Cybercrime abuses Facebook paid advertisements

A reading of an interesting study on the criminal abuse of Facebook’s Paid “Sponsor Ads” system to deliver nefarious websites to the users.

In the last weeks I presented on an interesting study of the techniques adopted by the cybercriminals organizations to abuse of the popular social network Facebook. The researchers Frank Angiolelli, Eric Feinberg, Ian Malloy issued a follow up on the analysis they presented titled “Facebook Paid Advertisements to Defraud“, it is an interesting study that analyze with you in this post.

Facebook, and any other social media platforms, offer a multitude of opportunity for cybercrime that could exploit the numerous services they provide, in particular the study evaluate how organized cybercriminals are leveraging Facebook’s Paid “Sponsor Ads” system to deliver nefarious websites to the user of the social network.

“These cybercriminals are paying Facebook to obtain sponsored advertisement space which is presented to the user without request or choice“

The investigation revealed that coordinated groups using multiple brand names in a mass distribution system affecting the entire ecosystem.

It has been estimated that every single user was presented with as many as 20 unique fraud advertisements in an 8 hour period on Facebook, as well as multiple repeat fraud websites. The Facebook frauds are managed through masses of redirector sites owned by ascribable groups employing varying evasive techniques to redirect users to their fraudulent content.

“The payment methods being employed by these websites are tied to numerous reports of fraud.Users who are tricked by a Paid Sponsored Advertisement send their money to nefarious groups with no recourse. There are two primary types of advertisements, a “root” website and a “zombie redirector” which equates to a farm of websites that can be submitted to Facebook. The root nefarious websites holds the actual content being delivered to the user.”

The researchers collected evidence that many fraudulent activities are attributable to Chinese actors that anyway adopted different techniques for bot management. Most of the content delivery sources are Chinese CDN networks

• CNZZ and 51.la are the most frequent CDN networks employed
• A majority of these websites have been developed using Chinese versions of software
• The code replication techniques are published under what appear to be Chinese names
• The registrars, outside of Godaddy, are primarily Chinese registrar technology companies.
• The genesis of this has Chinese origins – We intend to expand on this in our next paper

One of the most interesting aspect of the research is the system developed by cyber security expert Frank Angiolelli, that was able to automatically identify fraudulent content among  a mass of legitimate sites while tracking correlation data.

The team of researchers identified a body of 225 individual counterfeit paid advertisements in an increasing exponential frequency curve commiserate with the resources assigned during a three week period.

“The result is that in mere seconds, 95%+ fraudulent sites were identified while tracking and trending the hosting, registrars and software origins. False positives on legitimate websites during the study period started at >0.9% and decreased exponentially as the data set expanded. Only 2% of the nefarious websites seen in this study had been seized, and the pattern of replication we uncovered proves that advanced methods employed by this team are successful countermeasures to address this problem. ” states the report.

The most popular registrar found during the investigation is “Godaddy”, which is primarily used to register pseudo-random Zombie Redirector sites. Outside of Godaddy, the remainders are mostly Chinese technology companies, with some notable exceptions. Cybercriminals are using mainly US hosting companies to deliver their fraudulent content.

The criminal conduct evidenced in the report will fall directly to the intellectual property owners, but also the same social network Facebook will lose in reputation, in the short term damage the information collected by the researchers portend a concerning increase for fraudulent advertisements. The phenomena are not interested only to Facebook, once deployed proper countermeasures fraudsters will abandon the popular social network for another vector.

Read the report for further information on Facebook paid advertisements.

Pierluigi Paganini

(Security Affairs – Facebook paid advertisements, Facebook, social network)