As Facebook continues to deal with the public backlash over its role in distributing fake and hyperpartisan news, the site remains vulnerable to another potentially dangerous, but much less publicized, risk: fake advertisements.
Facebook ads that purport to direct users to one website but, when clicked, send them somewhere else entirely are easy to set up. In some cases these ads are approved in minutes. The bait-and-switch approach, sometimes called “domain spoofing” (and, loosely, “clickjacking,” although that term properly refers to a different attack in which clicks are hijacked by invisible page overlays), involves displaying a URL that users are likely to recognize and trust while sending those who click on the ad to an unrelated page. It poses a risk for users who unknowingly click on an advertisement and end up on a potentially malicious website. In some cases the landing pages serve as vehicles to distribute malware, often disguised as what appear to be legitimate brands or media outlets and littered with ads for supplements and other products. In theory, the mismatch isn’t difficult to detect: the domain shown in the ad can be compared with the domain the click actually lands on. But a basic design feature of Facebook’s advertising system, the option to manually enter the URL displayed in the ad, makes that check tricky to enforce in practice.
Canadian hacker Justin Seitz first identified the problem last summer, when he authored a Medium post outlining how easy it was for him to set up his own fake ad campaign after he was fooled into clicking on one himself. Seitz was recently dismayed when, in a demonstration shared with Forbes, he discovered that not much had changed since then. It took Seitz less than 15 minutes to get an ad featuring a bogus display URL approved and up on Facebook.
Using his own company, an online organizing tool aimed at journalists and private investigators called Hunchly, Seitz quickly clicked through to his advertising dashboard. Borrowing text from a previous ad and directing it to his website, “www.hunch.ly”, Seitz changed the display URL at the bottom of the ad to read “CNN.com.” Above it, he typed “Hunchly is the best investigations software ever,” a tongue-in-cheek attempt to see how far he could push the boundaries of phony advertising. “It’s like my 10-year-old wrote it,” he said with a laugh.
After setting a daily budget for his campaign and targeting adults living in the United States, Seitz submitted the ad for approval. Less than 13 minutes later, he received a notification informing him that his ad was approved. Seitz then toggled over to his user dashboard, and watched as the impressions started to rack up. “I wouldn’t even attempt this with Google,” Seitz said, echoing what he wrote in 2016: “If you tried this in Google AdWords, you would be laughed right out of your account.”
Preventing advertisers from being able to change the display URL is “low hanging fruit” that Facebook isn’t addressing when it comes to policing fraudulent advertisers, Seitz said. “It’s the bare minimum to protect your users from going to malicious sites.”
While the demonstration is limited in scope, Seitz has come across numerous examples of fake ad campaigns that appear to have been active for months, driving traffic to questionable websites such as “dftrack6.com”, “evolutiotv.com” and “vicinitieser.com”–all claiming to direct users to established, reputable publications.
A Facebook spokesman acknowledged that advertisers had been caught doing what Seitz demonstrated, and that some have been blocked as a result. Facebook’s review process is largely automated, with human review only in instances where a red flag has been raised by the site’s filtering system or by user reports.
“Spoofing domains with the intent to mislead by mismatching the preview domain and the destination domain is a violation of our ad policy. Our goal is to prevent any misleading ad from appearing on Facebook, and we use both human and automated methods to flag these ads before they go live,” the spokesman said in a written statement to Forbes. “Occasionally, policy-violating ads get through, and we use signals from our community such as user feedback to identify and quickly remove them. For the worst offenders, we will take additional steps such as blocking the entire advertising account and any connected accounts.”
While Seitz faced little resistance when setting up his bogus ad campaign, he ran into trouble when he tried to target it more narrowly. A couple of days after demonstrating how easy it was to exploit Facebook’s URL loophole, Seitz got an automated message informing him that his ad had been removed. The reason? His display URL didn’t match the landing page. Facebook eventually caught Seitz, but the hacker stressed that the time between his ad being approved and removed was more than enough to cause damage unbeknownst to an average user.
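The check that eventually removed Seitz’s ad, comparing the domain shown in the ad with the domain the click actually lands on, is the “low hanging fruit” the article describes. The Python below is an added example written for this article, not Facebook’s or Google’s code. It normalizes a display URL typed without a scheme (such as “CNN.com”), follows the destination through any redirect chain, and compares the two registrable domains, so that a subdomain difference (“www.hunch.ly” vs. “hunch.ly”) passes but a different site fails. The public-suffix set and the redirect table are constructed stand-ins; a real deployment would load the Public Suffix List and record the redirects an HTTP client actually observes.

```python
"""Display-domain vs. landing-domain check for ad review (added example)."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real check
# would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "ly", "co.uk"}


def host_of(url):
    """Return the lowercase host of a URL or of a bare display string like 'CNN.com'."""
    if "//" not in url:
        url = "http://" + url  # display URLs are usually typed without a scheme
    host = urlsplit(url).hostname  # urlsplit lowercases the host for us
    if not host:
        raise ValueError("no host in %r" % url)
    return host.rstrip(".")


def registrable_domain(host):
    """Collapse a host to its registrable domain: www.cnn.com -> cnn.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("%r is a public suffix, not a site" % host)
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels (assumption).
    return ".".join(labels[-2:])


def resolve_landing(url, redirects, max_hops=10):
    """Follow a redirect chain to its final URL.

    `redirects` maps a URL to the Location it redirects to. In production this
    is what an HTTP client sees; here it is a constructed table so the example
    runs offline. Loops and overlong chains are rejected rather than followed.
    """
    seen = []
    for _ in range(max_hops):
        seen.append(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url, seen
        if nxt in seen:
            raise ValueError("redirect loop via %r" % nxt)
        url = nxt
    raise ValueError("more than %d redirects from %r" % (max_hops, seen[0]))


def check_ad(display_url, destination_url, redirects):
    """Return (ok, shown_domain, landed_domain) for one ad.

    ok is True only when the registrable domain the user sees matches the
    registrable domain of the page the click finally lands on.
    """
    shown = registrable_domain(host_of(display_url))
    final_url, _ = resolve_landing(destination_url, redirects)
    landed = registrable_domain(host_of(final_url))
    return shown == landed, shown, landed


# Constructed redirect table (no requests are made): the advertiser's own
# domain bounces through a click tracker to a third-party landing page.
REDIRECTS = {
    "http://example.org/go": "http://click.example.net/r?id=1",
    "http://click.example.net/r?id=1": "http://landing.example.net/offer",
}

# Constructed sample ads: the demo from the article, an honest ad whose
# destination merely adds a subdomain, and a destination cloaked by redirects.
SAMPLE_ADS = [
    ("CNN.com", "http://www.hunch.ly/", {}),
    ("hunch.ly", "https://www.hunch.ly/blog", {}),
    ("example.org", "http://example.org/go", REDIRECTS),
]

if __name__ == "__main__":
    for display, destination, table in SAMPLE_ADS:
        ok, shown, landed = check_ad(display, destination, table)
        verdict = "approve" if ok else "REJECT"
        print("%-8s shown=%-12s landed=%-12s (%s -> %s)" % (verdict, shown, landed, display, destination))
```

Running the block prints one line per sample ad: the “CNN.com” ad is rejected because the click lands on hunch.ly, the honest Hunchly ad is approved despite the www prefix, and the redirect case is rejected only because the chain was followed to its end; comparing against the first-hop URL alone would have approved it.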
Facebook is a behemoth in online advertising, and its presence is still growing. In its most recent quarterly financial results, Facebook reported ad revenue of $8.6 billion, up more than 50 percent. But as digital ad revenue projections grow, the lion’s share will be claimed by one of just two companies: Facebook and Google. Combined, the pair accounted for as much as 90 percent of total online ad revenue growth last year, according to one estimate.
Despite this shared dominance, in some ways Facebook lags behind Google’s AdWords platform, which powers the advertisements in online search results. Industry experts interviewed for this story called Google’s system the “gold standard” when it comes to weeding out bad actors, citing the platform’s edge in experience over Facebook (Google started AdWords in 2000, four years before Facebook was launched) and more proactive enforcement.
A Google spokeswoman confirmed that “any modifications to the ad text,” including the display URL, trigger an automatic human review. Google does not track how many ads are removed specifically for domain issues, the spokeswoman said, pointing to the company’s annual report, which contains aggregate figures. In its most recent report, Google said it had removed 1.7 billion ads in 2016, more than double the previous year.
The extent of fake ads on Facebook is unclear. Seitz has identified numerous examples of bogus display domains in his own research, but Forbes was unable to independently verify this. A Facebook spokesman declined to disclose how often ads are removed for violating the company’s policies, or say whether the company tracked even this information.
Regardless of the scope, advertising that misleads users “is a problem,” said Ginny Marvin, a reporter at the website Search Engine Land who has written extensively about online ads. Marvin said Facebook’s policy of allowing advertisers to change their display URLs is baffling. “The fact they aren’t thinking about that is crazy,” she said. “That’s either a willful misstep, or a learning curve issue.”
Facebook spokesman Tom Channick defended the URL editing option, and said the “use of this feature is not always misleading or malicious.” Channick gave an example of a nonprofit organization running a donation campaign through a third-party site, and linking to it directly from a Facebook ad. In this scenario, the company “may want the preview URL to be their own homepage,” Channick said. “This is not always an unexpected or misleading experience for a user.”
Seitz disagreed, and argued that allowing differences in the display URL and landing page “is a terrible idea.” In the hypothetical case of the fundraising nonprofit, Seitz said the organization could easily set up a landing page on their own website that directs users to donate. “Regardless of who is running the ad with a different preview domain, it is always misleading for the user if the displayed domain is different than where they landed,” he said. “No matter how good the intentions of the advertiser are, it is still misleading and is bad advertising platform practice.”
Source: SANS ISC SecNewsFeed @ March 2, 2017 at 06:54AM