I’m sure you’ve probably heard some horror stories about Facebook ad accounts getting hacked and thought, “That would suck, I’m glad we’ve not had to deal with that.” Maybe you’ve also wondered how it happens to others. Is it someone responding to one of those spam DMs or emails from supposed Facebook reps telling you your account is going against policy and will be suspended unless you take action?
Yeah, like these ones.
[Insert spam messages]
And if that is how they get hacked, or if it is by some other means, how do they remove the hacker, and what exactly does the spammer do?
Well, we can’t speak for everyone’s situation, but this is what happened when our Facebook business manager was hacked and hackers spent over $10,000 in fraudulent ad spend in less than an hour.
How it started was our ads team began noticing some unconventional naming conventions in a few different ad accounts. The typical “TOF | Single Image” ads were accompanied by a mysterious “New Sale Ad”. Although we were building some new promotional ads across accounts, the naming convention didn’t match our typical naming convention. So after some quick digging we realized these were not promotional ads for our clients, but instead promotional ads for a random e-commerce product that was being run from a page other than our clients’. It looked pretty bad on our end because it was a random product running to our client’s audience, using a random page in our business manager, spending our client’s budget. And the worst part was that the ad was running with a 15k/day budget.
Once we realized this, it was all hands on deck. [insert gif of sailors jumping up and getting to the deck]
Fortunately, it was easy to spot which accounts had been affected, because within the 10-30 minutes these ads had been running they had spent $500 – $2,000 in ad spend, which was 10x the normal daily spend of most of our clients. So their daily spend was easy to identify as abnormal, and we quickly hopped in and paused the ads. We didn’t delete them so we could show Facebook the illegitimate activity and corresponding illegitimate spend to hopefully get them refunded (keep reading to see how that turned out).
Within 30 minutes we were able to extinguish the flames, put a pause to all illegitimate ads that were running, and identify the source of the hack (one of our ad specialists’ personal accounts had been hacked). However, things started to get a little more interesting as we started to tally the damage. Fraudulent ads had been turned back on, but the hackers had smartened up a bit and were now being more evasive with their tactics. They must have realized we had caught on to their naming convention. So they were now duplicating existing campaigns we were running and placing their ads in those duplicated campaigns to help disguise their actions.
Again, their actions were easy to spot with their comparatively huge daily budgets, but we still scoured the accounts to ensure there was nothing that was going undetected. As we were doing this, all of a sudden things went black and our internal Slack channel started to light up with everyone saying the same thing: “Our business manager no longer has access.”
Our business manager had been suspended, and we had lost access to all of our accounts. Most of the ad accounts were still running, although some of them with limited budgets, but we weren’t sure the hackers were gone for good. The worst part was that not only did we not directly have the ability to stop the attackers if they struck again, we had limited visibility to even see if the attackers were striking. We knew the enemy was out there, but our radars were down. We quickly strung together some third-party reporting tools that gave us enough insight into the accounts to know if we had to take immediate action on an account and screenshare with the client to pause anything.
Luckily, our actions prior to our business manager getting suspended (turning off duplicated campaigns and removing the hacked employee from the business manager) ensured that no additional fraudulent spend occurred while our business manager was suspended. Fortunately for us, Facebook made the process of contacting them and addressing this issue extremely easy. Which for most
After a grueling 24 hours
After ensuring all fraudulent campaigns were turned off and every person in the business manager had reset their personal Facebook passwords multiple times, we began to do another sweep of the accounts.
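
A sweep like this can be scripted against an export of ads. The sketch below is an added example, not tooling from this incident: it checks the three signals described above (name outside the house convention, ad running from a page that is not the client's, daily budget at 10x the client's normal daily spend). The field names, the three-letter-prefix naming pattern and all sample records are constructed assumptions, not Facebook's API schema.

```python
import re

# Assumed house convention: three-letter funnel tag, pipe, description ("TOF | Single Image").
NAME_RE = re.compile(r"^[A-Z]{3} \| .+")

# Constructed per-client baselines; in practice these come from your own reporting.
ACCOUNTS = {
    "client-a": {"baseline_daily_spend": 150.0, "approved_pages": {"page-client-a"}},
}

# Constructed sample export covering both waves described in the post.
ADS = [
    {"id": "ad-1", "account": "client-a", "name": "TOF | Single Image",
     "page": "page-client-a", "daily_budget": 150.0, "status": "ACTIVE"},
    {"id": "ad-2", "account": "client-a", "name": "New Sale Ad",
     "page": "page-unknown", "daily_budget": 15000.0, "status": "PAUSED"},
    # Second wave: duplicated campaign, so the name looks legitimate.
    {"id": "ad-3", "account": "client-a", "name": "TOF | Single Image",
     "page": "page-unknown", "daily_budget": 15000.0, "status": "ACTIVE"},
    # Legitimate new promo with an off-convention name: name alone is a weak signal.
    {"id": "ad-4", "account": "client-a", "name": "Spring Promo",
     "page": "page-client-a", "daily_budget": 200.0, "status": "ACTIVE"},
]

def sweep(ads, accounts, budget_multiple=10.0):
    """Return {ad_id: {"reasons": [...], "action": str}} for every flagged ad."""
    findings = {}
    for ad in ads:
        acct = accounts[ad["account"]]
        reasons = []
        if not NAME_RE.match(ad["name"]):
            reasons.append("name")
        if ad["page"] not in acct["approved_pages"]:
            reasons.append("page")
        if ad["daily_budget"] >= budget_multiple * acct["baseline_daily_spend"]:
            reasons.append("budget")
        if not reasons:
            continue
        # Pause rather than delete, so the spend stays visible for a refund claim.
        if ad["status"] == "ACTIVE" and reasons != ["name"]:
            action = "pause"
        elif ad["status"] == "ACTIVE":
            action = "review"
        else:
            action = "keep paused as evidence"
        findings[ad["id"]] = {"reasons": reasons, "action": action}
    return findings

if __name__ == "__main__":
    for ad_id, result in sweep(ADS, ACCOUNTS).items():
        print(ad_id, result["reasons"], "->", result["action"])
```

The duplicated-campaign ad passes the name check and is caught only by the page and budget checks, which is why the sweep does not rely on naming alone.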