Hackers took over the account of an employee at LiveRamp – one of Facebook’s significant data partners and a marketer extraordinaire that helps advertisers target ads – to access its Business Manager account and launch a campaign to run scam ads, tapping other user accounts to pay for them and deceiving customers.

“The instance to which you are referring affected a limited number of LiveRamp customers and associated Ad Accounts,” a CNET report cited a LiveRamp spokeswoman as saying in a statement. “Facebook promptly communicated the issue to the affected accounts. Moreover, LiveRamp worked with Facebook to revoke unauthorized access and restore functionality to normal for customers.” 

The company integrated with Facebook’s Offline Conversions API in 2016 to give advertisers insight into the success of marketing campaigns in influencing consumer purchases. As a Facebook data partner, LiveRamp has tremendous access to advertisers’ data and campaigns as well into the social media giant’s advertising apparatus.

The hackers leveraged that access to use other accounts to buy and run ads for non-existent products, including one that was viewed more than 60,000 times, scamming buyers into parting with dollars and payment information.

“Hacking into an ad network or partner that spends huge money on ads allows the criminals to target demographics, regions and specific people with ads that would normally be very expensive,” said Jason Kent, hacker in residence at Cequence Security. “The level of sophistication in this sort of scam is getting more and more impressive.”

Kent said Cequence CTO Shreyans Mehta asked him “to look into some web domains like https://rxmxtnx.com/ (don’t buy anything from this site, it’s fake),” which offer expensive brand name products and huge discounts. “Unbelievable savings, and that’s just the thing.  The criminal organization is getting premium ad services for free and using them to advertise fake websites that in turn, just collect credit card data,” he said. “That’s the end goal of this type of fraud, more credit card numbers.”

Kent found 13 sites associated with that domain, mainly copies. “Authentication on one site worked on all,” he said. “They’re taking the credit card numbers and using them in another scam somewhere else.”