This article was originally posted on the Hunchly blog on Medium.
This story starts with Sidney Crosby, a professional hockey player and Canadian icon. I can neither confirm nor deny that I welled up like a small child at the Hockey Hall of Fame’s “Golden Goal” display (I will never forget that moment). So imagine my surprise when, in the middle of an investigation, I was sidetracked by this advertisement:
Now I can already see you rolling your eyes. It does look a bit scammy, doesn’t it? The problem is that I looked at the domain shown in the advertisement and saw ctvnews.ca, which is a reputable news organization in Canada. This of course made me think that something actually was up with Sid. So I clicked. Yep. I surely did.
So you will notice that this looks an awful lot like ESPN, not like CTV News at all. Not only that, but the domain espn.l1dh.com does not exactly leave me feeling confident that I have landed on ESPN’s site either. Scrolling further down the page we see the inevitable advertisements for supplements.
So clearly this is not ESPN and Sid the Kid is not endorsing this supplement. At the bottom of the page you can see the “social proof” of people recommending the product. Let’s do a quick reverse image search to see if these are real people. Charles Barrott is the target of our search in this case:
This will reverse search Google for that exact image. Lo and behold, this turns out to be Sam Muirhead, a filmmaker.
OK. We can stop there. Clearly someone has figured out how to game the Facebook system in order to run ads that look like they lead one place (ctvnews.ca) and ultimately lead somewhere vastly different. Not only that, but they are repeatedly using trademarked names, terms, and false information to sell product. This violates a number of Facebook advertising policies. My guess is that you sign up for the “Free Trial” and you are going to get dinged once a month for life. Or worse.
What the hell is happening here?
At this point I am wondering how often fraudsters are using this bait-and-switch technique. Could this just be a one-off fraudster that was able to trick Facebook and I was lucky enough to catch it? I turned to my own Hunchly index. Hunchly allows you to perform a full-text search across all of the captured pages you have viewed while Hunchly was turned on. In Facebook ads, the keyword “Sponsored” is always present in the HTML, so a quick search like this:
will do a full-text search for all facebook.com URLs whose page content contains the keyword “sponsored”. This brought up a pile of hits (I have about 5k pages in my index), as you would expect, since most Facebook pages contain sponsored ads. I started hunting around various archived pages and found a page that I had viewed on an investigation on December 11, 2015, roughly 6 months ago.
I viewed the page in Hunchly and saw an ad that looked suspicious just based on the ad copy. The displayed domain is for btmontreal.ca, which is a legitimate news site. I started to smell smoke.
Since Hunchly has a live copy of the entire page, all of the links are preserved. I mouse over the ad to see where the click will actually land me, and I see that the URL displayed at the bottom of Chrome does not correspond to btmontreal.ca. We have another hit. Now I see fire. Rather than click on the link, I right-click and copy it into a text editor.
It is a big messy blob, and all of those little %’s tell you that the URL is URL-encoded. You can easily find a URL decoder online that you can paste it into, and the first bit you will see is this:
The first bit is the Facebook advertising handler, and the part in bold is the destination URL of where you land after you click. I have cut it off at the first “&” so that we just have the shortened Google URL. This leads us to the next part of our investigation.
Analyzing Shortened Google URLs
The Google URL shortener works like any other shortening service, such as bit.ly. You pop in a big URL and it spits out a little URL. The cool thing with the Google URL shortener is that it provides analytics, so that you can see how a shortened URL was accessed and how many times.
So how do you find these wondrous analytics?
You simply add .info to the end of a shortened Google URL and you will be taken to a page that has the data:
So we can see that there were 26,812 clicks through this shortened URL, and if you hover over the doughnut chart you’ll see that a confirmed 11,246 of them came from Facebook. That is a lot of clicks. The “Unknown” clicks could be a case of browsers not passing along the Referer HTTP header, but I can’t confirm that. What we can see from the activity graph is that the campaign only ran for a relatively short period of time before stopping. In Facebook’s defence, this may mean that they detected this fraud or someone reported the ads. It could also mean that the fraudster made enough money and decided to bail on the campaign and tear down all of their infrastructure. Tough to confirm either way.
We also see that the destination URL (which is now dead) is:
There were no cached copies of the site, and since I didn’t click on the links when I was first viewing it back in December, I did not have a copy of the landing page stored in my Hunchly index. So we do not have enough proof to show that we have a fraudulent landing page, but if you dig into the dftrack6.com domain, you will quickly see that it looks suspicious.
The main point here however has been proven: fraudsters can create ads that appear to point to legitimate sites, and then drive tens of thousands of clicks through to their landing pages. Facebook apparently is asleep at the wheel, and sadly, I feel that the general Facebook user and consumers as a whole are being victimized because of it.
How Hard Can This Be?
Now it was time for me to put this all to a test. I will use local advertising and target, well, only me. I used my postal code, age, and set it so that the ads would only run for people connected to both my AutomatingOSINT.com page and the Hunchly Facebook page.
For a minute I would like you to think about the capability to do this targeting from a spear phishing perspective. Scary isn’t it?
I set up my ad to run for the Hunchly page, and the destination URL to be for https://www.hunch.ly but I set the display URL to www.cnn.com. Like so:
Now of course this is really an insane thing from an advertising network perspective. If you tried this in Google AdWords, you would be laughed right out of your account. There are no other indicators in the ad that tell the user they are destined for www.hunch.ly. Any normal user will simply see www.cnn.com and think that they are heading to a trusted domain. How many Facebook users are actually checking the bottom of their browser window every time they hover over a link? Not many.
This is all fine and dandy, but of course I need to get the ad through by Facebook’s approval process. Surely they must catch the fact that the destination URL is not even close to the displayed URL. Surely they must see how bad this would be for the average consumer or Facebook user.
With a big resounding thud, our ad is approved and we can even see the wonderful preview, complete with a display URL of cnn.com:
Once the ad started running, I turned it off right away. I am sure if someone from Facebook is reading this article and has made it this far, my advertising account will promptly be suspended.
In the security world we have long been pushing to make sure that products become more “secure by default”. This means that no matter how little a user knows, they are protected as best as possible from day one. While we are all aware that there are ways to commit fraud through advertising networks, in a lot of cases it requires numerous tricks or a relatively high level of sophistication. Google AdWords is extremely vigilant when it comes to placing a new ad (go try it) to make sure that you are not doing anything suspicious. While AdWords is not a perfect system, like anything in security the idea is to raise the bar high enough that only the most sophisticated fraudsters can game the system.
Facebook is missing a simple check that is leaving users at risk. We are not talking about enhancing or tweaking a sophisticated anti-fraud algorithm. In fact the code looks like this:
if (display_domain == landing_page_domain)
    approve_ad = true;
else
    approve_ad = false;
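As an added example (not the article’s or Hunchly’s code), here is a small Python script that does what the two manual steps above describe: it decodes an ad click link of the kind pasted into the text editor, extracts the destination URL, and then applies the display-domain-versus-landing-domain check. The l.facebook.com wrapper, the parameter name u and all sample URLs are assumptions, and the domain comparison uses a simple last-two-labels rule rather than the Public Suffix List.

```python
from urllib.parse import urlparse, parse_qs, unquote


def extract_landing_url(ad_link: str) -> str:
    """Return the decoded destination URL carried inside an ad click link.

    The click handler is assumed to wrap the real destination as a
    URL-encoded query parameter named "u"; if it is absent, the link
    itself is treated as the destination.
    """
    params = parse_qs(urlparse(ad_link).query)
    if "u" in params:
        # parse_qs decodes once; unquote again in case of double encoding
        return unquote(params["u"][0])
    return ad_link


def registrable_domain(url: str) -> str:
    """Collapse a host to its last two labels (www.cnn.com -> cnn.com).

    Good enough for this demonstration; a production check should use the
    Public Suffix List so that suffixes like co.uk are handled correctly.
    """
    if "//" not in url:
        url = "http://" + url  # bare display URLs such as www.cnn.com
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def approve_ad(display_url: str, ad_link: str) -> bool:
    """The check the article says is missing: approve only when the domain
    shown to the user matches the domain the click actually lands on.
    Comparing against the first hop is enough to flag a shortener or
    tracking domain; a full check would also follow redirects.
    """
    return registrable_domain(display_url) == registrable_domain(
        extract_landing_url(ad_link)
    )


# Constructed sample (made-up values): an ad displaying ctvnews.ca whose
# click link actually lands on a URL shortener, as in the article.
AD_LINK = ("https://l.facebook.com/l.php?u=https%3A%2F%2Fgoo.gl%2Fabc123"
           "%3Futm_source%3Dfb&h=ATxyz")

if __name__ == "__main__":
    print("lands on:", extract_landing_url(AD_LINK))
    print("approve ctvnews.ca ad:", approve_ad("ctvnews.ca", AD_LINK))
    print("approve cnn.com -> hunch.ly:", approve_ad("www.cnn.com", "https://www.hunch.ly"))
```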
Now what I would love for you to do is to check your own Facebook account for sponsored ads. Do they point to the domain that they say they do?
If not email me your findings, I would love to start collecting some statistics or to see some spinoff investigations to see how widespread this problem truly is.