Cybercrime abuses Facebook paid advertisements

Pierluigi Paganini September 01, 2013

A look at an interesting study on the criminal abuse of Facebook’s paid “Sponsor Ads” system to deliver nefarious websites to users.

In recent weeks I presented an interesting study of the techniques cybercriminal organizations use to abuse the popular social network Facebook. The researchers Frank Angiolelli, Eric Feinberg and Ian Malloy have issued a follow-up to that analysis, titled “Facebook Paid Advertisements to Defraud”; it is an interesting study that I analyze with you in this post.

Facebook, like any other social media platform, offers cybercrime a multitude of opportunities to exploit the numerous services it provides. In particular, the study evaluates how organized cybercriminals are leveraging Facebook’s paid “Sponsor Ads” system to deliver nefarious websites to the users of the social network.

“These cybercriminals are paying Facebook to obtain sponsored advertisement space which is presented to the user without request or choice”

The investigation revealed coordinated groups using multiple brand names in a mass distribution system that affects the entire ecosystem.

Facebook fraud website

It has been estimated that every single user was presented with as many as 20 unique fraud advertisements in an 8-hour period on Facebook, as well as multiple repeat fraud websites. The Facebook frauds are managed through masses of redirector sites owned by attributable groups that employ varying evasive techniques to redirect users to their fraudulent content.

“The payment methods being employed by these websites are tied to numerous reports of fraud. Users who are tricked by a Paid Sponsored Advertisement send their money to nefarious groups with no recourse. There are two primary types of advertisements, a “root” website and a “zombie redirector” which equates to a farm of websites that can be submitted to Facebook. The root nefarious website holds the actual content being delivered to the user.”

The researchers collected evidence that many of the fraudulent activities are attributable to Chinese actors, who nonetheless adopted different techniques for bot management. Most of the content delivery sources are Chinese CDN networks:

  • CNZZ and 51.la are the most frequent CDN networks employed
  • A majority of these websites have been developed using Chinese versions of software
  • The code replication techniques are published under what appear to be Chinese names
  • The registrars, outside of Godaddy, are primarily Chinese registrar technology companies.
  • The genesis of this has Chinese origins – We intend to expand on this in our next paper
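The "root" and "zombie redirector" split quoted above suggests one way a defender can correlate crawled ad landing pages: group every advertised domain by the site that finally serves the content, then tally registrars and tracker services per group. The sketch below is an added illustration, not the researchers' system; the record layout, all `.example` domains, the registrar labels and the script hostnames are constructed, and matching on the `cnzz.com` and `51.la` suffixes is an assumption about how the two services named in the report would appear in a crawl.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

TRACKER_SUFFIXES = ("cnzz.com", "51.la")  # assumed suffixes for the services named in the report

# Constructed crawl records: hops[0] is the URL submitted as the ad,
# hops[-1] is the page the browser finally landed on.
CRAWL = [
    {"hops": ["http://qx7rbd.example/", "http://outlet-root.example/sale"],
     "registrar": "Registrar-A", "scripts": ["s11.cnzz.com"]},
    {"hops": ["http://mzk2pl.example/", "http://hop.example/r",
              "http://outlet-root.example/sale"],
     "registrar": "Registrar-A", "scripts": ["s11.cnzz.com"]},
    {"hops": ["http://wv9tqa.example/", "http://outlet-root.example/"],
     "registrar": "Registrar-B", "scripts": ["js.users.51.la"]},
    {"hops": ["http://shades-root.example/"],
     "registrar": "Registrar-B", "scripts": ["js.users.51.la"]},
    {"hops": ["http://legit-shop.example/"],
     "registrar": "Registrar-C", "scripts": ["cdn.legit-shop.example"]},
]

def host(url):
    return urlparse(url).hostname

def trackers(scripts):
    """Return the tracker services whose suffix matches a loaded script host."""
    return {suf for s in scripts for suf in TRACKER_SUFFIXES
            if s == suf or s.endswith("." + suf)}

def build_farms(records):
    """Group advertised domains by the root site that serves the final content."""
    farms = defaultdict(lambda: {"redirectors": set(),
                                 "registrars": Counter(), "trackers": set()})
    for rec in records:
        entry, root = host(rec["hops"][0]), host(rec["hops"][-1])
        farm = farms[root]
        if entry != root:  # the ad pointed at a redirector, not at the root
            farm["redirectors"].add(entry)
            farm["registrars"][rec["registrar"]] += 1
        farm["trackers"] |= trackers(rec["scripts"])
    return dict(farms)

def suspicious(farms, min_redirectors=2):
    """Roots fed by several distinct redirector domains."""
    return sorted(r for r, f in farms.items()
                  if len(f["redirectors"]) >= min_redirectors)

if __name__ == "__main__":
    farms = build_farms(CRAWL)
    for root in suspicious(farms):
        print(root, sorted(farms[root]["redirectors"]), dict(farms[root]["registrars"]))
```

A root reached only directly, such as the constructed `shades-root.example`, is not flagged by redirector count alone; tracker and registrar overlap with a flagged farm is the kind of correlation data that would tie it in.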

Facebook fraud organization structure

One of the most interesting aspects of the research is the system developed by cyber security expert Frank Angiolelli, which was able to automatically identify fraudulent content among a mass of legitimate sites while tracking correlation data.

The team of researchers identified a body of 225 individual counterfeit paid advertisements in an increasing exponential frequency curve commensurate with the resources assigned during a three-week period.

“The result is that in mere seconds, 95%+ fraudulent sites were identified while tracking and trending the hosting, registrars and software origins. False positives on legitimate websites during the study period started at >0.9% and decreased exponentially as the data set expanded. Only 2% of the nefarious websites seen in this study had been seized, and the pattern of replication we uncovered proves that advanced methods employed by this team are successful countermeasures to address this problem.” states the report.

The most popular registrar found during the investigation is “Godaddy”, which is primarily used to register pseudo-random Zombie Redirector sites. Outside of Godaddy, the remainder are mostly Chinese technology companies, with some notable exceptions. Cybercriminals are mainly using US hosting companies to deliver their fraudulent content.

Facebook fraud domains

The damage from the criminal conduct documented in the report falls directly on the intellectual property owners, but Facebook itself also stands to lose reputation. In the short term, the information collected by the researchers portends a concerning increase in fraudulent advertisements. The phenomenon does not concern Facebook alone: once proper countermeasures are deployed, fraudsters will abandon the popular social network for another vector.

Read the report for further information on Facebook paid advertisements.

Pierluigi Paganini

(Security Affairs – Facebook paid advertisements, Facebook, social network)

