Fraudulent Advertising on Facebook

  • When Google got into advertising, they were relaxed about what ads they accepted. They happily ran just about any advert. But then two things happened.

    1) the scammers came.

    2) governments started holding Google accountable for running ads for online gambling and prescription medication. Google (and Microsoft and Yahoo) had to pay large fines for running ads for products and companies that governments saw as illegal.

    As the years passed, Google has become ever more restrictive in what ads it will run. To the point where trigger-happy Google Adwords staff whose job is to approve ads reject many ads that are actually fine.

    I think Facebook will go down the same path.

    My main product is software used by poker players to track and analyse their winnings and losses. I haven't been able to advertise on Google for years, because the ad reviewers see the word 'poker' and demand proof that I am certified to run a gambling company in the locales I'm advertising in. I've given up trying to argue my case to Google that just because my product has the word 'poker' in the title doesn't mean I'm running a casino!

    Facebook, however, still approves my adverts within a few hours. I'm expecting this to stop as Facebook tightens up after a few large government fines.

  • Considering that Facebook lets you set the display domain separately from the actual link domain, this behavior seems entirely intentional. Convincing people to click on ads (by lying wholesale, in this case) is a crucial element of Facebook's business model.

    This does seem like they're trading long-term trust for short-term profits - users will click on fewer and fewer sponsored posts as the number of deceitful posts like this increases.

  • I discovered something quite similar to this several months ago and tried to submit it as a bug report. One can easily make the display URL of any shared post be anything they choose (screenshot of spoofed whitehouse.gov link [1] and techcrunch.com link [2]), while the link actually goes to any site the user wants. I was told, quite simply, that it wasn't a bug. No one seems to care about the implications of this.

    [1] http://prntscr.com/bckcf4

    [2] http://prntscr.com/bckdml

  • Oh, and it gets worse in the shameless-clickbait category.

    I've frequently seen (and have documented) numerous cases of ads implying that a famous person has died (e.g. Sly Stallone, The Rock, Lamar Odom, Colin Kaepernick), luring clicks for details.

    But what really disgusts me is the "Suggested Post" mechanism. In the past week alone, I've had "Suggested Posts" from people selling obviously counterfeit merchandise and sites that claim to be the "Official NHL/NBA/MLB Store", when they are not. And these include plain text that should be simple to parse and check, if they cared. (A more complicated strategy to catch is when the bogus claims are only in text within the ad image, like the oft-posted phony Ray-Ban Official Site.)

    And Facebook (and especially the ad network who made the ad) makes money for every sucker served.

  • I know a guy who does this for a living. What I gathered from talking to him:

    - I'm not sure how his ads break the ToS, but something like what this article describes might be part of it.

    - Put some non violating ad on for approval, then change it.

    - He changes the destination based on whether the viewer is coming from FB's network.

    - Use a prepaid card with phony details to pay for the ad.

    - Says he is one of FB's largest customers. Readily admits to being a bit shady with his ads, doesn't seem to bother him.

    I have no idea whether things have changed much in the past couple of years wrt how the system works.

  • Is it just me, or do other people actually LOVE this new trend of plugging your product/work/yourself through interesting blog posts? Like, I don't care how much $$$ this guy could spend on advertising --- this blog post is certainly far more effective in getting me to buy the product. I learned something, I was entertained, I now "trust" this individual, I got a great demo of the product's use... love it!

  • 1) Avoid phone apps.

    2) Install uBlock Origin on your browser.

    3) Install Privacy Badger* on your browser.

    * I used to use just uBlock Origin, but things work so much better with Privacy Badger. There must be some kind of code to indicate "yeah, yeah, you're tracking me so well" because I don't get nearly as many broken sites. Third party comments don't work (like disqus), but HN is about the only place comments add value.

    Fraud, malware, deceit, unwanted intrusions are reasons to block all advertising. Facebook or otherwise, they are becoming the norm. We see this over and over again. It is past time to take a stand.

    On a related note. Does anyone know whether or not there are advertising groups that provide single line, vetted ads (single line could be small non-intrusive ads) to be embedded into a site rather than injected from an ad network? There has to be SOME good actor providing single line unobtrusive ads like the old google ads.

  • FB should really be doing a bit more review when displaying popular websites - flag them for quick further review. For instance, how many legit CNN accounts do they have?

    But this seems to be the norm. Google displays highly misleading ads, especially on mobile. I see fake virus scans, "fix battery issues" and other junk. Google's main search ads had malware downloads, even for popular things like Skype. (And Chrome?)

    Microsoft's store had many misleading apps, including fake Netflix apps. It took several interactions between MS and Netflix to get that sorted, and MS still ran fake apps (paid!) for popular software and movies. MS wouldn't even deal with ISVs that complained. Hell, the Windows Store even carried a fake version of Windows at one point! They didn't (don't) verify any details, such as publisher name. For a while, typing "Facebook" into the Start Menu brought up a fake FB app. This should put W10's invasiveness into new light: MS is not competent when it comes to this kind of stuff.

    I do wonder how much money this stuff brings in. Is it a significant percent of business for these companies? It can't just be simple incompetence -- in MS's case, they sometimes paid for the junk apps.

    I'm still sort of surprised that this junk can make enough money for people to advertise it though. Guess even 20 years after the net started getting popular, there's still enough unsavvy people to scam.

  • Why isn't Facebook doing domain verification for the display domain? There are plenty of ways (email to well-known account, DNS records, etc.) to verify domain ownership. Google is doing that and I'm sure plenty of people at Facebook are familiar with the concept.

    From a legal perspective, I wonder if the legitimate sites can sue Facebook over that, or if there's a case for class action on behalf of users.

    In any case, I don't buy any arguments that claim this is intentional to help actual advertisers or an oversight. From a security standpoint this is a spoofing tool and without any kind of validation or verification it should be clear what this tool is being used for. Facebook's in the business of collecting and analyzing data, and I'm sure they know very well that it's being misused.

  • Not to defend Facebook for not doing their due diligence, but this article is really underselling the complexity of the problem. The pseudocode given:

    if (display_domain == landing_page_domain) {
        approve_ad = true;
    } else {
        approve_ad = false;
    }

    is, for one thing, not robust against cloaking (if malicious advertisers see the request coming from a Facebook IP, they might actually redirect to the displayed domain).
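
The cloaking objection above, as an added example (not from the article or from any commenter): a review check that compares the display domain with the final landing host of every recorded redirect chain and flags ads whose destination differs between vantage points. The function names, vantage labels and sample chains are constructed, and it assumes the reviewer can record redirect chains from more than one network location.

```javascript
// Added example: function names, vantage labels and sample chains are constructed.

// Reduce a display link or URL to a bare lowercase hostname without "www.".
function hostOf(value) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  const host = new URL(hasScheme ? value : `https://${value}`).hostname;
  return host.toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
}

// True when host is the display domain or a subdomain of it. Matching on a
// label boundary rejects lookalikes such as "cnn.com.myshadysite.com".
function sameSite(host, displayDomain) {
  return host === displayDomain || host.endsWith(`.${displayDomain}`);
}

// observations: one entry per vantage point, each with the full redirect
// chain that was recorded from there (assumed to be collected elsewhere).
function reviewAd(displayLink, observations) {
  const display = hostOf(displayLink);
  const reasons = [];
  const verdicts = new Set();
  for (const { vantage, chain } of observations) {
    const finalHost = hostOf(chain[chain.length - 1]);
    const ok = sameSite(finalHost, display);
    verdicts.add(ok);
    if (!ok) reasons.push(`${vantage}: lands on ${finalHost}, not ${display}`);
  }
  // The same ad resolving on-site from one place and off-site from another
  // is the cloaking pattern: the reviewer was shown a different destination.
  if (verdicts.size > 1) reasons.push("cloaking suspected: vantage points disagree");
  return { approve: observations.length > 0 && reasons.length === 0, reasons };
}

// Constructed sample: the review crawler is sent to the displayed site,
// an ordinary visitor is sent somewhere else.
const SAMPLE = [
  { vantage: "review-crawler",
    chain: ["https://t.example/r?id=1", "https://www.cnn.com/story"] },
  { vantage: "ordinary-visitor",
    chain: ["https://t.example/r?id=1", "https://myshadysite.com/offer"] },
];

console.log(reviewAd("cnn.com", SAMPLE));
```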

  • Why is there even a separate field for "Display Link", is there a reason this can't be parsed from the actual URL (like HN)?

  • It could also mean that the fraudster made enough money and decided to bail on the campaign and tear down all of their infrastructure. Tough to confirm either way.

    Or the ads simply did not generate a positive ROI. I have read that Facebook advertising (especially for US traffic) is very expensive and tends to not convert well. I often see people run Facebook ads for non-scammy purposes (for example three months ago James Altucher ran Facebook ads for his books, and those ads are gone) and then pull them down, presumably because the conversion is crud. No one ever pulls a successful advertising campaign because they 'made enough money'.

  • Usually infomercial type blog posts like this turn me off both the content and the product, but this is a pretty great example of how to pimp your product through genuinely interesting content. I've rarely seen it done this well.

  • I've been running ads for a bit now on Facebook. Compared to Google's ad stack, Facebook's feels definitely more unrefined, to say the least, than Google's. Sometimes basic things on Facebook's platform simply do not work.

    Their ad approval process is random. I've had ads that were not approved, resubmit for "automatic" approval. (Keep trying till it passes into the sample group of Auto-Approve, it's an older account?)

    All that said... I know Facebook was under pressure after their IPO to get revenue coming. They've figured out now how to monetize their traffic base and marketers are flocking to their platform. I expect that over time you're going to see slow tightening of their policies, especially as marketers learn to exploit it. It's still impossible to get someone on the phone from Facebook if you have a problem and though you can generate very low cost CPA actions from Facebook, it's dangerous to bet big on them right now as this article points out, change is going to have to come.

  • Considering FB's insistence on "real name" this is priceless.

  • Pretty egregious. I hope Facebook wakes up to this type of fraud quickly because it is the kind of stuff my relatives fall for all the time.

  • Here's another "bug" I noticed today: if your browser window is "too narrow", for example because you're using that widescreen to have two windows open at once, you get a horizontal scrollbar and ads display like this:

    http://chunk.io/f/d1c9168e2f0c41edb8ea4bf3d29ddadc.png

    scroll to the right and you get this:

    http://chunk.io/f/f6020ad14aa84a6c9a3415291cfbb920.png

    Yes, someone's being charged for an ad where even if I scroll I can only see a few pixels on the left. If I make the window a bit narrower I don't see it at all, but it's presumably still an "impression".

  • "If you tried this in Google AdWords, you would be laughed right out of your account."

    Feel the burn Facebook.

  • The article feels a bit like an ad for hunch.ly as well

  • I've been seeing an uptick in the number of spam relays coming from Facebook attempting to use Neocities for the landing page (or often times a redirect to a landing page elsewhere). We shut the sites down very quickly and the scammer finds a slower and less responsible service eventually. Still, Facebook needs to take better action here to deal with spammers and it's definitely gotten worse lately. They have a ton of money, no excuses here.

    Perhaps we can also do an education campaign so that people don't think buying dick pills from scrambled domain names is a good idea. A Youtube video ad starring Ron Jeremy with the motto "Size Doesn't Matter".

  • tl;dr:

    Facebook ads can have different display-URLs and target-URLs, even the domain can be different, e.g. ad shows cnn.com but leads to myshadysite.com

    + some subtle promotion for Hunchly (full-text search for your browser history)

  • Laughed way too hard at the code suggestion. Fantastic write up. Genuinely shocking that Facebook allows such an easy loophole undetected. Or maybe they know it.

  • These ads are appearing on more reputable news sites, but for things like gambling. The story line is almost always about a guy who is left by his woman and he gets revenge by winning big. There is a list of "Facebook" comments, and they make sure a few of them state that it's a scam, which makes it look more legit.

  • I see a lot of posts suggesting what FB should do about this (as if they have incentives to change things; they don't) but perhaps we should focus on informing end users about the dangers of ads and how to properly use an ad-blocker. What would really be great is for the tech community to provide solutions that regular non-techie users can use. For example, if Firefox started bundling anti-ad functionality into its browser.

    The age of debating whether ads are acceptable or not is long past; ads are not acceptable because they are malware. Period. We should be teaching people how to avoid malware and that means avoiding all ads. How can we expect FB to fix this problem when they are causing the problem and they are profiting from it? On the other hand, putting ad blocking technology into the next Firefox would not only fix a huge chunk of the problem, but also send a clear message from a huge fraction of web users that malware is not acceptable in any form, including in ad form. I can't think of a better solution.

  • I recently got an ad from the same vendor that led to the same landing page. Only the ad caption had to do with Sylvester Stallone "revealing his dark secret" in my case. I never click these things but the "cnn.com" part fooled me.

  • I'm surprised that so far in the comments, no one has brought up the R word. "Revenue" How much revenue is fb getting for allowing this? Their income has suddenly jumped dramatically in the last few years. 26K Clicks is pretty good income imho.

  • Facebook is rife with this kind of stuff, there are whole businesses set up (that also advertise on Facebook) to help you skirt this stuff.

    I know a number of people that play in the space spending 6 figures a month doing this... they wouldn't be hard to catch, if you tried, but why would Facebook want to get rid of that revenue until absolutely forced to? And imagine, I only know a handful of them.

  • The article feels a bit like an ad for hunch.ly

  • If you search for the word 'video' on HN, the top link is 'Facebook Fraud'.

  • Response from FB : "it was a bug, ooopsies, carry on".

  • None of this is new, or surprising.

  • Also relevant - Veritasium: Facebook Fraud [1]

      [1]  https://www.youtube.com/watch?v=oVfHeWTKjag
