Tamara Yesmin Toma

Research Officer, Dismislab
How fake “groom wanted” posts drive Facebook users to gambling sites
This article is more than 3 months old

How fake “groom wanted” posts drive Facebook users to gambling sites

Tamara Yesmin Toma

Research Officer, Dismislab

A Facebook post is seeking a groom for a 29-year-old Italy returnee. She owns a two-story house, four bighas of land, and a coffee shop in Italy. The post claims she will take her groom to Italy after marriage. The comment section contains a link for further contact. However, clicking the link redirects users to foreign currency exchange, cryptocurrency trading, and various online gambling sites.

Since July, at least 35 posts have appeared on different Facebook pages searching for a groom for this Italy returnee. The details in these posts remain largely the same, though some mention a different age, land area, or photo of the bride.

The “groom wanted” posts describe different women. Dismislab searched Facebook using 12 sentences or key phrases from these posts and found a total of 430 similar posts. Of these, 92% redirected users to gambling or foreign currency trading sites. This campaign involves more than 100 Facebook pages, profiles, and groups, organized into multiple networks or groups.

In affiliate gambling promotions, a link is used to lure people to online gambling sites. These links are known as referral links, and each contains a unique identifier (key). This campaign used 19 unique referral keys along with various domain URLs. When someone clicks on these links, it allows the promoter (who created and shared the link) to earn money. Some of these links also lead to phishing or data-theft sites.

In total, these 430 posts have been shared over 11,000 times, with thousands of comments and more than 200,000 reactions. Many users are being misled. In the world of cyber fraud, using dating or marriage as bait to trap users is known as “honey trapping.”

There are several issues with this campaign. First, according to Bangladesh Bank regulations, online gambling and investments in foreign exchange and cryptocurrency are illegal. Second, the campaign violates Meta’s policies on spam and cloaking, which prohibit hiding the true destination of a link. Dismislab found several accounts and pages to show networked behavior, where a network of accounts or pages work together to mislead users for financial gain. The campaign exploits almost believable stories and uses shortened links to bypass Facebook’s monitoring and enforcement.

A brief overview

The research began with a page named MN Media, which posts an average of 20 to 30 posts daily, seeking suitable partners for brides. Dismislab initiated the investigation by taking the first sentence from 12 of these posts and using them as keywords to search on Facebook. This search uncovered 430 “Groom Wanted” posts in 66 Facebook pages, 16 profiles, and 22 groups. Each of the posts shared a link for contact in the comment section. Different pages are found to use the same narratives often modifying the links and assets like photo and bride descriptions.

The Facebook posts have reached a vast number of people. On average, each of the 430 posts had 513 reactions, 142 comments, and 27 shares, with one, alone garnering nearly 40,000 reactions. Many users commented on these posts asking for contact information or further details. Some people shared their phone numbers for communication. A few users did warn others in the comments that the posts were fraudulent, but the number of people showing genuine interest was far greater than those raising warnings.

The 430 posts contained 101 distinct shortened links, often reused across various posts. Of these, 82 were referral links that redirect users to gambling or foreign currency trading sites, allowing promoters to earn from clicks. Each referral link had a unique identifier (key) to track these clicks. Despite circulating 82 referral links, only 19 unique referral keys were found, indicating reuse across multiple links. This suggests the profits from the 430 posts, spread across over 100 pages, profiles, and groups, were likely concentrated among a small group—possibly as few as 19 individuals, though the exact number may vary.

Six of these links were harmful. ESET Internet Security Software found that clicking on them could lead to malware infection or data theft. Thirteen links had no referral keys and were not harmful, but five still led directly to online gambling sites. None of the 101 links provided the contact information for the bride or matchmaker mentioned in the posts.

Honey Trap: Too good brides, too easy terms

The MN Media page, which has 93,000 followers, initially appears to be a matchmaking service. The effort to make the posts seem credible is clear. For instance, in an ad seeking a groom for a London-based bride, it warns that those with bad intentions or immoral minds should stay away. Some posts also mention that the bride’s family is completely against dowry.

The language in these “groom wanted” Facebook posts is often flashy, paired with enticing offers such as allowing the groom to live as a house husband in Dhaka, or taking him abroad at the bride’s expense after marriage. Other offers include promises of business investments, property in the bride’s name, and full financial support for the groom. Posts frequently use different women’s photos for the same bride, and the same photo is often reused for different brides. Each post primarily serves as clickbait for the provided links.

For example, a post seeking a groom for ‘Saleha Akter Shilpi,’ a bride supposedly living in the U.S., used six different women’s photos. All the posts claimed she lived in Florida and would take the groom to America for permanent residence after marriage. In another case, more than 50 posts were looking for a groom willing to be a house husband for a widow. While the descriptions were identical, at least eight different women’s photos were used. Posts seeking grooms for the Italy returnee bride used 12 different women’s photos at various times.

In most cases, these posts do not mention the bride’s name but repeat the same personal details. For instance, multiple posts seeking a groom for a widow have used six different women’s photos, but all state that the bride resides in Dhaka’s Moghbazar area.

Sometimes, the fake posts also feature the images of celebrities or influencers from Bangladesh and neighboring countries. For example, images of Bangladeshi news presenter Deepti Chowdhury, Indian internet personality Aishwarya Ruparel, and Pakistani model and influencer Malaika Batool have all been used in these campaigns.

In phishing, data theft, or cyberattacks, a common tactic used by cybercriminals is honey trapping, where users are lured into scams under the pretense of marriage or dating.

Where do the links lead?

In a post seeking a groom for a divorced woman, the comment section includes a link: https://tinyurl.com/Biyashadibd. Seeing the name “Biyashadi BD” at the end might make you think it’s a link to a matchmaking service. However, clicking the link won’t take you to the bride. Instead, it redirects to a cryptocurrency trading or gambling website.

These links often change destinations with each click. For example, when a Dismislab researcher clicked the link the first time, it led to a forex trading site called “Quotex”, but on the second click, it redirected to a betting site called “Jit-baaj”. In this way, the link takes users to different sites, mostly betting platforms. Some of the gambling sites identified in the research include “Krikia”, “Jit-baaj”, “Babu88”, “Baji”, “Six6BD” and “Six6SBDT Online”, while others led to currency trading sites like “Quotex” and “Pocket Option”.

To hide the real destinations, the scammers used URL shorteners like TinyURL, Cut.ly, and Uclick.link. These shorteners allow them to add words in the URL that sound trustworthy. Many of the shortened URLs were labeled with terms like “Marriage Media”, “Marriage View”, “Bibaho”, “Marriage Online”, or “BiyashadiBD” (Bibaho and Biye-Shadi refer to marriage) to make them appear legitimate.

Using tools to trace the full URLs, the research found that 392 out of the 430 posts contained referral links. These links had domain names with attached referral keys. The 13 domains used in this campaign included “Amusinghump.com”, “Highratecpm.com”, “Cpmrevenuegate.com”, and “Highrevenuenetwork.com”. Such domains often work within networks and are designed to redirect users or display pop-up ads that lead to other sites, typically gambling or trading platforms.

The 13 domains found in this research were mostly registered in 2024 and set to expire within a year, a tactic used to avoid detection by regulatory authorities. These domains are typically inactive or contain minimal visible content unless accessed through a specific referral key, which redirects users to the targeted site.

You click, they profit

The investigation found 19 different referral key numbers (unique identifiers in the links) across several domains that the pages and profiles used repeatedly. Ashraful Haque, a digital security expert with Engage Media, explained that these referral keys are tied to individuals involved in affiliate gambling.

The image shows which pages and profiles used specific referral keys in their posts. Four networks were identified, each using several pages and profiles to promote the same referral keys in multiple “groom wanted” posts to generate income through clicks.

In affiliate marketing, promoters earn money by directing traffic to a company’s website. In gambling, affiliates play a major role and often receive high commissions for their efforts.

A report titled “The Role of Affiliate Services in Promoting Illegal Online Gambling in Australia” points out three key differences between gambling affiliate marketing and other industries. First, gambling affiliates can earn commissions as high as 30% to 50%. Second, their revenue comes from the money lost by the gamblers they recruit. Third, gambling affiliate programs offer longer tracking periods, allowing affiliates to earn for a longer time.

According to the website Playtoday, affiliates can earn between $50 and $400 for each player they bring to an online casino. In some cases, affiliates receive up to 90% of the money players lose.

Networked behavior

Meta’s community standards define Coordinated Inauthentic Behavior (CIB) as a network of accounts, pages, or groups managed by the same entity, working together to deceive people. CIB is often linked to politically or financially motivated campaigns that aim to manipulate public discourse or exploit users. In this case, while the primary goal is financial—directing people into online gambling or foreign exchange sites—this network of fraudulent posts uses misinformation as a key tactic to lure people under the guise of matchmaking.

In May, Meta removed 50 Facebook accounts and 98 pages from Bangladesh for their involvement in coordinated inauthentic behavior. Similar tactics are used in this honey-trapping scam. For example:

  • The same content is posted on multiple pages and profiles at nearly the same time.
  • The same referral keys and domains are used across different posts.
  • The pages, profiles, and groups are often interconnected.

The research identified at least four networks that share the same posts and links daily. Pages like MN Media, Creative Minds, Monmoon, Ajaira People, Rina Akter, Golden View, Sneha Paul, and Golden View share “groom wanted” posts almost simultaneously every day. For example, on September 15, at 1:15 PM, a post seeking a groom for a 25-year-old schoolteacher was shared by eight different pages within a short time frame. These pages consistently follow this posting pattern.

Another network uses fake profiles for similar posts. On September 14, multiple profiles and pages promoted a post seeking a groom for a 30-year-old working woman named Ishrat Jahan Mim. The posts appeared at nearly the same time, with each sharing the same link in the comments.

Two other networks also use similar strategies, repeatedly sharing posts and links. Several pages regularly share these posts within their own groups. For instance, a Facebook group called Viral Video Link frequently shares these posts and links. Four of the pages running fake “groom wanted” campaigns are administrators of this group.

Multiple pages and profiles were also connected through identical referral keys. For example, the referral key acf125da571a1252aa1538a5b8f86ea8 was used by MN Media and 18 other pages to promote betting and cryptocurrency sites. Similarly, the referral key aeeba479c670289401436ea393daaf89 was found on 13 profiles and pages, all involved in running fake “groom wanted” campaigns.

Violation of laws and policies

Cryptocurrency exchange, transfer, and trading are not approved by Bangladesh Bank, making such transactions illegal and punishable under the Foreign Exchange Regulation Act. In August last year, the central bank reiterated its zero-tolerance policy against hundi, online gambling, gaming, betting, forex, and crypto trading. The High Court had also directed the BTRC to ban advertisements for online betting and gambling.

This campaign also violates Facebook’s community standards on spam. The use of shortened URLs to conceal the final destination (betting sites) breaches Facebook’s cloaking policy. Additionally, the links mislead users by promising specific information, such as details about the bride, but redirect them to unrelated sites, violating Facebook’s misleading links policy. Redirecting users to multiple different URLs also falls under deceptive redirect behavior, which Facebook categorizes as spam.

In a report on Facebook scams, cybersecurity expert Thomas Orsolya highlighted how scammers use URL shorteners to hide malware links and bypass security filters. Common tactics include phrases like “Watch this funny viral video” or “Update your app” with shortened URLs. Clicking such links can expose users to viruses, spyware, ransomware, and other harmful programs that steal information or damage devices.

Coordinated networks of fake accounts, as seen in this case, are able to manipulate Facebook’s security filters by slightly altering content or referral links, making it harder for the platform to identify and block these campaigns. While Facebook periodically removes accounts involved in such scams, according to Ashraful Haque, “these actions often come too late, long after damage has already been done.” 

“This delay in detection and enforcement allows fraudsters to continue their activities, exploiting users and generating revenue through malicious tactics,” he added. 


Research Methodology

The research began by analyzing several posts from a page called MN Media. On August 27, 12 distinct posts from the page were selected, and the first sentence of each post was used as a key phrase to initiate the search. Using Facebook’s search option for posts, a total of 430 “groom wanted” posts were found, all of which included at least one link in the comment section, urging users to click for further contact.

The earliest post discovered was from June 12, while the most recent post was from September 7, the day the data collection was completed.

The shortened URLs found in the comment sections of each post were expanded using URL broadening tools to trace the original links. For analysis, the domains and referral keys of the links were separated. The registration history of the domains was individually verified.