
Fraudulent Advertising on Facebook - bennettfeely
https://medium.com/@hunchly/bait-and-switch-the-failure-of-facebook-advertising-an-osint-investigation-37d693b2a858#.6g98nbipi
======
stevoski
When Google got into advertising, they were relaxed about what ads they
accepted. They happily ran just about any advert. But then two things
happened.

1) the scammers came.

2) governments started holding Google accountable for running ads for online
gambling and prescription medication. Google (and Microsoft and Yahoo) had to
pay large fines for running ads for products and companies that governments
saw as illegal.

As the years passed, Google has become ever more restrictive in what ads it
will run. To the point where trigger-happy Google Adwords staff whose job is
to approve ads reject many ads that are actually fine.

I think Facebook will go down the same path.

My main product is software used by poker players to track and analyse their
winnings and losses. I haven't been able to advertise on Google for years,
because the ad reviewers see the word 'poker' and demand proof that I am
certified to run a gambling company in the locales I'm advertising in.
I've given up trying to argue my case to Google that just because my product
has the word 'poker' in the title doesn't mean I'm running a casino!

Facebook, however, still approves my adverts within a few hours. I'm expecting
this to stop as Facebook tightens up after a few large government fines.

~~~
AJ007
Facebook's ad platform is very mature, it was launched in 2007.

I think Facebook is able to let more questionable stuff run in part because
the micro-targeting makes it easy to disperse bad stuff to narrowly targeted
audiences. On Google, investigators could search well known pharmaceutical
terms and it was plain as day the advertisers were breaking US law. It is kind
of like putting crack for sale in your storefront window versus in the back
behind a maze of doors.

From what I have heard first hand, Facebook's platform was much more difficult
initially and now is more lax. This could be in part the sheer scale of their
ad network and the difficulty in policing it, or everyone figured out which
loopholes Facebook couldn't plug without screwing up their quarterly numbers.

~~~
jack9
Generally, the older an advertising platform the less mature it is. DFP is
horrid and Liverail is a bit better than AdJuggler but less sophisticated than
AOL's or SpotX.

------
sleazebreeze
Considering that Facebook lets you set the display domain separately from the
actual link domain, this behavior seems entirely intentional. Convincing
people to click on ads (by lying wholesale, in this case) is a crucial element
of Facebook's business model.

This does seem like they're trading long-term trust for short-term profits -
users will click on fewer and fewer sponsored posts as the number of deceitful
posts like this increase.

~~~
madeofpalk
I think the case for this is to be robust for the many legitimate ways that
online marketers use ads and create landing pages.

Often marketing platforms (like Hubspot or whatever) let you create multiple
landing pages which might all be on a subdomain(s) rather than handing full
control of the root domain to the platform. In these cases, you wouldn't want
pages.ctvnews.com to appear as the display domain.

Also not to mention the myriad of services and ways that act as a middleman
for the click, in the same way that the link display on Twitter appears as
ctvnews.com but it's actually a t.co link

~~~
radicalbyte
I think you're right.

It looks like Facebook hosts a lot of ads themselves, so I guess that
advertisers use URL shorteners as a way to verify click throughs from
Facebook.

For unsophisticated advertisers (i.e. with no referrer log analysis) I guess
it's pretty easy and effective.

~~~
mrweasel
>For unsophisticated advertisers (i.e. with no referrer log analysis)

In that case most advertisers are unsophisticated. Even the biggest ad-
networks/retargeting/tracking solutions all depend on redirect via their
servers to their end customer.

I am constantly disappointed with the technical knowledge and understanding
displayed by our advertising partners. A large number of them have almost zero
understanding of how the internet works. Of course part of the problem is that as a
developer you're inclined to point out that something won't work because it
won't work 100% of the time. That's a useless answer for the advertising
department and you end up with a duct-taped solution that works well enough, but
of course creates its own set of problems.

~~~
Fiahil
I've worked with multiple retargeting companies and advertisement departments in
the past, and I got the exact same conclusion. Most of the time the people in
charge of "digital innovation" or "e-marketing" have absolutely no idea of
what's going on behind the curtains. Even worse, their whole pricing model
(ctr, conversions, ...) is hanging on broken solutions that "work most of the
time". So, needless to say you often have to alter numbers/rates manually in
AB testing reports to let them have clean numbers they can sell. Even if every
tech knows how much bullshit is flowing in this industry, it's way easier to
let the big ones have what they want than argue about how everything is broken
(especially when you don't necessarily have a way to fix it).

I secretly suspect they -at least- know, but prefer to sweep these issues under
the rug and that's why they prefer to involve as few technical people as
possible. And that's why I don't work in this industry anymore and I won't
come back to it until they've all burnt to the ground.

~~~
mrweasel
We currently have an issue where the company that handles our ad-
tracking/referral payout tracks and wants payment for the same orders multiple
times. They honestly don't seem to understand the issue, customers will,
sometimes, return to the conversion page (checkout-success page) multiple
times, because people are just weird like that.

The fix is super simple: Their tracking pixel receives our order number, all
they need to do is accept that it's unique and just track the first
occurrence. Part of their problem is of course that they switched to a new
platform and didn't migrate any data.

Because many of the amounts are so small, they just accept a ton of errors and
as you say: "sweep these issues under the rug" because it's just a few cents
so who cares. But it adds up.

------
downandout
I discovered something quite similar to this several months ago and tried to
submit it as a bug report. One can easily make the display URL of any shared
post be anything they choose (screenshot of spoofed whitehouse.gov link [1]
and techcrunch.com link [2]), while the link actually goes to any site the
user wants. I was told, quite simply, that it wasn't a bug. No one seems to
care about the implications of this.

[1] http://prntscr.com/bckcf4

[2] http://prntscr.com/bckdml

~~~
ethanbond
Well no, they _do_ care about the implications. The implication being that by
cutting out fraudulent but paying users, they will have fewer paying users.

Advertisers and the networks that serve them will _never_ be on the consumer's
side. If a consumer wanted to do what an advertiser wanted, the advertiser
would be out of work. It's all subversion.

~~~
the_watcher
> Advertisers and the networks that serve them will never be on the consumer's
> side.

This is a danger, but in an optimal system, one that doesn't come into play.
Advertisers pay for eyeballs, eyeballs are there because they haven't been
driven away from the product by ads that ruin the experience.

------
DrScump
Oh, and it gets worse in the shameless-clickbait category.

I've seen frequently (and have documented) numerous cases of ads implying that
a famous person has died (e.g. Sly Stallone, The Rock, Lamar Odom, Colin
Kaepernick), luring clicks for details.

But what really disgusts me is the "Suggested Post" mechanism. In the past
week alone, I've had "Suggested Posts" from people selling obviously
_counterfeit merchandise_ and sites that claim to be the "Official NHL/NBA/MLB
Store", when they are not. And these include _plain text_ that should be
simple to parse and check, if they cared. (A more complicated strategy to
catch is when the bogus claims are only in text within the ad image, like the
oft-posted phony Ray-Ban Official Site.)

And Facebook (and especially the ad network who made the ad) makes money for
every sucker served.

------
lordnacho
I know a guy who does this for a living. What I gathered from talking to him:

- I'm not sure how his ads break the ToS, but something like what this
article describes might be part of it.

- Put some non violating ad on for approval, then change it.

- He changes the destination based on whether the viewer is coming from FB's
network.

- Use a prepaid card with phony details to pay for the ad.

- Says he is one of FB's largest customers. Readily admits to being a bit
shady with his ads, doesn't seem to bother him.

I have no idea whether things have changed much in the past couple of years
wrt to how the system works.

~~~
heyalexej
It still works the exact same way, except prepaid cards won't take you far at
several thousand dollar spend per day per account. Residential IPs are needed
and FB accounts with history (hint: have a look at craigslist). Also pre-
warming the white hat ads can cost several thousand $. And yes - those can
become the biggest spenders on FB.

------
ChicagoBoy11
Is it just me, or do other people actually LOVE this new trend of plugging
your product/work/yourself through interesting blog posts? Like, I don't care
how much $$$ this guy could spend on advertising --- this blog post is
certainly far more effective in getting me to buy the product. I learned
something, I was entertained, I now "trust" this individual, I got a great
demo of the product's use... love it!

~~~
runarb
Personally I did feel a little cheated when I realised that the article was an
advertisement.

Content marketing like this blurs out what is someone's genuine opinion and
what is advertisement.

I do not like it. Where I live, in Norway one has to clearly mark content
marketing as advertisement or risk some steep fines.

~~~
Kiro
It's written on Hunchly's own blog so I'm pretty sure it would be fine in
Norway as well.

------
daveguy
1) Avoid phone apps.

2) Install uBlock Origin on your browser.

3) Install Privacy Badger* on your browser.

* I used to use just uBlock origin, but things work so much better with privacy badger. There must be some kind of code to indicate "yeah, yeah, you're tracking me so well" because I don't get nearly as many broken sites. Third party comments don't work (like disqus), but HN is about the only place comments add value.

Fraud, malware, deceit, unwanted intrusions are reasons to block all
advertising. Facebook or otherwise, they are becoming the norm. We see this
over and over again. It is past time to take a stand.

On a related note. Does anyone know whether or not there are advertising
groups that provide single line, vetted ads (single line could be small non-
intrusive ads) to be embedded into a site rather than injected from an ad
network? There has to be SOME good actor providing single line unobtrusive ads
like the old google ads.

------
MichaelGG
FB should really be doing a bit more review when displaying popular websites -
flag them for quick further review. For instance, how many legit CNN accounts
do they have?

But this seems to be the norm. Google displays highly misleading ads,
especially on mobile. I see fake virus scans, "fix battery issues" and other
junk. Google's main search ads had malware downloads, even for popular things
like Skype. (And Chrome?)

Microsoft's store had many misleading apps, including fake Netflix apps. It
took several interactions between MS and Netflix to get that sorted, and MS
still ran fake apps (paid!) for popular software and movies. MS wouldn't even
deal with ISVs that complained. Hell, the Windows Store even carried a fake
version of Windows at one point! They didn't (don't) verify any details, such
as publisher name. For a while, typing "Facebook" into the Start Menu brought
up a fake FB app. This should put W10's invasiveness into new light: MS is not
competent when it comes to this kind of stuff.

I do wonder how much money this stuff brings in. Is it a significant percent
of business for these companies? It can't just be simple incompetence -- in
MS's case, they sometimes paid for the junk apps.

I'm still sort of surprised that this junk can make enough money for people to
advertise it though. Guess even 20 years after the net started getting
popular, there's still enough unsavvy people to scam.

~~~
tdkl
In Microsoft's case they just wanted more apps to flaunt at the next event to
display how their Store is growing now.

Same shit as forcing upgrades with dark patterns and silently changing things
so Windows 10 can be a success on powerpoint slides.

------
deprave
Why isn't Facebook doing domain verification for the display domain? There are
plenty of ways (email to well-known account, DNS records, etc.) to verify
domain ownership. Google is doing that and I'm sure plenty people at Facebook
are familiar with the concept.

From a legal perspective, I wonder if the legitimate sites can sue Facebook
over that, or if there's a case for class action on behalf of users.

In any case, I don't buy any arguments that claim this is intentional to help
actual advertisers or an oversight. From a security standpoint this is a
spoofing tool and without any kind of validation or verification it should be
clear what this tool is being used for. Facebook's in the business of
collecting and analyzing data, and I'm sure they know very well that it's
being misused.

------
GeneralMayhem
Not to defend Facebook for not doing their due diligence, but this article is
really underselling the complexity of the problem. The pseudocode given:

    if (display_domain == landing_page_domain) {
        approve_ad = true;
    } else {
        approve_ad = false;
    }

is, for one thing, not robust against cloaking (if malicious advertisers see
the request coming from a Facebook IP, they might actually redirect to the
displayed domain).

~~~
Cpoll
Facebook could probably check periodically from a separate IP (secret-
shopping, if you will) and pull the URLs that don't comply.

Of course, it'd probably turn into an arms race as malicious advertisers try
to profile FB's bot behavior and properly redirect it.

That is to say, I agree with you, the problem is non-trivial.

~~~
eonw
this is a shared service and the operators of this service have gotten pretty
good at catching FB when they do this... they will just add the last 10 IPs
that saw the banned ad, to their list of IPs to only show a "safe" page to.
then everyone paying into the service has that rule.

------
Lxr
Why is there even a separate field for "Display Link", is there a reason this
can't be parsed from the actual URL (like HN)?

~~~
Animats
Because the actual URL is often some metrics or ad-billing service which is
supposed to redirect to the target. This is quite common on Google as well as
on Facebook.

~~~
raverbashing
Then the possible check would be simply for FB to follow the original link and
see if it matches the display link after the redirect from the tracker

But of course they won't do that.

~~~
x0
then you'd send facebook's checker to the real url, and then redirect everyone
else

~~~
raverbashing
Check using a random referrer and random IP, also possibly recheck later

Also, for example, if they claim to be CNN, it should go to a relevant page,
not just cnn.com
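
The check debated in this subthread and the one above it (follow the link past any tracker, compare where it lands with the display domain, and re-check from a second vantage point to catch cloaking), as an added example that is not code from the thread or the article. The function names, vantage labels, sample URLs and the short suffix list are assumptions; redirect chains are passed in as already-recorded data so the block runs offline.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed samples; production code should consult the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Reduce a hostname to the domain someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def landing_domain(chain):
    """Registrable domain of the last hop in a recorded redirect chain."""
    # .hostname drops any userinfo, so "https://cnn.com@host/" yields "host".
    host = urlsplit(chain[-1]).hostname
    if not host:
        raise ValueError(f"no hostname in final hop: {chain[-1]!r}")
    return registrable_domain(host)


def review_ad(display_domain, observations):
    """Return (verdict, reasons) for one ad.

    observations maps a vantage-point label to the redirect chain recorded
    from it (first hop = the ad's link URL, last hop = page finally served).
    """
    wanted = registrable_domain(display_domain)
    finals = {v: landing_domain(chain) for v, chain in observations.items()}
    reasons = []
    # Subdomains of the displayed domain pass; anything else is a mismatch.
    for vantage, got in sorted(finals.items()):
        if got != wanted:
            reasons.append(f"{vantage}: lands on {got}, ad displays {wanted}")
    # Different destinations for different observers is the cloaking signal.
    if len(set(finals.values())) > 1:
        reasons.append("cloaking suspected: vantage points disagree")
    return ("reject" if reasons else "approve", reasons)


# Constructed samples (not real ads, trackers or landing pages).
TRACKER = "https://click.tracker.example/r?ad=1"
SAMPLES = {
    "subdomain behind tracker": ("ctvnews.com", {
        "review-crawler": [TRACKER, "https://pages.ctvnews.com/offer"],
        "resample": [TRACKER, "https://pages.ctvnews.com/offer"],
    }),
    "lookalike hostname": ("cnn.com", {
        "review-crawler": [TRACKER, "https://cnn.com.landing.example/story"],
        "resample": [TRACKER, "https://cnn.com.landing.example/story"],
    }),
    "cloaked destination": ("cnn.com", {
        "review-crawler": [TRACKER, "https://www.cnn.com/"],
        "resample": [TRACKER, "https://offers.landing.example/"],
    }),
}


def run_samples():
    """Review every constructed sample; returns {name: (verdict, reasons)}."""
    return {name: review_ad(d, obs) for name, (d, obs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in run_samples().items():
        print(f"{name}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

As the replies note, a second vantage point only helps while it stays unrecognised by the advertiser, so the comparison is a signal to re-run over time rather than a one-off approval gate.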

------
paulpauper
_It could also mean that the fraudster made enough money and decided to bail
on the campaign and tear down all of their infrastructure. Tough to confirm
either way._

Or the ads simply did not generate a positive ROI. I have read that Facebook
advertising (especially for US traffic) is very expensive and tends to not
convert well. I often see people run Facebook ads for non-scammy purposes (for
example three months ago James Altucher ran Facebook ads for his books, and
those ads are gone) and then pull them down, presumably because the
conversion is crud. No one ever pulls a successful advertising campaign
because they 'made enough money'.

~~~
AznHisoka
This. It's all fine and well he's getting lots of clicks but is he actually
converting them to revenue? If all he's doing is an ad arbitrage mode (i.e.
Hope visitors click on Adsense ads) he's doomed because that will never
succeed.

~~~
CaveTech
To both you and the parent... I can promise you he made money. Affiliate
advertising is rampant on Facebook because of how profitable it is. They do
a ton of shady things because Facebook actively tried to shut them down. This
person isn't doing view arbitrage, they're clearly doing affiliate marketing
and I know it accounts for no less than several hundred million per year in
revenue for Facebook.

~~~
AznHisoka
I've done my share of affiliate marketing in various channels, and Facebook
was by far the least successful for me. The guy in this piece doesn't seem to
be targeting based on fans of that supplement, or something very targeted.
He'd be lucky to get a 1% conversion rate. If I was a betting man, I'd wager
it wasn't successful at all. He'd have better luck targeting keywords in
Adwords, and preventing those ads from being seen in the city the supplement
makers are based at, or something sneaky.

~~~
CaveTech
I work for an Ad Network, I see this shit all day long. They're profitable.
Very profitable.

------
dansingerman
Usually infomercial type blog posts like this turn me off both the content and
the product, but this is a pretty great example of how to pimp your product
through genuinely interesting content. I've rarely seen it done this well.

------
markab21
I've been running ads for a bit now on Facebook. Compared to Google's ad stack,
Facebook's feels definitely more unrefined, to say the least, than Google's.
Sometimes basic things on Facebook's platform simply do not work.

Their ad approval process is random. I've had ads that were not approved,
resubmit for "automatic" approval. (Keep trying till it passes into the sample
group of Auto-Approve, it's an older account?)

All that said... I know Facebook was under pressure after their IPO to get
revenue coming. They've figured out now how to monetize their traffic base and
marketers are flocking to their platform. I expect that over time you're going
to see slow tightening of their policies, especially as marketers learn to
exploit it. It's still impossible to get someone on the phone from Facebook if
you have a problem and though you can generate very low cost CPA actions from
facebook, it's dangerous to bet big on them right now as this article points
out, change is going to have to come.

------
heisenbit
Considering FB insistence on "real name" this is priceless.

------
ChuckMcM
Pretty egregious. I hope facebook wakes up to this type of fraud quickly
because it is the kind of stuff my relatives fall for all the time.

~~~
ptaipale
A hope in vain: they most certainly have noticed, and they most certainly know
that they profit.

~~~
ChuckMcM
Actually having been at Google and later at a search engine dealing with
people trying to do these sorts of games, the FTC in particular is pretty
active in this space as are the various states attorney generals. And there
are liability issues which have been litigated several times, the biggest one
I know of being the Canadian Pharmacy ads on Google, where fines are paid and
the user experience is damaged.

So I am pretty confident that they don't allow this stuff on purpose just for
profits. I can believe they are slowly walking up the learning curve of how
they can be defrauded, and it is slow. You have to train a lot of people. But
it gets better. Now if I were in a leadership position in Facebook's
advertising group this would be on my list of top priorities to get done.

------
red_admiral
Here's another "bug" I noticed today: if your browser window is "too narrow",
for example because you're using that widescreen to have two windows open at
once, you get a horizontal scrollbar and ads display like this:

http://chunk.io/f/d1c9168e2f0c41edb8ea4bf3d29ddadc.png

scroll to the right and you get this:

http://chunk.io/f/f6020ad14aa84a6c9a3415291cfbb920.png

Yes, someone's being charged for an ad where even if I scroll I can only see a
few pixels on the left. If I make the window a bit narrower I don't see it at
all, but it's presumably still an "impression".

~~~
stevoski
> someone's being charged for an ad

When I advertise on Facebook, they charge me per click, not per impression. I
assume this poorly displayed ad also is charged per click.

------
josefresco
"If you tried this in Google AdWords, you would be laughed right out of your
account."

Feel the burn Facebook.

------
mathraq
The article feels a bit like an ad for hunch.ly as well

~~~
kevincox
That's because it was.

------
kyledrake
I've been seeing an uptick in the number of spam relays coming from Facebook
attempting to use Neocities for the landing page (or often times a redirect to
a landing page elsewhere). We shut the sites down very quickly and the scammer
finds a slower and less responsible service eventually. Still, Facebook needs
to take better action here to deal with spammers and it's definitely gotten
worse lately. They have a ton of money, no excuses here.

Perhaps we can also do an education campaign so that people don't think buying
dick pills from scrambled domain names is a good idea. A Youtube video ad
starring Ron Jeremy with the motto "Size Doesn't Matter".

------
greenspot
tl;dr:

Facebook ads can have different display-URLs and target-URLs, even the domain
can be different, e.g. ad shows cnn.com but leads to myshadysite.com

+ some subtle promotion for Hunchly (full-text search for your browser
history)

------
andrewvijay
Laughed way too hard at the code suggestion. Fantastic write up. Genuinely
shocking that Facebook allows such an easy loophole undetected. Or maybe they
know it.

~~~
eonw
there are similar loopholes in other ad networks, if you want to play in those
sorts of things. this is not a unique problem, it's just that facebook is the
largest and most obvious target. Those that made their money when it was much
easier are selling off their knowledge, nowadays that's more lucrative than
playing the cat and mouse game.

------
chris_wot
These ads are appearing on more reputable news sites, but for things like
gambling. The story line is almost always about a guy who is left by his woman
and he gets revenge by winning big. There is a list of "Facebook" comments,
and they make sure a few of them state that it's a scam, which makes it look
more legit.

------
joesmo
I see a lot of posts suggesting what FB should do about this (as if they have
incentives to change things; they don't) but perhaps we should focus on
informing end users about the dangers of ads and how to properly use an ad-
blocker. What would really be great is for the tech community to provide
solutions that regular non-techie users can use. For example, if Firefox
started bundling anti-ad functionality into its browser.

The age of debating whether ads are acceptable or not is long past; ads are
not acceptable because they are malware. Period. We should be teaching people
how to avoid malware and that means avoiding all ads. How can we expect FB to
fix this problem when they are causing the problem and they are profiting from
it? On the other hand, putting ad blocking technology into the next Firefox
would not only fix a huge chunk of the problem, but also send a clear message
from a huge fraction of web users that malware is not acceptable in any form,
including in ad form. I can't think of a better solution.

------
mthoms
I recently got an ad from the same vendor that led to the same landing page.
Only the ad caption had to do with Sylvester Stallone "revealing his dark
secret" in my case. I never click these things but the "cnn.com" part fooled
me.

------
TimMeade
I'm surprised that so far in the comments, no one has brought up the R word.
"Revenue" How much revenue is fb getting for allowing this? Their income has
suddenly jumped dramatically in the last few years. 26K Clicks is pretty good
income imho.

------
eonw
facebook is rife with this kind of stuff, there are whole businesses set up (that
also advertise on facebook) to help you skirt this stuff.

i know a number of people that play in the space spending 6 figures a month
doing this... they wouldn't be hard to catch, if you tried, but why would
facebook want to get rid of that revenue until absolutely forced to? and
imagine, i only know a handful of them.

------
mathraq
The article feels a bit like an ad for hunch.ly

------
sidcool
If you search for the word 'video' on HN, the top link is 'Facebook Fraud'.

------
tdkl
Response from FB : "it was a bug, ooopsies, carry on".

~~~
xufi
(Sarcastically) So that's why those ads started taking over the gradient outer
part of the page for me. Thanks a lot FB

------
Exuma
None of this is new, or surprising.

------
areyoucrazy
Also relevant - Veritasium: Facebook Fraud [1]

[1] https://www.youtube.com/watch?v=oVfHeWTKjag

