Sponsored Ad Fraud: Mystery Box Scams Flood Social Media

Social media platforms are overflowing with scams.

In the past couple of months, Bitdefender Labs has been monitoring a steep increase in fraudulent social media ads on Facebook promoting various swindles ranging from crypto-doubling to AI-generated celebrity-endorsed giveaways.

Our latest analysis has spotted a consistent trend, with fraudsters continuing to exploit Meta’s ad system to deceive consumers.

The hustle? A long-established ruse that involves peddling so-called mystery boxes from Amazon, Apple, Sephora, and other local retail giants Emag, Altex, and Kaufland.

These mystery box scams continue polluting social media, reaching targets via paid ads.

Here’s the inside story into our investigation:

• The phony ads promise consumers the chance to get their hand on mystery boxes that contain return packages from big retailers for as little as $2, or €2.
• Mystery box scam ads have been running on fraudulent Facebook pages since November 2023.
• The boxes allegedly contain items valued in the thousands of dollars, including Apple, Samsung, Dyson, and JBL merchandise, and even have a guaranteed 30-day return policy.
• Mystery box scams targeting the Romanian public had an ad reach of over 1.5 million people. One particular ad promoting Emag mystery boxes had a total reach of 100,000 people aged 18 to 44.

• Most of the ads and fraudulent profiles that manage them use fake comments to boost credibility and hook more victims. These comments are from “lucky customers” and include photos of opened mystery boxes. They participated in an online raffle, filled out the survey/form on the website and won. The package arrived in only five days.

• Other top targets for the scam include Australia, France, Switzerland, Canada, Sweden and Germany, with a fraudulent ad reach of over 500,000 individuals.

• While some malicious pages are directly accessible, others employ the usage of User Agent checking, making them available only on certain devices such as Androids or iPhones. This behavior deters easy detection of the domains via sandbox analysis which is usually done from a Virtual Machine on a PC. This way, the scams can operate for longer periods of time and ensure availability on devices where it's easier to lure victims with minimal interfaces that require less effort to build and manage. If the user accesses the link from a PC, the returned page will show nothing but an error or a short text message.

• The websites prompt users to fill out a form or survey to claim the mystery box and provide financial information to pay for shipping. Upon completion, the customer is, in fact, tricked into a recurring subscription that can rack up hundreds of dollars per year.

How the scam works

Online mystery box scams usually involve the sale or giveaway of high-end tech products or luxury goods inside so-called unclaimed or returned boxes from different online retailers.

However, no matter the type of “surprise content” (whether themed around electronics, beauty products, toys, or other merchandise), the buyer never knows what he gets.

A customer could receive a box of useless items or nothing at all, or simply get slapped with a recurring subscription charge, as we’ve seen in our recent scam analysis.

Here’s a breakdown of the entire process:

1.      Setting the bait – a too-good-to-be-true sales event

Scammers set up a fake ad promoting clearance on return packages and targeting various users on Meta’s social platforms. They lure customers with a “unique opportunity” to participate in a yearly or quarterly sales event involving mystery boxes from Amazon, Apple, Emag and Kaufland by submitting a request.

Some of the advertisements state that unclaimed packages come from local depots that sell them for just 9.90 RON or 15 RON ($2-$3) every 3 months. Every box contains merchandise valued at 2,500 RON or 5,000 RON (between $500 and $1000).

Description of one of the ads (machine-translated):

By law, we keep unfinished parcels for three months and then organize amazing sales. In each box you will find amazing technology from Apple, Samsung, Dyson, JBL and other brands, all for only 15 lei. Participate by pressing "Submit a request"!

It’s important to note that there is no legislation surrounding the sale of mystery boxes in Romania, compared to bespoke legislation from the US and other countries that make this activity subject to local Gambling Act legislation and consumer protection laws.

1.      Hooking the victim

The deceptive ads are meant to lure targets to fake websites where they have to fill out a form. Most significantly, the scam platforms are only visible for mobile phone users. At first glance, the platforms seem legitimate and only ask the customer to fill in their name and contact information.

After the customers fill out the questionnaire, handing their personally identifiable information to the scammers, they are directed to a page prompting them to pay a small shipping fee to receive a mystery box.

1.      Consumers get recurring card payments and no mystery box

The sellers of these mystery boxes never intend to send customers a thing. Instead, they focus on capturing credit card data and tricking users into signing up for recurrent subscriptions. As expected, no prizes, packages or other goods are sent to the customer.

The devil in the details

The ads and websites are highly misleading. While the ads clearly state that plenty of mystery boxes are for sale, the websites tell a different story, alluding to the fact that users have a chance to win a random mystery box with a single product.

In the screenshot below, you can see Apple products that the users can “win” for $2.

However, the white on black text at the top of the above screenshot is what we need to focus on.

This apparent “fine print,” clearly obscured in the background says that users can enter a “Skill Game” for a chance to win an Apple Mystery Box. The cost for a 3-day trial on the platform while only 2 euros, switches to a monthly membership fee of 67 euros.

How to protect your identity and wallet against mystery box scams

Purchasing mystery items or boxes can be a lot of fun, and many internet users have gathered considerable subscribers and views after posting videos of their loot on various social media. Despite the hype surrounding the purchase and unboxing of mystery, many listings that users come across online are scams that put your identity and money at risk.

Here are some of the tip-offs and best practices to protect against them:

1.      Know the red flags

The internet is abuzz with mystery box scams themed around different categories including fashion, beauty products, electronics, toys or high-end products with various price ranges.

The most common red flags of a mystery box scam are:

• The ads or posts make outlandish claims, promoting amazing offers and unusually low prices. Amazon and other online retailers never give away high-value merchandise for $2.
• The mystery boxes are promoted on social media platforms and paid ads
• The profiles promoting the ads are new and lack any other activity or posts
• Users are asked to take a short survey or fill out a form with your contact information
• You only need to pay a small shipping fee
• The scam websites are of low quality, and the domain is very new

2.      Prioritize your digital wellbeing

• Scrutinize all social media ads and posts that say you can win free mystery boxes.
• Check for reviews on independent websites and platforms.
• Closely inspect the URL and websites for any errors, typos and uncommon phrasing.
• Always look for the Privacy Policy and Terms of Service. Scam platforms rarely offer detailed information.
• Monitor your financial accounts. If you fall victim, immediately call your bank to stop any recurrent payments, dispute fraudulent charges, and cancel credit cards.
• Don’t share personal or other sensitive information.
• Install a security solution on your devices that detects phishing and fraudulent websites, including ones that promote mystery box scam giveaways. Bitdefender security solutions have multiple layers of security that can protect your devices and data, and alert you whenever you access websites trying to scam you.
• Have a chat with Scamio, our AI-powered scam detector online or via Facebook Messenger. You only need to describe the details of a potential scam, copy-paste links or upload screenshots and QR codes to receive recommendations and thwart potential security threats.