“GhostVendors”: Thousands of Fake Domains Exploit Facebook Ads in Massive Retail Scam
Ddos 
Cyber threat analysts at Silent Push have uncovered a sprawling digital fraud operation dubbed βGhostVendorsβ, a fake online marketplace campaign leveraging thousands of fraudulent domains and exploiting Facebookβs advertising infrastructure to deceive consumers and impersonate dozens of well-known brands.
In their May 2025 report, the Silent Push team revealed the scale and sophistication of this cyber scam, identifying over 4,000 domains involved in impersonating retailers, selling counterfeit or nonexistent products, and disappearing without a trace after their fraudulent ad campaigns run their course.
The operation abuses Metaβs ad infrastructureβspecifically Facebook Marketplace adsβto promote scam offers such as heavily discounted toolboxes or footwear. The ads run temporarily, then are rapidly taken down, leveraging a loophole in Metaβs Ad Library policy which only retains data for active ad campaigns.
βWe determined that the threat actors are exploiting an existing Meta policyβ¦ and then completely remove previously posted ads,β the report explains. βAs soon as a campaign ends, the ads are removed from the Ad Libraryβ¦ making it much more difficult to track threats.β
This policy creates a significant challenge for defenders, as evidence of the scam disappears from public view almost immediately after the ads are paused or terminated.
The scamβs digital infrastructure is both vast and evasive. Silent Push analysts documented:
- Use of Domain Generation Algorithms (DGAs) to quickly create and abandon malicious sites.
- Brand impersonation on a massive scale, targeting major names like Amazon, Costco, L.L. Bean, Rolex, Wayfair, and GE Appliances.
- Deployment of multiple fake identities such as βMillaekeβ, βRabx-Bβ, and βTools Clearanceβ on Facebook Marketplace to circulate misleading product listings.
One example detailed in the report was an ad selling a βMilwaukee 56 Premium 18-Drawer Tool Boxβ through the domain wuurkf[.]com. The product name remained consistent across multiple domains like toolzde[.]com, gardonset[.]com, and yvnbpm[.]com, which often mimicked legitimate marketplaces.
βThis campaign appears to focus on impersonating brands that buy large amounts of online adsβmanyβ¦ are huge and well-known,β the report states.
The GhostVendors operation is not just a widespread financial fraud threatβit undermines trust in legitimate e-commerce, advertising platforms, and consumer protections. Many of the spoofed websites feature ultra-low prices designed to bait clicks, but ultimately deliver no products or harvest credit card details for later abuse.
βWe believe itβs likely that many of these donβt deliver the promised products and may instead engage in financial fraud by abusing credit cards,β the report warns.
Related Posts:
- Beware of Malicious Extensions: Researcher Exposes VSCode Marketplace Threats
- Material Theme Banned: Millions of VS Code Users Affected
- Developers Beware: Supply Chain Attacks Target Visual Studio Code Extensions
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
