Hackers infiltrated a big Facebook data partner to launch scams

When hackers take over your account on Facebook, it could mean you see suspicious posts about deals on Ray-Ban sunglasses, which are definitely bogus content. But when hackers take over a single account belonging to one of Facebook's biggest data partners, it means a widespread campaign that could lead to thousands of dollars lost and a huge number of credit card numbers stolen.

That's essentially what happened in October, when hackers commandeered the personal account of a LiveRamp employee and used it to gain access to the company's Business Manager account -- allowing them to run ads using other people's money. 

It wasn't the only time something like this has taken place. Hackers have been targeting the heart of Facebook's empire, its advertisers, knowing that the same tools that marketers use on the social network could be effectively harnessed to scam countless people.

In December, for instance, Facebook filed a lawsuit against a Chinese ad company, accusing it of running a hacking campaign that targeted ad accounts on the social network. 

Facebook's lawyers alleged in that case that the hackers took over people's ad accounts through malware on browser extensions, and then spent at least $4 million with those accounts' credit cards for fraudulent products like counterfeit goods and male enhancement supplements between 2016 and 2019.

"Hacking an advertising account may be the perfect cover-up for a threat actor to jump-start a malicious campaign," said Marcin Kleczynski, CEO of cybersecurity company Malwarebytes. "Typically, brand-new accounts go through a period of supervision or greater scrutiny in order to avoid abuse. However, a well-established account already has been approved and trusted."

Advertising is essentially Facebook's lifeblood -- it's the reason the social network is free for more than 2.2 billion people. The company is projected to take in $84 billion in revenue in 2020 from advertising because Facebook has gotten incredibly effective at serving up targeted ads to specific audiences. 

Ads are the most effective way to get your content seen on Facebook, and hackers have taken notice. By compromising a LiveRamp employee's account, the attackers went after one of the social network's most prominent data partners. 

In LiveRamp's case, the hackers didn't need to target multiple accounts, they just needed one to gain access to the marketing giant's customers on Facebook. 

LiveRamp said the damage was contained.

"The instance to which you are referring affected a limited number of LiveRamp customers and associated Ad Accounts," a LiveRamp spokeswoman said in a statement. "Facebook promptly communicated the issue to the affected accounts. Moreover, LiveRamp worked with Facebook to revoke unauthorized access and restore functionality to normal for customers." 

LiveRamp declined to specify how many of its customers had been affected, or what security measures it requires from its own employees who have this level of access to Facebook ads accounts. 

Facebook declined to comment. The company confirmed in November that a personal account of an admin for a Business Manager account had been hacked but didn't specify that it was LiveRamp.   

What is LiveRamp?

LiveRamp is a major data partner for Facebook, and a marketing powerhouse that pioneered data onboarding, which is matching data from your real-world actions to your online identity for advertisers. 

It's how a company would know, for example, if you'd bought something in its store after also visiting its website. LiveRamp works with more than 300 businesses and data providers, including Google, MasterCard, Uber, Snapchat, Spotify and Equifax. 

Facebook is one of LiveRamp's many data partners and helps advertisers target ads on the social network based on data gathered from offline activities. In 2016, LiveRamp said that it was integrating with Facebook's Offline Conversions API, which lets advertisers see the connection between their marketing campaigns and what you buy in person.

LiveRamp is also listed as a data partner on the Facebook for Business page, where advertisers can give LiveRamp special access to help on-board offline data and provide insight on ad campaigns. 

While LiveRamp doesn't run the ads itself, that level of access as a Facebook-approved partner gives it the ability to do so for its clients. 

Hackers took advantage of that privilege in October, after hijacking the personal Facebook account of a LiveRamp employee who was an admin for the company's Business Manager account. 

Using that access, the hackers ran a series of ads on LiveRamp's customer accounts on Facebook. They'd spend thousands of those victims' dollars to trick viewers into buying fake products. 

One of the ads had been viewed more than 60,000 times and directed visitors to a page designed to steal people's credit card numbers.   

LiveRamp wouldn't disclose how many of its customers were affected because of its hacked employee, or how much of the victims' money had been spent through the cyberattack. It declined to comment on whether that employee still works for the company but added that it has security requirements for its staffers. 

"LiveRamp has a number of security requirements in place, and the company will continue to take all appropriate measures to ensure the highest integrity of LiveRamp systems and data, both in its core platforms and partner application integrations," a company spokeswoman said. "Such practices and protocols include, but are not limited to, password controls and multifactor authentication; and conducting security access reviews frequently and ongoing."

Security concerns

Facebook offers a plethora of security tools to help protect your account from hackers, such as two-factor authentication and login alerts, so you know when someone has accessed your account without permission. 

It also has a Security Center page specifically for business manager accounts. On the page, Facebook recommends that business managers do security cleanups each quarter to ensure that employees have the proper amount of access.

Facebook only recommends these security measures, and doesn't require them, even for its major data partners like LiveRamp, which hold a high level of privilege on the social network. 

Malwarebytes' Kleczynski raised concern that, given the stakes, Facebook wasn't requiring business managers to set up accounts that are completely separate from their personal accounts.

"The fact that you share the same identity to manage potentially multiple millions of dollars as the one you use to post cat videos is pretty insane," he said. 

He also questioned why Facebook didn't hold its data partners to higher standards, given the temptation for people to indulge in poor security habits such as reusing passwords or not using simple protections such as two-factor authentication.

Until the tech giant does, Kleczynski said, cybercriminals would have every incentive to go after personal Facebook accounts belonging to employees of the social network's data partners.

"If I were a criminal, I would continue to go after Facebook profiles, because these personal profiles could potentially have access to advertising campaigns," he said. "Not only do you have access to a personal account, which is far less lucrative, you have access to the business account, which could be a small start-up or a multimillion-dollar conglomerate."