Internet marketers exploit Facebook ads to rent Facebook accounts in Ukraine

Scammers and shady marketers bombarded Ukrainian

Internet marketers exploit Facebook ads to rent Facebook accounts in Ukraine

Share this story
THE FOCUS

Scammers and shady marketers bombarded Ukrainian users with ads, enticing them to offer their Facebook accounts for rent in exchange for money

(Sources: @r_osadchuk/@DFRLab via Facebook)

Shady marketers used multiple pages and personal accounts on Facebook to rent real users’ accounts in exchange for money. The effort’s scale and persistence suggest that these services are profitable, in-demand, and conducted by multiple actors.

Marketers may use leased online assets for multiple purposes, including “ad laundering,” information operations, or classic scams. Researchers have identified similar attempts to rent out or buy user accounts before. In the past, marketers have offered cash and even laptops to incentivize people into renting out their accounts. Facebook’s rules prohibit scams, and the company has previously enforced against these rental schemes, both by suspending the marketers and disabling leased accounts.

How the scheme works

To find new accounts for rent, scammers create multiple pages with similar names, usually including the words “rental” or “marketing.” These pages often feature just a few posts, profile pictures, or cover photos. Many of them are registered as “places” in random categories, such as “Beauty Salon” or “Finance.” Sometimes the pages listed the accounts’ rental price. The price tag ranged from a weekly payment of 100 UAH (about $3.50 USD) to more than 2,000 UAH (about $71.00 USD) per month.

Three pages named “Advertising and marketing” with similar logos but listed under different categories, such as “Magazine” (top left), “Not a business” (top right), and “Entertainment Website” (bottom). (Source: Advertising and marketing/archive, top left; Advertising and marketing/archive, top right; Advertising and marketing/archive, bottom)

The pages the DFRLab examined did not have many followers; however, some posts managed to amass up to a few hundred engagements. In the comments, most users commented the “+” sign, indicating their willingness to participate, questioning how to join, or asking how the process works. Pages usually responded by suggesting that users switch to private messages. Some users also inquired about the pages’ ownership.

Another available communication tool was a link to a chat or landing page of a separate website, where users could pick the most comfortable mode of future communication. These sites typically hosted social buttons to direct users to private messenger apps, like Telegram or Viber.

The pages typically described themselves as “large digital agencies” that run multiple ads and need new accounts belonging to real people to run additional ads. Marketers assure future clients that they would use only their Ads account, that the client would retain access to their account as usual, and that their friends would never know about the rental.

Marketers also listed requirements for rented accounts. Accounts needed to be at least six months old and have a certain number of friends. There were several red flags indicating that the pages were running a scam: in comments, some users called out the pages as scams that never paid out, but these comments got lost in the noise.

Groups

The DFRLab identified at least three distinct groups of marketer pages that shared similar naming conventions and visuals, as well as promoted the same channels for communication.

The first group noted it was affiliated with the 7xmedia advertising agency, which borrows its name from a U.S.-based media agency that manages U.S. athletes. The Ukrainian-based company has an empty website, but it used to have a designer posting on djinni, a Ukrainian job posting service for IT jobs. The DFRLab identified that this group ran three pages, two of which were “places,” and also ran a Telegram channel.

Assets associated with the first group, which was linked to 7xmedia. (Source: @r_osadchuk/@DFRLab)

The first two pages in the group of assets listed different burner emails in their contact information, but indicated the same cell number and used the same stock photos. The second page was unavailable at the time of writing, but the archived version was still accessible. This page also advertised a referral system that paid individuals who brought new users to the scheme $1 USD per new account.

The now-defunct page “Cabinet rent” also referred its followers to a Telegram channel called “Facebook accounts rent.” The channel set the price range for an account from $7.10 to $17.80 USD per month. The rest of the “Earn on Facebook” pages repurposed the explainer text of lease benefits from the “Buy/rent your FB account page” and the now-defunct “Cabinet rent” page.

Cover photo of the “Advertising and marketing” page reads, “Will rent out Facebook for Ads launch,” indicating remuneration of “200 UAH immediately + 150 UAH/week” (in a green box). (Source: Advertising and marketing/archive)

The second group of “Advertising and marketing” pages consisted of 19 mostly empty assets, all of which used similar cover photos and profile pictures. There were no public details on how to connect with marketers on these pages, suggesting that the scheme was likely conducted over private message.

“Advertising and marketing” assets. (Source: @r_osadchuk/@DFRLab)

To prove that they indeed compensated users for their accounts, a few pages featured bank account statements that supposedly showed payments. A few pages used screenshots that resembled branding from Monobank, a Ukrainian mobile bank.

A reverse image search did not provide a hit for these screenshots, suggesting that they may have been genuine, or at least had not been taken from an online source. One minor detail that stands out in the screenshots, however, is that the card that supposedly pays renters is replenished from another card issued by Tinkoff Bank, which is registered in Russia.

Bank statements from supposedly the same card shared by two different marketers’ pages. (Source: Advertising_marketing/archive, left; Advertising and Marketing/archive, right)

The third group consisted of at least 16 pages with “Lease” in their name. While these pages did not advertise remuneration, they referred followers to external links, where users could pick a private messenger app of choice communicate with marketers directly off-platform.

The “Account Lease” page directed people to an external link and encouraged them to get in contact via private messaging apps. (Sources: Account Lease/archive, left; mssg.me/archive, right)

Some page administrators appeared to participate in other scams as well. The page “Lease ‘Franklin’” indicated the same phone number as a page that claimed to sell facemasks during the coronavirus lockdown, a common scam amid a shortage of masks and other protective equipment in Ukraine.

The “Arenda ‘Franklin’” (at left) and Медицина (“Medicine,” at right) pages used the same phone number and images. (Source: Arenda Franklin/archive, left; Медицина/archive, right)

Ads missing from Facebook’s Ad Library

This research also revealed some obstacles for researchers hoping to use Facebook’s Ad Library to uncover pages’ ad spending. While searching for additional pages undertaking this scheme, Facebook served the researcher multiple ads from pages with vague names like “Summer,” “Fall,” “Love,” and “Winter is coming.” Most of these pages served ads that pointed to the same website, with contact details for messenger apps, but their Ad Libraries remained empty a few days after the ads’ creation.

Pages linked to two different Instagram accounts (in purple boxes) that used the same description to describe terms of accounts leasing (in green boxes). (Source: @r_osadchuk/@DFRLab)

This suggested that the ads were either removed or disabled by Facebook’s systems. But there were discrepancies: in one case, the same page’s ad library showcased five ads a week after creation.

An ad that was served on November 10 (top left) that reads “Just sit on Facebook” (top meme text) and “Receive from 3.000 for your Facebook account” (bottom meme text), page transparency (top left), and Ad Library of the page (bottom) on November 13 with zero ads. (Source: Personal brand — the top of the path/archive; Ad library/archive)

In the short video below, the DFRLab investigated a page named “Autumn” that served an ad to lease user accounts. While the page was created on November 4, the Ad Library indicated that the ad had started running a day earlier, on November 3. While the desktop version of Facebook showed no ads in the page’s Page Transparency section, the mobile version did briefly show an active ad.

These discrepancies complicate open-source investigation of Facebook advertising, as researchers may see different results depending on whether they are viewing ads on desktop or mobile.

While the DFRLab cannot estimate the prevalence of these types of ads on Facebook, renting out accounts is against Facebook’s Terms of Service, and the practice jeopardizes the security and reliability of Facebook’s Ads platform and makes it vulnerable to exploitation in the future.


Roman Osadchuk is a Research Assistant, Eurasia, with the Digital Forensic Research Lab.

Follow along for more in-depth analysis from our #DigitalSherlocks.