Facebook Scam Ads Target Japan, part1

8 min readNov 20, 2022

Meta distributes many ads on its two most significant SNS, Facebook and Instagram. However, many ads are fraudulent, taking you to investment scams and fake shopping sites.

In this article, I will show how Meta ads, i.e., ads on Facebook and Instagram, are used as entry points for online scams targeting Japan.

The Overview of Scam Ads

I often see Meta scam ads which abuse the Sony name or logo.
The following ads were distributed on Facebook and Instagram. “ソニー” is Sony.

Victims are tricked into believing this ad is an advertisement for a new Sony product. Once they click it, a fake news article appears.

Fake news: The design is similar to Nikkei

This fake news design is similar to Nikkei 日本経済新聞, which is the largest economic newspaper in Japan. Nikkei’s logo is also abused.

Sony has issued an announcement to be aware of the fake advertisement.

You can read the fake article in urlscan.io.
https://urlscan.io/result/57c1a177-1997-4445-8390-9fb9ed4533f7/

Fraud Structure

At first, here is the whole process of this scam.

The entry point is a common advertising scam. The attacker (Actor) makes up fake news which explains fake investment products. Then actors publish Scam Ads that direct victims to fake news sites.
Meta’s ad screening quality is terrible, and many scam ads pass the screening process.

When victims are duped, they are prompted to enter their email addresses and phone number into a fraudulent website.

A short time after victims send their personal info, the scammer calls and verbally tries to get them to pay an initial fee of $250. The call comes from someone claiming to be from an Elland Road Capital company.

Note that this scam targets the Japanese. The caller speaks in Japanese, but he identifies himself as “I am Turkish, and I am in Turkey”.

Analysis of scam advertisements

The scam ads used by this Actor are so simple that we can easily find them. (Although Meta doesn’t seem to be able to find them…)

Accounts of the owner of Scam Ads

Almost all advertisers’ accounts had nothing to do with Japan and appeared to be abandoned for some time. They are probably hijacked by attackers and used as platforms to run fraudulent advertisements.

Scam Ads features

The actor is advertising with the words ソニーの電子マネー (Sony e-money) as of November 2022.

There are also other patterns, a passport and a Japanese 銀行(bank) in the background. Here are the cases:

Of course, these photos of Japanese banks are being abused as camouflage.

The Fake News Infrastructure

There were several domains in the fake article, all of which were obtained from NameSilo or GoDaddy. Because these two Registrars are major players, commonly used by both regular users and scammers.

Domain Name: 44mscmsc.com
Registry Domain ID: 2721805830_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2022–11–06T07:00:00Z
Creation Date: 2022–08–29T07:00:00Z
Registrar Registration Expiration Date: 2023–08–29T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479

All IP addresses belonged to Cloudflare, so I could not determine where the Origin Server was.

Pinpoint Attack on Japan: GeoFence

As indicated by the fact that the ads and fake articles are written in Japanese, this attack targets Japan. The web pages of the fake articles are designed to deny connections from outside Japan. Since I live in Japan, I have not noticed this filter for some time.

You can access the fake news only from Japan

When connecting from an IP address outside of Japan, the fake article could not be accessed because the site appeared to be a normal shopping site. Such a technique is called GeoFence, one of Cloaking methods, and is often used to hide phishing sites to avoid detection.

List of Japanese Companies Affected by Brand Theft

Scam Ads
・SONY (ソニー)
・Sumitomo Mitsui Banking
・Mizuho Bank
・MUFG Bank

Fake Article
・Nikkei
・The Asahi Shimbun
・The Yomiuri Shimbun
・Jiji Press
・Sankei Shimbun
・Nikkan Gendai

I tried to fall myself for the scam

I expected this scammer would contact the victim because I was asked to enter my email address and phone number. Therefore I entered my email address and phone number for my research.

Phone conversation

About 10 minutes later, a person immediately called me back, speaking in Japanese. He claimed that he worked for a company called Elland Road Capital.

His Japanese was advanced level, and although he had some faltering, he had no problem with basic communication.

I am an account manager at Elland Road Capital. We have economic experts on hand, so let’s invest together!
You have created an account with Elland Road Capital, and I have called to activate your account! We need you to deposit $250 to activate your account. Because we want only serious investors to use our services!

I asked where is he calling from. He said:

Turkey. I am Turkish and I speak Japanese, so I am in charge of Japanese.

hmm! Next I asked him, “Are you aware that you are committing fraud?”

No, no. Our company is not a scam. We even have a proper financial license number, which we will send you via email so you can verify it too.

Perhaps he is fishing(phishing) for “suckers” and really doesn’t know anything about investing.

I also asked him why you would mention Sony’s name on their scam ads. He said he knew nothing about scam ads.

I do not know the truth, but I felt his words were true. It is a common practice in such scams to break up the work into smaller pieces.
Perhaps he really believed that he was hired by an investment firm to do telemarketing work….

Elland Road Capital

The caller told me the name of the company as Elland Road Capital ltd. The company’s web page exists here.
https://www.ellandroadcapital.com/

He also sent me an email with the licence number and how to verify whether it is an official company. Surprisingly, the email was written in fluent Japanese!

They sent me an email how to “verify” their company.

Japanese is a difficult language to machine translate, so we Japanese usually find strange translations. But this one was nearly perfect. (I won’t mention what was odd about the translation, as that would be a hint to the scammers.)

I checked the email headers and it looks like they are using Zimbra. They appear to have an in-house IT system.

X-Mailer: Zimbra 8.8.15_GA_3945 (ZimbraWebClient - GC107 (Win)/8.8.15_GA_3928)

What is Elland Road Capital?

Indeed, this company appears to have a South African financial license number 52127. However, everyone can obtain the number simply by applying, so this license alone does not tell us whether this is a fraudulent company or not.

I searched for this company on the Financial Sector Conduct Authority (FSCA) in South Africa, and sure enough, I got one result.
https://www.fsca.co.za/FAIS/Search_FSP.htm

https://www.fsca.co.za/FAIS/Search_FSP.htm

OFFICE 162, FIRST FLOOR
WILLOW BRIDGE CENTRE
CARL CRONJE DRIVE , CAPE TOWN
7530

Then I found that this Elland Road Capital location is a Virtual Office address. It is highly likely that there is no actual business.
https://www.davincivirtual.com/loc/south-africa-virtual-offices/cape-town-virtual-offices/facility-6553

https://www.davincivirtual.com/loc/south-africa-virtual-offices/cape-town-virtual-offices/facility-6553

Reviews

Elland Road Capital was listed on several investment review sites.

・https://www.trustpilot.com/review/ellandroadcapital.com?languages=all
・https://www.sitejabber.com/reviews/ellandroadcapital.com

When looking at review sites you should pay attention to score bias. There are many fake reviews nowadays, and just looking at the average score is not the right way to make a correct decision.

The above picture is a review rating for Elland Road Capital on Trustpilot. The average score appears to be reasonably high, but what is noteworthy is the bias in the scores.

This score is heavily skewed between a high of 5 and a low of 1. Such skew is a common bias often seen in fake reviews, where high ratings are fake reviews and low ratings are actual user reviews.

Let’s see another review site, sitejabber.

https://www.sitejabber.com/reviews/ellandroadcapital.com

The average score is 4.5. 🫠 OK, let’s check the bias in the scores.

There are only 5 star reviews and 1 star reviews. Many fake reviews have been posted for this as well.

Similar situation: he was duped by clicking on a scam ad.
https://www.sitejabber.com/reviews/ellandroadcapital.com

Conclusion

Spam will inevitably flow into social networking sites. However, the platform provider of a social networking service is obligated to make the site safe for users to avoid becoming a victim of cyber crime.

Scam ads abusing Japanese bank logos (銀行=bank) / Meta Ad Library

Compared to other companies, Meta’s ad screening process is so bad. Fraudulent advertisements that use the logo images of famous Japanese companies such as Sony and various banks should be blocked by their screening process.

⚠️ Do not click on Instagram and Facebook ads if you do not want to be scammed! ⚠️

In Part 2, I plan to write about another huge fraudulent ad, Fake Shopping Sites.

references

海外FX業者を辛口評価 - 検証4

本ページでは以下を検証します。いずれも金融庁の金融商品取引業者のリストに該当は確認出来ず、無登録の違法業者と考えられます。検証項目は順次追加の予定です。 ●ThreeTrader (スリートレーダー…

sites.google.com

This is a very detailed explanation. Awesome!

IoC

fake news sites

hxxps://le-surgele[.]com/sunniesstudios/bobbi
hxxps://tryaminick[.]com/products/a-nurses-prayer-glass-plaque
hxxps://fastandfurriousnews[.]com/products/treats-for-my-peeps-platter-set-of-2-cookie-cutters
hxxps://fitnessbydesignmn[.]com/madewithspin/wrap-wicker-console-s
hxxps://44mscmsc[.]com/mountainfirewheels/roughcountry1674

Scammers’ phone number

442080970979
441518081437
441518081438
441518081440
441518081442
441518082316