If you search “Ray-Ban event” on Facebook, a flood of posts comes up. They all contain roughly the same language, although their posters live everywhere from Bangalore to Tecumseh, Okla.
Aug. 13, 2:12 p.m.: “FYI I did not send out invites to some Ray ban charity event.”
Aug. 13, 2:48 p.m.: “If I invited you to a Ray-Ban event, please ignore it.”
Aug. 13, 3:28 p.m.: “I did not create this event.”
Aug. 13, 4:31 p.m.: “If you were invited to like a Ray Ban Charity event by me, DO NOT ACCEPT!”
You’ve probably seen these posts, even if you haven’t posted one yourself. They’re the remains of this summer’s big viral scam — a pestilence of invites to fake Ray-Ban events.
The scam is simple, explained Lukas Stefanko, a malware analyst for the security firm ESET: People set up fake Ray-Ban Web stores, and then promote those stores through Facebook events advertising discounts on behalf of unnamed “charities.”
Ray-Ban makes a good hook, since the brand is popular, globally known and inexpensive relative to other luxury goods. And Facebook events, shared by hacked or malware-compromised accounts, make an excellent promotion vehicle. People love their sunglasses and trust their friends, so many click into the promoted Web store and order when they wouldn’t have otherwise. They never actually get any Ray-Bans, of course, and their credit card may be compromised.
Stefanko says the racket has been in full force since April, and it shows no signs of slowing down. In fact, it appears the scam hasn’t yet reached its peak — despite Facebook and Ray-Ban’s best attempts to wipe it out.
According to Luxottica, the multinational company that owns the eyewear brand, more than 16,500 Facebook-related Ray-Ban scams have been shut down since the beginning of the year.
“There are sophisticated operators behind this, registering thousands of domains,” said Justin Gaudio, an intellectual property lawyer with the firm Greer Burns & Crain and one of the people tasked with getting fake Ray-Ban stores off the Web. “It’s a coordinated effort. There’s no doubt about it.”
It’s impossible to tell precisely who is behind these schemes, on both the Web store and the Facebook-promotion end. Domain registrants are required to provide a name, physical address and other contact information, but in the case of the Ray-Ban scammers, that’s frequently invented.
Experts such as Stefanko suspect a loose syndicate of Chinese hackers and scammers, who buy up cheap Ray-Ban-related domains in bulk. They can then cycle a pre-made Web store template from site to site if and when each is taken down.
On Facebook, the scam’s mechanism is slightly less straightforward — Stefanko says the scammers use both malware and more conventional password hacks to gain access to user accounts around the world. Once they have that access, they create an event, copy-paste the usual promo text (usually in broken English, though Stefanko has also seen it in Japanese and Spanish), and invite hundreds or even thousands of the user’s friends.
These mass invitations are risky for spammers, of course: Any one of the invitees could alert Facebook or their friend to the suspicious account activity. At the same time, if even one of the invitees buys from the fake Web store, it’s just paid for itself.
That makes the Ray-Ban charity scam a special challenge for Facebook, which is not unaware of its spread.
“[It’s] unique in that, unlike other applications of machine learning, there’s a live adversary on the other end, trying to get around your controls,” said Melanie Ensign, a Facebook spokeswoman. “This makes spam-fighting a fascinating engineering challenge.”
Ensign says the plague of Ray-Ban event-invites is actually far smaller than it could be: Facebook prevents most spam from ever posting, using a combination of automated systems and manual auditing. Facebook’s automated spam system looks at roughly 2 million distinct “classifiers,” or signals, to guess when something might be spam — and the site runs about 1 million checks per second on other types of suspicious behavior, from mass event-invites to rapid-dash friend requests.
Facebook also monitors for malware, Ensign said, and alerts users when it suspects their machine may be infected, even providing a free scanner they can use to clean it up. But that won’t help users whose passwords have been bought or guessed . . . and the scammers are forever dreaming up new techniques.
No one knows this struggle better than the intellectual property and legal teams at Luxottica, the people charged with fighting back against fraud old and new. (During the past two years, in fact, the teams have bulked up to better address some of these issues.) The company works with a third-party monitoring agency to identify fraudulent Web stores, then sues for trademark infringement in the federal court system of whatever country the scammer was selling to.
Gaudio, the intellectual property lawyer, handles these cases for Luxottica in the United States, sometimes suing thousands of websites and website owners at a time. Rarely does Luxottica see any response from the defendant — let alone damages. Instead, the company generally gets a court injunction that transfers the fake store’s URL to its ownership, and lets it post the corporate equivalent of “sorry for that weird invite message.”
“WARNING: Website shut down!” Reads the usual text, as seen on former fake Ray-Ban store fbger.com. “The online store that formerly used this domain has been disabled, pursuant to a U.S. federal court order, for the sale of products bearing counterfeit trademarks.”
Luxottica declined to estimate how much money it had lost from these schemes — that’s a difficult number to settle on. And it’s equally difficult to calculate how much scammers make, Stefanko said, because consumers aren’t usually willing to fess up when they’ve fallen for a scam like this one.
Across Facebook, however, you can easily find thousands who will admit to having been hacked by the Ray-Ban scammers — people like Simon Lane, a father from southern England, who found out he’d been sending weird invites when a friend asked him about it. Lane changed his password, got his 14-year-old son to check his settings, and posted the following, predictable status:
“Just to let you all know, I have absolutely NOT just invited you to a charitable sale of Ray Ban sunglasses.”
Liked that? Try these!