Cybercrime abuses Facebook paid advertisements

A reading of an interesting study on the criminal abuse of Facebook’s Paid “Sponsor Ads” system to deliver nefarious websites to the users.

In the last weeks I presented on an interesting study of the techniques adopted by the cybercriminals organizations to abuse of the popular social network Facebook. The researchers Frank Angiolelli, Eric Feinberg, Ian Malloy issued a follow up on the analysis they presented titled “Facebook Paid Advertisements to Defraud“, it is an interesting study that analyze with you in this post.

Facebook, and any other social media platforms, offer a multitude of opportunity for cybercrime that could exploit the numerous services they provide, in particular the study evaluate how organized cybercriminals are leveraging Facebook’s Paid “Sponsor Ads” system to deliver nefarious websites to the user of the social network.

“These cybercriminals are paying Facebook to obtain sponsored advertisement space which is presented to the user without request or choice

The investigation revealed that coordinated groups using multiple brand names in a mass distribution system affecting the entire ecosystem.

It has been estimated that every single user was presented with as many as 20 unique fraud advertisements in an 8 hour period on Facebook, as well as multiple repeat fraud websites. The Facebook frauds are managed through masses of redirector sites owned by ascribable groups employing varying evasive techniques to redirect users to their fraudulent content.

“The payment methods being employed by these websites are tied to numerous reports of fraud.Users who are tricked by a Paid Sponsored Advertisement send their money to nefarious groups with no recourse. There are two primary types of advertisements, a “root” website and a “zombie redirector” which equates to a farm of websites that can be submitted to Facebook. The root nefarious websites holds the actual content being delivered to the user.”

The researchers collected evidence that many fraudulent activities are attributable to Chinese actors that anyway adopted different techniques for bot management. Most of the content delivery sources are Chinese CDN networks

  • CNZZ and 51.la are the most frequent CDN networks employed
  • A majority of these websites have been developed using Chinese versions of software
  • The code replication techniques are published under what appear to be Chinese names
  • The registrars, outside of Godaddy, are primarily Chinese registrar technology companies.
  • The genesis of this has Chinese origins – We intend to expand on this in our next paper

One of the most interesting aspect of the research is the system developed by cyber security expert Frank Angiolelli, that was able to automatically identify fraudulent content among  a mass of legitimate sites while tracking correlation data.

The team of researchers identified a body of 225 individual counterfeit paid advertisements in an increasing exponential frequency curve commiserate with the resources assigned during a three week period.

“The result is that in mere seconds, 95%+ fraudulent sites were identified while tracking and trending the hosting, registrars and software origins. False positives on legitimate websites during the study period started at >0.9% and decreased exponentially as the data set expanded. Only 2% of the nefarious websites seen in this study had been seized, and the pattern of replication we uncovered proves that advanced methods employed by this team are successful countermeasures to address this problem. ” states the report.

The most popular registrar found during the investigation is “Godaddy”, which is primarily used to register pseudo-random Zombie Redirector sites. Outside of Godaddy, the remainders are mostly Chinese technology companies, with some notable exceptions. Cybercriminals are using mainly US hosting companies to deliver their fraudulent content.

The criminal conduct evidenced in the report will fall directly to the intellectual property owners, but also the same social network Facebook will lose in reputation, in the short term damage the information collected by the researchers portend a concerning increase for fraudulent advertisements. The phenomena are not interested only to Facebook, once deployed proper countermeasures fraudsters will abandon the popular social network for another vector.

Read the report for further information on Facebook paid advertisements.

Pierluigi Paganini

(Security Affairs – Facebook paid advertisements, Facebook, social network)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 hour ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.