paid with your PayPal balance, you're most likely at Facebook's mercy at this point. Dutch laws might offer additional consumer protections.
The image above is a confirmation that they removed a false ad I flagged, thanking me for it. Yeah, ok, but as I said, I'm getting tired of flagging this kind of ad.
I sent an email to Instagram not so long ago, complaining that it is hard to tell an official ad from a fake one on Instagram, because they use that ridiculous thing of opening a webpage inside their own browser (?!), hiding the address.
I'm sorry that this happened to you. I usually deal with low effort scams (but they usually get my parent's attention) but maybe it's time for Facebook to be held accountable for this kind of stuff.
Did you buy a TV from an ad you saw on Instagram and it turned out to be a scam?! Well, let's hold Facebook accountable. Maybe they'll improve their ads platform.
You didn’t lose 4k. Facebook have the money, it’s in their account.
They sold virtual space at an almost infinite margin to a hacked account. The account was hacked on their system, the ad that facilitated the attack was run on their platform and they allowed the whole thing to perpetuate.
If this was in meatspace, Facebook would be an accessory to fraud.
I don't understand the step where the author is logging in with Facebook.
Was that a legit OAuth 2.0/OpenID Connect log in? (In this case this must have been OAuth 2.0 with a scope giving the application write access to business stuff.)
Or was it a phishing page in which the author gave his facebook password?
I believe it was actually OAuth or else FB would have likely blocked the login from another country or at the bare minimum sent OP a suspicious login email.
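The distinction the question and reply above turn on (a real OAuth 2.0 consent that granted write access to business assets, versus a phishing page that took the password) can be made concrete by looking at what the authorization request itself carries. Added example, not code from the thread or from Facebook: it parses the authorize URL a client app sends the user to and lists the requested scopes, flagging the ones that would let the app control ad accounts. The scope names are assumptions modelled on Facebook's Marketing API permission naming, the endpoint host and path are assumed, and the client_id, redirect_uri and state values are constructed. A login-only request (email, public_profile) produces no warning; one asking for ads_management does, and that consent screen is what the user has to actually read.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes that hand an app control over ad spend. Names are assumptions modelled
# on Facebook's Marketing API permissions; check the provider's documentation.
AD_SCOPES = {"ads_management", "ads_read", "business_management"}

# Host the legitimate authorization dialog is expected on (assumption).
EXPECTED_AUTHZ_HOST = "www.facebook.com"


def parse_authorize_request(url: str) -> dict:
    """Pull the fields a user (or a proxy/log reviewer) should look at out of
    an OAuth 2.0 authorization request URL."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    scopes = set()
    for raw in q.get("scope", []):
        # Facebook joins scopes with commas; RFC 6749 uses spaces. Accept both.
        scopes.update(s for s in raw.replace(",", " ").split() if s)
    return {
        "host": parts.hostname,
        "client_id": q.get("client_id", [None])[0],
        "redirect_uri": q.get("redirect_uri", [None])[0],
        "state": q.get("state", [None])[0],
        "scopes": scopes,
    }


def consent_warnings(url: str) -> list:
    """Human-readable reasons to stop before clicking 'Continue'."""
    info = parse_authorize_request(url)
    warnings = []
    if info["host"] != EXPECTED_AUTHZ_HOST:
        warnings.append(f"authorization host is {info['host']!r}, not {EXPECTED_AUTHZ_HOST}")
    ad = sorted(info["scopes"] & AD_SCOPES)
    if ad:
        warnings.append("app requests ad-account control: " + ", ".join(ad))
    redirect = info["redirect_uri"]
    # Custom app schemes (myapp://...) are normal for native clients; plain
    # http is not, and a missing redirect_uri means the request is malformed.
    if not redirect or redirect.startswith("http://"):
        warnings.append("redirect_uri missing or not https")
    if not info["state"]:
        warnings.append("no state parameter (CSRF protection missing)")
    return warnings


# Constructed requests for the example.
LOGIN_ONLY = ("https://www.facebook.com/v12.0/dialog/oauth?client_id=123456"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
              "&scope=email%2Cpublic_profile&state=abc123")
ADS_WRITE = ("https://www.facebook.com/v12.0/dialog/oauth?client_id=123456"
             "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
             "&scope=public_profile%2Cads_management%2Cbusiness_management&state=abc123")
LOOKALIKE = ("https://login-facebook.example/dialog/oauth?client_id=123456"
             "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
             "&scope=email&state=abc123")

if __name__ == "__main__":
    for name, url in (("login only", LOGIN_ONLY), ("ads write", ADS_WRITE), ("lookalike", LOOKALIKE)):
        print(name, "->", consent_warnings(url) or ["ok"])
```

The point for the thread: if the app really did use Facebook Login, the page that asked for consent will have listed something like ads_management or business_management, and a token with those scopes is enough to create campaigns without ever seeing the password or the 2FA code. If no such scope was shown, the credentials went somewhere else.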
Play Store is much more flexible than the App Store regarding what it will allow published -- also how much attention it places on its gatekeeping activity.
It is a walled garden but the walls simply aren't as high.
I don't get how an adblocker would have helped in this case. The victim could easily be conned into downloading this app through a marketing email or some other way. The real issue is that an app like this is even allowed on the Play Store at all.
Please always check for the correct spelling, punctuation and stylization of words/brands in a suspected ad. It's written as "TikTok" everywhere, not "Tiktok". I almost always see this kind of stylization error in fraud ads.
Good advice, and I generally pay attention to correct brand stylizations, but I do have to acknowledge that the large "TikTop" icon in the ad and the app description was attractive enough for me to let my guard down (I'm not the author). I didn't notice the incorrect "Tiktok" text in the app screen until I saw your comment.
I'm completely unsurprised. I cannot be the only sucker in here who bought something off of a Facebook ad, and got a token piece of China-shipped junk instead. Mine was a video of a steel light saber being disassembled and put together, with all working parts. I was stupid, I paid $30 for it, and a month later, a box from China shows up with a $1 plastic sword.
After that, I started commenting on every Facebook scam ad I saw, and guess what? That just got me into the queue for MORE scam ads! Facebook sees me commenting "SCAM" on ads about cheap Legos, and it says "Hey, this guy likes cheap Lego scam ads!"
Plus, these ads go to different sites, have different company names, and different images every time, but they are the EXACT same scam, guaranteed. It's like Facebook is incapable of having a legitimate and ethical advertising business at some genetic level, and all the money from these obvious scam ads is just too good.
This shit is so prevalent and so brazen, I've considered setting up my own scam ad, maybe sell a Qanon book that's blank and say "Fuck you, idiot" inside... I mean, why not? It seems like people are getting rich by fucking over Facebook users, and Facebook LOVES it!
They have such utter contempt for their users. And here I am still using it because it's the only platform I can see pictures of my family members on, as they are non-technical users. Am I supposed to run some kind of internal family campaign to get them all to move to some non-existent alternative? I hate this so much. I feel trapped by Zuck's heartless machine.
> That just got me into the queue for MORE scam ads!
I once created a Facebook account to test something and for some reason it decided I was some sort of gambling addict (that e-mail was registered on a legitimate gambling website and I guess they leaked it) and the "people you may know" was full of fake accounts all related to some kind of scummy mobile casino game (I guess the game requires login with FB or maybe gives new people free tokens so they just register tons of fake accounts?).
I spent a good 20 minutes reporting every single one of them (up to actually hitting the rate limit on the report endpoint), and not only did the algorithm not take the hint that maybe it wasn't a good idea to recommend me more accounts out of that category, but their support didn't deem the majority of them as violating the community guidelines despite them being obviously fake (and I couldn't notice any difference between those that were deemed as violating their guidelines and those that weren't).
It may be that there were cultural clues that cued you into them being fake but that would be completely meaningless for someone being paid pennies to review those reports in another country.
Yes, but it is that person's job to spot those things. If I as a user can do a better job than them then something is very wrong with the resources/training they are provided. They should be better than I am, not worse.
Is it just me, or do the screenshots just scream "scam"?
1. Inconsistent spelling TikTok vs Tiktok, business vs Business in app names and logos
2. Inconsistent font in Tiktok logo (Times New Roman like font in Android app, wut)
3. Typos and clumsiness: "vocher" instead of "voucher"; space between $ and 3000 on confirmation screen.
4. As mentioned, the app developer not being TikTok
I'd not be surprised for a random person to fall for this, but an experienced techie should have seen many red flags.
(Having said that, as some other comment said, logging in with FB on mobile is inherently unsafe because you can't really tell if it's FB or an impostor site. Plus the way the ad markets work, which is just built for scams like this. Modern web sucks.)
A lot of comments, and I gave them all a quick browse, but I can't see anyone say it, but it's so obvious it has to be said:
What tech-savvy person is not only SEEING ads, but would actually deliberately click on one? I feel like I'm taking crazy pills.
You don't click on ads! Why would you click on an ad! What's wrong with you people!?
As user beefield points out, another good rule of thumb is to just never buy or take anything from anyone who approaches you or communicates to you if you are not the originator of that communication/request. Just don't do it, and you save yourself a lot of pain (and don't worry, you're not missing out on anything).
HN loves to downvote any comment about grammar & spelling, but now we see it in its proper context as a cybersecurity measure. If I'd seen "vocher" (i.e. voucher) on a big blue button I would've applied the brakes on my clicking finger. Whether one of these little mistakes is unintentional (indicating incomplete mastery of English and perhaps foreign scammery), or intentional (indicating a purposeful screening device to make sure only rushed, inattentive and stupid people respond), take advantage of the warnings they leave for you.
Voucher was spelled as "Vocher" in multiple places. At first I thought it was localization, but then I realized that the author spells it as "Voucher". That was the red flag for me.
> Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.
Sorry that you have to deal with this, and well done on actually flagging all these things as suspicious. I also sometimes make these tradeoffs: when something sounds 'not quite right' I would still sometimes make a judgement to ignore it.
Wow, I guess people really do random app installs on their phones. I've never installed an app after being redirected to the app store... never. I've always considered that the equivalent of .exe's in emails. Just don't do it!
The fact that just about every damn site (reddit, etc) desperately tries to force the issue makes me think that if Apple/Google had one's best interests at heart they would disable the functionality.
I’d say that the prevalence of marketing hacks out there has made people let their guard down. We assume businesses will lose money on purpose to gain traction, to the degree that when we see deals like these, we jump at them without a second thought. No doubt there’s technical engineering that went into this scam, but the social engineering and manipulation of the target’s psychology is the real secret sauce.
It's really easy to find services like this just by googling the right thing. I've never used one, but just from a quick search $630 can get you 200 five-star reviews. I don't know if the site I found will let you repeatedly purchase for even more reviews, but several of these sites came up when I googled so it would also be pretty easy to just use 5 different fake review sites to get up to 1000 fake reviews.
If the price is consistent across them, that means 1000 reviews costs about $3.1k. Expensive, but it apparently only takes 1 tricked user to become a profitable scam.
Not saying a similar scam would not have fooled me, as I'm looking at the screenshot in the article with the knowledge that it's a scam, so it's an unfair comparison. However the first thing that immediately stands out to me is there are no 2,3,4 star reviews on this app. The reviewer comments are also very generic and have many grammatical errors in each featured one in the screenshot, and the featured reviews are all from Sept 1.
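The three tells in the comment above (no 2, 3 or 4 star ratings, generic repeated text, everything posted on one day) are mechanical enough to check over a review listing. Added example, not code from the thread or from Google Play: it scores a list of reviews on those three signals and returns the flags that fire. Both review sets below are constructed for the example (the dates and texts are invented, not taken from the real listing), and the thresholds are assumptions a reviewer would tune against real data.

```python
from collections import Counter
from datetime import date

# Constructed sample shaped like a bought batch: one-sided, same day, same text.
SUSPECT = [
    {"stars": 5, "date": date(2021, 9, 1), "text": "good app"},
    {"stars": 5, "date": date(2021, 9, 1), "text": "Good app"},
    {"stars": 5, "date": date(2021, 9, 1), "text": "good app "},
    {"stars": 5, "date": date(2021, 9, 1), "text": "very nice"},
    {"stars": 5, "date": date(2021, 9, 1), "text": "very nice"},
    {"stars": 5, "date": date(2021, 9, 1), "text": "best app for business give me voucher"},
    {"stars": 5, "date": date(2021, 9, 1), "text": "i like it so much thank"},
    {"stars": 1, "date": date(2021, 9, 1), "text": "not working"},
]

# Constructed sample shaped like organic feedback: mixed ratings, spread out.
ORGANIC = [
    {"stars": 5, "date": date(2021, 3, 2), "text": "Does exactly what it says, syncs quickly."},
    {"stars": 4, "date": date(2021, 3, 15), "text": "Works well but the widget could use a dark mode."},
    {"stars": 3, "date": date(2021, 4, 20), "text": "Decent, crashed once after the last update."},
    {"stars": 5, "date": date(2021, 5, 11), "text": "Replaced two other apps for me."},
    {"stars": 2, "date": date(2021, 6, 7), "text": "Login loops on my tablet, fine on my phone."},
    {"stars": 4, "date": date(2021, 7, 30), "text": "Good, ads are a bit much in the free tier."},
    {"stars": 5, "date": date(2021, 8, 19), "text": "Support answered within a day."},
    {"stars": 1, "date": date(2021, 9, 1), "text": "Deleted my contacts. Avoid."},
]


def review_signals(reviews: list) -> dict:
    """Fractions of the review set that exhibit each tell."""
    n = len(reviews)
    stars = Counter(r["stars"] for r in reviews)
    days = Counter(r["date"] for r in reviews)
    # Normalise text so trivial casing/whitespace variants count as duplicates.
    texts = Counter(" ".join(r["text"].lower().split()) for r in reviews)
    return {
        "five_share": stars[5] / n,
        "middle_share": sum(stars[s] for s in (2, 3, 4)) / n,
        "top_day_share": days.most_common(1)[0][1] / n,
        "dup_text_share": sum(c for c in texts.values() if c > 1) / n,
    }


def flags(reviews: list) -> list:
    """Flags that fire; thresholds are assumptions for the example."""
    s = review_signals(reviews)
    out = []
    if s["middle_share"] == 0 and s["five_share"] >= 0.8:
        out.append("no 2-4 star reviews")
    if s["top_day_share"] >= 0.5:
        out.append("reviews clustered on one day")
    if s["dup_text_share"] >= 0.3:
        out.append("duplicate review text")
    return out


if __name__ == "__main__":
    print("suspect:", flags(SUSPECT))
    print("organic:", flags(ORGANIC))
```

Polarised ratings alone are weak evidence (a brand-new app with eight reviews can legitimately be all five stars); it is the combination with same-day posting and near-identical text that matches what a purchased batch looks like.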
> Contacting Facebook about such scams/hacks is a challenge on its own: there is a support page but in all my attempts I was unable to click the "email" icon. The "chat" icon always says "chat unavailable"
This is both incredibly frustrating and incredibly unsurprising.
How exactly did they get around the 2FA? I'm guessing the app he installed stole his password when he entered it, but he does say that he had 2FA enabled. How did they get around this and log in to his account? Or did the app somehow siphon off the 2FA code also?
They probably want to run the budget as fast as possible because sooner or later you get caught and care little how effective it is or how much to optimize it.
I don't know whether this is relevant for fact checking, but the ad logo in the first image with the bullseye uses an image (the bullseye itself with the arrow) that is available as a logo/icon in MS Office exactly as is.
If I understand right, the scam was a phishing attempt that successfully got their Facebook credentials (or an OAuth token? they might not be sure?) and used them to buy ads on Facebook in that amount?
I think single-sign-on stuff and "Sign In with X" are a cancer. They encourage you to type in your sensitive credentials all over the place and hope it's safe.
Astonishing that people with such creativity would resort to theft and deception -- you cannot steal as much as you could earn legally, making something useful for everyone!
He had a Facebook ads account with PayPal linked, and the hacker used his login info to run their own (apparently Vietnamese aluminum product) ad campaign and spend using his account.
If you accept a billing agreement with a merchant on your PayPal account, that merchant becomes able to charge your PayPal account without confirmation.
Some merchants encourage or force a billing agreement before the customer can make a purchase. The PayPal UI does not make a strong distinction between entering into a billing agreement and making a standard purchase. For users who are not familiar with the PayPal checkout process, the billing agreement UI looks just like a normal step in the process.
I actually happened to be going through the Paypal settings yesterday as I couldn't get it to make a purchase on ebay and thought something might be wrong there.
I had around a dozen merchants who were listed in the automatic billing payment list and only one of them was a subscription I remember setting up. (the others were all legit and large businesses and none of them have charged me, but they could have!). I have since 'deactivated' all of them.
I really do hate Paypal but I often choose them when I buy something from a smaller web shop as I do not trust the web shop to keep my card details safe...
TL;DR: guy clicked on a link promising him 3000 usd out of thin air if he gives access to his account linked to PayPal.
Malicious user used his account to buy digital items (ads).
Maybe not "spotted" an ad while browsing Facebook (since even with uBlock Origin, FB is ruthless at shoving Sponsored posts into the feed), but certainly clicking on an ad disqualifies one from being able to claim "I am cautious with account security."
That was like, the #1 rule I learned in the 90's: don't click on banner ads unless you want to get a virus or get scammed, what the heck.
I wouldn't go quite that far, but the sense of schadenfreude on reading the article was through the roof.
Spam and web advertising have always been underhanded, and if a person with "15+ years in adtech" can't avoid an ad scam, what does that mean for everybody else?
The app looks poorly made and there are clear spelling mistakes, plus the fact that it was not offered by TikTok, which should have made you suspicious. It sucks this happened but maybe you should have done some research and checked if this app actually did belong to TikTok. I assume the app also asked you to log in to Facebook directly rather than via OAuth, which should also have made you suspicious.
I've often heard the argument that scams add spelling mistakes to only catch the idiots that have a high conversion rate for the scam. That doesn't feel like it makes sense on something like this which is highly sophisticated. Is it just bad quality?
Just to be clear, this didn't happen to me. I just posted what Niek van der Maas wrote on his GitHub. I don't think he's even reading this HN thread, so no use giving him advice.
(My moral compass is still up and running while some call disabling it "running business")
I wonder why something like this never happens to me?
- I am not paying a dime for advertising as it is completely inappropriate to spam more users with ads (Zillions of ads and you are one of them? And this works? Really? Not for my users and my reputation.)
- I don't use Facebook as I have real friends to go for a beer with
- I don't open any ads (but ad nauseum [1] does)
- I don't use TikTok and I don't see anything positive in it, so even if I were advertising I surely wouldn't spam kids with ads
-- ...
(I could call this whole event a "poetic justice")
(edit: fixed wrong wording as suggested - anyway I don't attack OP - in the same manner I don't attack drug dealers. I am just explaining why I don't do that. Or sell drugs. Someone might learn something from it.)