4,000+ Fake Sites Used in Scam Marketplace Ads on Facebook to Impersonate Top Retail Brands

A scam network using over 4,000 fake websites is impersonating Amazon, Birkenstock, and more, pushing fraudulent Facebook Marketplace ads and stealing user data.

    GhostVendors Scam Network Found Using 4,000+ Fake Retail Sites to Run Facebook Ad Fraud

    Threat analysts at Silent Push have uncovered a massive network of fraudulent websites, dubbed GhostVendors, exploiting Facebook Marketplace to push deceptive ads mimicking major retail brands. The operation spans over 4,000 fake domains and uses cloned websites and stolen images to carry out financial fraud.

    These sites impersonate well-known brands like Amazon, Costco, Argos, Nordstrom, Rolex, and Birkenstock, offering fake product deals with eye-catching discounts. The goal is to trick users into placing orders that are either never delivered or used to harvest payment data.

    Facebook Ads Disappear After Campaigns End

    A key part of this scam is how the actors operate within Facebook’s ad framework. Silent Push researchers noted that the malicious ads disappear entirely after the campaign ends, leaving no trace in Meta’s Ad Library.

    “We found that after the threat actor posted its malicious Facebook Marketplace ads for a few days, it stopped its campaigns, thereby deleting all traces of them from the Meta Ad Library,” the report reads.

    This tactic exploits Meta’s policy of retaining ads only while they are active. Once a campaign is stopped, no publicly accessible record remains, making long-term tracking impossible for investigators.

    Fake Ads Promoted Cheap Tools, Sandals, and Clearance Sales

    Scammers lure users using unbelievable discounts, often disguising themselves under slightly altered brand names. For example, one ad spoofed Milwaukee Tools, using the name “Millaeke” while showing the original toolbox image at a fake discounted price of $129. The ad led to a suspicious domain: wuurkf[.]com.

    Other common features of the ads include:

    • Phrases like “Clearance Sale” or “Holiday Celebration Sale”
    • Stolen product images from real brand sites
    • Dozens of cloned websites with minor variations

    These tactics mirror common patterns in social media scam ads, but the scale of GhostVendors distinguishes it from past campaigns.
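
    A defender reviewing captured ad records can score them on the signals described above: a near-miss brand spelling, a lure phrase, and a landing domain unrelated to the imitated brand. The following is an added example, not code from Silent Push or from this article; the record fields (advertiser, text, landing_domain), the one-third edit-distance threshold, and the sample records are assumptions made for illustration.

```python
import re

# Brands and lure phrases are the ones named in the article; extend for real use.
BRANDS = ["Amazon", "Costco", "Argos", "Nordstrom", "Rolex", "Birkenstock", "Milwaukee"]
LURES = ["clearance sale", "holiday celebration sale"]

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(advertiser):
    """Return (brand, distance) for a near-miss brand spelling (1 edit up to a third of the brand's length), else None."""
    best = None
    for token in re.findall(r"[a-z]{4,}", advertiser.lower()):
        for brand in BRANDS:
            d = levenshtein(token, brand.lower())
            if 0 < d and d * 3 <= len(brand) and (best is None or d < best[1]):
                best = (brand, d)
    return best

def triage(ad):
    """Collect the reasons an ad record deserves analyst review."""
    reasons = []
    hit = lookalike_brand(ad["advertiser"])
    if hit:
        reasons.append(f"advertiser resembles {hit[0]} (edit distance {hit[1]})")
        domain = ad["landing_domain"].replace("[.]", ".").lower()  # accept defanged input
        if hit[0].lower() not in domain:
            reasons.append(f"landing domain does not reference {hit[0]}")
    text = ad["text"].lower()
    reasons += [f"lure phrase: {p}" for p in LURES if p in text]
    return reasons

# Constructed records; the first mirrors the ad described in the article.
SAMPLE_ADS = [
    {"advertiser": "Millaeke", "text": "Clearance Sale! Toolbox now $129", "landing_domain": "wuurkf[.]com"},
    {"advertiser": "Milwaukee Tools", "text": "New toolbox lineup", "landing_domain": "brand.example"},
    {"advertiser": "Harbor Crafts", "text": "Holiday Celebration Sale on sandals", "landing_domain": "shop.example"},
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(ad["advertiser"], "->", triage(ad) or "no signals")
```

    Because the ads vanish from the Ad Library once a campaign stops, a check like this is only useful on records captured while the campaign is still running.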

    Financial Fraud and Ad Tracking Challenges

    The end objective of these scam sites is financial fraud. Silent Push states the damage comes from two main outcomes:

    • Victims never receive the product they ordered
    • Payment details are stolen during checkout

    However, the most concerning finding is not the fraud itself but how easily the threat actors can launch and shut down campaigns without leaving a trace. This makes defense and detection extremely difficult.

    “It’s currently impossible to holistically track malicious ads on this network,” said the researchers.

    By exploiting Meta’s ad lifecycle and using thousands of rotating domains, the group behind GhostVendors operates under the radar, evading traditional ad monitoring and enforcement systems.
