Facebook malvertising reveals 4K domains spoofing 68 brands

Suspicious Facebook ads promoting cheap products from well-known brands revealed a massive fraud campaign spanning more than 4,000 domains and impersonating at least 68 brands, Silent Push reported on Monday.

The campaign, dubbed "GhostVendors," has been active since at least May 2025 and leverages Facebook Marketplace ads to promote products from a wide range of brands, including home improvement, fashion, footwear, sporting goods, activewear, food, garden and general retail brands.

The ads often promote unrealistically low prices for specific products and direct users to fake product listings on malicious sites spoofing online stores such as Wayfair and Lidl. Silent Push researchers suspect the campaign is financially motivated, with the threat actors receiving funds without delivering products, or potentially capturing payment information for future fraud.

The extensive use of Facebook ads to promote the fraudulent websites was highlighted by Silent Push due to the fact that ads only appear in the Meta Ad Library while they are still active. Other than ads regarding social issues, elections and politics, which Meta retains for seven years, ads disappear from the Ad Library as soon as a campaign ends.

The GhostVendors threat actors take advantage of this by running frequent, short campaigns, making it difficult for defenders and analysts to reliably track their activity over time. However, Silent Push was able to track the campaign across thousands of domains using “content fingerprints” of the malicious sites, which are frequently cloned from one another.

Some of the domain names were seemingly random, possibly created using a domain generation algorithm (DGA), while others included the impersonated brand name in the URL. Silent Push also noted that the domain link visible on a Facebook ad would not always match the domain name the user would ultimately be redirected to.

The GhostVendors campaign is similar to another e-commerce fraud campaign dubbed ERIAKOS, which was discovered by Recorded Future last year. This campaign leveraged both Facebook ads and comments to promote fake low-price product listings and spanned more than 600 domains impersonating popular brands.

Facebook malvertising has also recently been used to promote fake generative AI tools facilitating the distribution of infostealers and other malware, as reported by Morphisec and Mandiant last month.