A recent investigation by digital security research firm Dismislab has uncovered a sophisticated scam on Facebook that uses fraudulent "groom wanted" posts to redirect users to online gambling, cryptocurrency trading, and foreign exchange sites. According to the research, these deceptive posts are part of an elaborate scheme that exploits the promise of marriage to drive traffic to illegal and high-risk websites.
The bait: Marriage proposals with enticing promises
The scam typically presents itself as a matchmaking post seeking a groom for a woman portrayed as a successful expatriate with assets abroad. For example, one common narrative features a 29-year-old woman returning from Italy who owns a two-story house, four bighas of land, and a coffee shop. These posts claim the bride will take her future husband back to Italy, offering what appears to be an attractive proposition. A link provided in the comment section supposedly offers further contact information, but instead redirects to gambling and trading sites.
Since July, at least 35 of these posts have circulated across multiple Facebook pages, each with slight variations in age, property size, or the bride's appearance. Despite these minor changes, the core elements remain the same, allowing the posts to seem credible while maintaining a high level of user engagement. Dismislab identified a total of 430 posts using this tactic, which were discovered across 66 Facebook pages, 16 profiles, and 22 groups. These posts collectively garnered more than 11,000 shares, 200,000 reactions, and thousands of comments.
High engagement but dubious motives
The fraudulent posts, often labeled as "groom wanted," have sparked a massive response on Facebook. Each post received an average of 513 reactions, 142 comments, and 27 shares, with one post alone attracting nearly 40,000 reactions. In the comments, some users express genuine interest by sharing their contact information, while others voice suspicion, warning potential victims about the scam. However, the majority of comments reflect a high level of user engagement and curiosity, underscoring the scam's effectiveness.
The investigation revealed that a network of over 100 pages, profiles, and groups has been systematically promoting these posts. For example, the Facebook page MN Media, which has 93,000 followers, is a major source of these posts. This page frequently claims to be a legitimate matchmaking service but posts as many as 20 to 30 "groom wanted" ads daily, each with links leading to gambling and forex trading sites.
How the scam works: Affiliate links and honey trapping
At the core of the scheme is affiliate marketing, a method through which scammers earn commissions by directing traffic to gambling websites. Each link embedded within these posts contains a unique identifier, or referral key, that tracks user clicks and generates revenue for the promoter. Dismislab found 82 distinct referral links among the 430 posts, with just 19 unique referral keys, indicating that the scam may be driven by a small group of individuals.
The posts also engage in honey trapping, a technique that exploits romantic or marriage-based narratives to deceive users. While these scams have used various fake profiles, they often recycle descriptions and even use images of different women for the same fictitious bride. For example, one post seeking a groom for a supposed Florida resident named 'Saleha Akter Shilpi' used six different women's photos, all under the premise of taking the groom to America after marriage. In another instance, over 50 posts claimed to seek a groom willing to be a house husband for a widow, yet at least eight different photos were used to represent the same person.
Dismislab's research highlights similar tactics, including simultaneous posting of identical content, shared referral keys, and interlinked pages that promote the same links across different networks.
For example, Dismislab found that the referral key acf125da571a1252aa1538a5b8f86ea8 was used across 19 pages, including MN Media, while another key, aeeba479c670289401436ea393daaf89, was found on 13 profiles and pages promoting online gambling. These interconnections reveal a well-coordinated network designed to maximize reach and evade detection.
Redirecting to dubious destinations
Upon clicking the links within these posts, users are redirected to an array of online gambling and trading platforms. In some cases, the links change destinations with each click. A link that initially led to a cryptocurrency trading platform might direct the user to a betting site on a subsequent visit. Among the gambling platforms identified were "Krikia," "Jit-baaj," "Babu88," "Baji," "Six6BD," and "Six6SBDT Online," while the trading sites included "Quotex" and "Pocket Option." The URLs often used URL shorteners like TinyURL and Cut.ly to mask their true destination, giving the links a misleading appearance of legitimacy, with names such as "BiyashadiBD" (a term related to marriage in Bangla) or "Marriage Media."
Notably, these shortened URLs were also designed to bypass Facebook's monitoring systems. Of the 430 posts, 392 contained referral links using 13 different domain names, such as "Amusinghump.com" and "Highratecpm.com," which are often temporary and set to expire within a year, complicating detection by regulatory authorities. Six of these links were found to be particularly dangerous, with cybersecurity software identifying them as vectors for malware and potential data theft.
Violations of Bangladeshi law and Facebook policies
The scam violates multiple regulations and policies. In Bangladesh, online gambling, forex trading, and cryptocurrency transactions are prohibited under Bangladesh Bank's regulations. Last year, the High Court directed authorities to ban advertisements for such services. Additionally, the scam breaches Facebook's rules against cloaking, spam, and deceptive practices, as the links redirect users to unexpected destinations under the guise of matchmaking.
Meta, Facebook's parent company, has previously cracked down on similar campaigns. In May, Meta removed 50 accounts and 98 pages in Bangladesh for Coordinated Inauthentic Behavior (CIB), where networks of pages and profiles mislead users for financial gain.
Comments