When Google got into advertising, they were relaxed about what ads they accepted. They happily ran just about any advert. But then two things happened.
1) the scammers came.
2) governments started holding Google accountable for running ads for online gambling and prescription medication. Google (and Microsoft and Yahoo) had to pay large fines for running ads for products and companies that governments saw as illegal.
As the years passed, Google has become ever more restrictive in what ads it will run. To the point where trigger-happy Google Adwords staff whose job is to approved ads reject many ads that are actually fine.
I think Facebook will go down the same path.
My main product is software used by poker players to track and analyse their winnings and losses. I haven't been able to advertise on Google for years, because the ad reviewers see the word 'poker' and demand proof that I am certified to running a gambling company in the locales I'm advertising in. I've given up trying to argue my case to Google that just because my product has the word 'poker' in the title doesn't mean I'm running a casino!
Facebook, however, still approves my adverts within a few hours. I'm expecting this to stop as Facebook tightens up after a few large government fines.
I have a lot of experience with the Facebook ad approval process from a stint running affiliate ads on the platform many years ago.
I was able to discover an oddity in the approval process, that created an arbitrage opportunity for me that was quite lucrative in the online dating space.
This was very nice since I had just finished college in 2008 and the global economy and job market stood in ruins all around me, and I really, really didn't want to get a 9-5 job.
My efforts were very tame (and within Facebook guidelines) compared to what other affiliates engaged in. At one end were cloaking scripts based on geolocation. Facebook ad reviewers were sent to one landing page, and visitors to another shadier and more profitable one.
But even more egregious, an affiliate acquaintance I met once bribed a Facebook employee, who set his account to autoapprove any ad he wanted. He used this to advertise Google Is Hiring: Work from Home credit card rebill offers. He told me he made $80,000 in the four days it took Facebook to discover it.
It was a cat and mouse game between Facebook and the affiliates in those days. This was after a short period where Facebook itself allowed these credit card rebills to be advertised on the site.
Affiliate marketing was a nice cash infusion for me at the time, but I am glad to have walked away from what is really the bottom of the barrel in the internet marketing world.
Ha, that reminds me of the cas where one of our advertiser's creatives kept getting disapproved by Google's creative approval process. The ad was for a family hotel somewhere in Germany. It took a while to find out why the creative got disapproved. After quite a bit of back and forth with our technical account manager, they finally told us because the landing page contained the word "casino". Except it's a German-language website, and in German, that word can have different meanings than just being gambling-related. And that family hotel most certainly did not provide any gambling facilities.
Facebook's ad platform is very mature, it was launched in 2007.
I think Facebook is able to let more questionable stuff run in part because the micro-targeting makes it easy to disperse bad stuff to narrowly targeted audiences. On Google, investigators could search well known pharmaceutical terms and it was plain as day the advertisers were breaking US law. It is kind of like putting crack for sale in your storefront window verse in the back behind a maze of doors.
From what I have heard first hand, Facebook's platform was much more difficult initially and now is more lax. This could be in part the sheer scale of their ad network and the difficulty in policing it, or everyone figured out which loopholes Facebook couldn't plug without screwing up their quarterly numbers.
Generally, the older an advertising platform the less mature it is. DFP is horrid and Liverail is a bit better than AdJuggler but less sophisticated than AOL's or SpotX.
Regarding Google AdWords, the scrutiny depends on your size. I am seeing a lot of ad scams in big companies. For example, looking for fiber optic Internet on an ISP without the offering and ending up on a fake landing page. Example (in Spanish): http://suscripcion.fibertel.com.ar/Servicio-Fibertel-12Megas... (from the query fibertel fibra optica)
Considering that Facebook lets you set the display domain separately from the actual link domain, this behavior seems entirely intentional. Convincing people to click on ads (by lying wholesale, in this case) is a crucial element of Facebook's business model.
This does seem like they're trading long-term trust for short-term profits - users will click on fewer and fewer sponsored posts as the number of deceitful posts like this increase.
I think the case for this is to be robust for the many legitimate ways that online marketers use ads and create landing pages.
Often marketing platforms (like Hubspot or whatever) lets you create multiple landing pages which might all be on a subdomain(s) to rather than handing full control of the root domain to the platform. In these cases, you wouldn't want pages.ctvnews.com to appear as the display domain.
Also not to mention the myriad of services and ways that act as a middleman for the click, in the same way that the link display on Twitter appears as ctvnews.com but it's actually a t.co link
Marketers can buy domains if they won't want to display a sub domain, and Facebook can check the final destination landing page. I mean, they already do! Every time you make a new ad they scrape the final destination for meta tags and content.
The issue is that they are hosting their pages on a 3rd party platform (HubSpot, Pardot, Unbounce, &c) and don't want to point root DNS at the landing page host or put bounce pages TO landing pages from the main site. They just wanna set up a pages. cname and run with it.
>For unsophisticated advertisers (i.e. with no referrer log analysis)
In that case most advertisers are unsophisticated. Even the biggest ad-networks/retargeting/tracking solutions all depend on redirect via their servers to their end customer.
I am constantly disappointed with the technical knowledge and understanding display by our advertising partners. A large number of them have almost zero understand of how the internet work. Of cause part of the problem is that as a developer you're inclined to point out that something won't work because it won't work 100% of the time. That a useless answer for the advertising department and you end up with duct taped solution that works well enough, but of cause create their own set of problems.
I've worked with multiple retargeting company and advertisement departments in the past, and I got the exact same conclusion. Most of the time the people in charge of "digital innovation" or "e-marketing" have absolutely no idea of what's going on behind the curtains. Even worse, their whole pricing model (ctr, conversions, ...) is hanging on broken solutions that "work most of the time". So, needless to say you often have to alter numbers/rates manually in AB testing reports to let them have clean numbers they can sale. Even if every tech knows how much bullshit is flowing in this industry, it's way easier to let the big ones have what they want than argue about how everything is broken (especially when you don't necessarily have a way to fix it).
I secretly suspect they -at least- know, but prefer to sweep these issue under the rug and that's why they prefer to involve as little technical people as possible. And that's why I don't work in this industry anymore and I won't come back to it until they've all burnt to the ground.
We currently have an issue where the company that handle our ad-tracking/referral payout track and want payment for the same orders multiple time. They honestly doesn't seem to understand the issue, customer will, sometimes, return to the conversion page (checkout-success page) multiple times, because people are just weird like that.
The fix is super simple: Their tracking pixel receive our order number, all they need to do is accept that it's unique and just tracking the first occurrence. Part of their problem is of cause that they switch to a new platform and didn't migrate any data.
Because many of the amount are so small, they just accept a ton of errors and as you say: "sweep these issues under the rug" because it's just a few cents so who cares. But it adds up.
I guess it'd be just downright impossible for one of Facebook's 10,000 employees to handle some bitly level analytics in order to counter rampant fraud.
or just ban those all together, no smart marketer wants others to see their stats, they should probably own their own domain or other tool that can do this type of analytics for them if they want such data.
Sadly this is likely the truth. Advertising is a unique business model that relies on thinking up increasingly creative ways of tricking users. When linkbait no longer works, lie about the source.
I was more referring to the fact that any given form of advertising basically fails by default after a certain time when people adapt to ignore it. The business therefore relies on continuously coming up with new ways to sneak content in to people's heads.
And all the scams revolve around pitching something that they aren't. Which is to say they require misleading "advertising" (or more generally - marketing).
Facebook already checks the URLs people link to for a final destination, they scrape metadata like title, photos, description. They need to add and enforce a rule like Google's.
I discovered something quite similar to this several months ago and tried to submit it as a bug report. One can easily make the display URL of any shared post be anything they choose (screenshot of spoofed whitehouse.gov link [1] and techcrunch.com link [2]), while the link actually goes to any site the user wants. I was told, quite simply, that it wasn't a bug. No one seems to care about the implications of this.
Well no, they do care about the implications. The implication being that by cutting out fraudulent but paying users, they will have fewer paying users.
Advertisers and the networks that serve them will never be on the consumer's side. If a consumer wanted to do what an advertiser wanted, the advertiser would be out of work. It's all subversion.
> Advertisers and the networks that serve them will never be on the consumer's side.
This is a danger, but in an optimal system, one that doesn't come into play. Advertisers pay for eyeballs, eyeballs are there because they haven't been driven away from the product by ads that ruin the experience.
Oh, and it gets worse in the shameless-clickbait category.
I've see frequently (and have documented) numerous cases of ads implying that a famous person has died (e.g. Sly Stallone, The Rock, Lamar Odom, Colin Kaepernick), luring clicks for details.
But what really disgusts me is the "Suggested Post" mechanism. In the past week alone, I've had "Suggested Posts" from people selling obviously counterfeit merchandise and sites that claim to be the "Official NHL/NBA/MLB Store", when they are not. And these include plain text that should be simple to parse and check, if they cared. (A more complicated strategy to catch is when the bogus claims are only in text within the ad image, like the oft-posted phony Ray-Ban Official Site.)
And Facebook (and especially the ad network who made the ad) makes money for every sucker served.
It still works the exact same way, except prepaid cards won't take you far at several thousand dollar spend per day per account. Residential IPs are needed and FB accounts with history (hint: have a look at craigslist). Also pre-warming the white hat ads can cost several thousand $. And yes - those can become the biggest spenders on FB.
Is it just me, or do other people actually LOVE this new trend of plugging your product/work/yourself through interesting blog posts? Like, I don't care how much $$$ this guy could spend on advertising --- this blog post is certainly far more effective in getting me to buy the product. I learned something, I was entertained, I now "trust" this individual, I got a great demo of the product's use... love it!
I hate ads and sponsored content but, like you, I loved this article. It's an easy read and the product doesn't play a fundamental role in the technical analysis or getting the message across. It's not shoved in my face. I learned something new (ad fraud on Facebook) and became aware of this guy's product without hating the process. Good balance.
One could argue that it's a huge piece to get a one-liner across, but I feel that's true about a lot of news stories, so base rate fallacy applies.
In general I don't mind the idea but this article sounded forced. I don't think I needed a run down of how their product worked to be told that Facebook lets advertisers pick a display URL that doesn't have to be related to the target URL.
If they just said that and put the ad target to their domain I wouldn't have minded.
* I used to use just uBlock origin, but things work so much better with privacy badger. There must be some kind of code to indicate "yeah, yeah, you're tracking me so well" because I don't get nearly as many broken sites. Third party comments don't work (like disqus), but HN is about the only place comments add value.
Fraud, malware, deceit unwanted intrusions are reasons to block all advertising. Facebook or otherwise, they are becoming the norm. We see this over and over again. It is past time to take a stand.
On a related note. Does anyone know whether or not there are advertising groups that provide single line, vetted ads (single line could be small non-intrusive ads) to be embedded into a site rather than injected from an ad network? There has to be SOME good actor providing single line unobtrusive ads like the old google ads.
FB should really be doing a bit more review when displaying popular websites - flag them for quick further review. For instance, how many legit CNN accounts do they have?
But this seems to be the norm. Google displays highly misleading ads, especially on mobile. I see fake virus scans, "fix battery issues" and other junk. Google's main search ads had malware downloads, even for popular things like Skype. (And Chrome?)
Microsoft's store had many misleading apps, including fake Netflix apps. It took several interactions between MS and Netflix to get that sorted, and MS still ran fake apps (paid!) for popular software and movies. MS wouldn't even deal with ISVs that complained. Hell, the Windows Store even carried a fake version of Windows at one point! They didn't (don't) verify any details, such as publisher name. For a while, typing "Facebook" into the Start Menu brought up a fake FB app. This should put W10's invasiveness into new light: MS is not competent when it comes to this kind of stuff.
I do wonder how much money this stuff brings in. Is it a significant percent of business for these companies? It can't just be simple incompetence -- in MS's case, they sometimes paid for the junk apps.
I'm still sort of surprised that this junk can make enough money for people to advertise it though. Guess even 20 years after the net started getting popular, there's still enough unsavvy people to scam.
Why isn't Facebook doing domain verification for the display domain? There are plenty of ways (email to well-known account, DNS records, etc.) to verify domain ownership. Google is doing that and I'm sure plenty people at Facebook are familiar with the concept.
From a legal perspective, I wonder if the legitimate sites can sue Facebook over that, or if there's a case for class action on behalf of users.
In any case, I don't buy any arguments that claim this is intentional to help actual advertisers or an oversight. From a security standpoint this is a spoofing tool and without any kind of validation or verification it should be clear what this tool is being used for. Facebook's in the business of collecting and analyzing data, and I'm sure they know very well that it's being misused.
is, for one thing, not robust against cloaking (if malicious advertisers see the request coming from a Facebook IP, they might actually redirect to the displayed domain).
this is a shared service and the operators of this service have gotten pretty good at catching FB when they do this... they will just add the last 10 IPs that saw the banned ad, to their list of IPs to only show a "safe" page to. then everyone paying into the service has that rule.
Like you say it could be circumvented, but facebook doesn't try even that (the blog author tried it himself/herself and didn't need any circumvention techniques)
He clearly states that security is about raising the bar as high as you can. You can't build a bulletproof system, but you can make systems that are not trivial to game.
They can detect that a redirect has happened, but not the logic that determined which destination to display. If a redirect happens no matter what (this is very, very common for advertisement landing pages to track campaign visibility) then the presence of one is not necessarily malicious.
Because the actual URL is often some metrics or ad-billing service which is supposed to redirect to the target. This is quite common on Google as well as on Facebook.
While this is a good answer to the people saying "clearly facebook is trying to abet fraud by making these fields independent of each other", there is no technical reason why you couldn't parse the target URL from the actual one -- it's easy to hit the actual URL and parse the redirect you receive.
That opens you up to a URL which redirects you somewhere trustworthy when you check it but redirects later ad-clickers somewhere shady when they check it; mitigating that is harder but approachable.
I wonder if Google sample checks where those redirects go. They usually do seem to end up where they're supposed to.
The problem with checking them is that if you make the check look just like a normal click-through, the advertiser gets billed for a click by their ad broker.
Correct. While we do use Facebooks tracking for ads placed on Facebook, traffic from all other source is piped through a partner that does referral tracking and ensure that we aren't paying out commission to more than one referrer per sale. I easily imaging someone wanting to funnelling everything through one advertising/tracking partner for simplicity.
Facebook needs to ensure that their setup works in a way that the rest of the business expects. What Facebook seems to lack is the resources and dedication of Google to find the fraudulent ads.
It could also mean that the fraudster made enough money and decided to bail on the campaign and tear down all of their infrastructure. Tough to confirm either way.
Or the ads simply did not generate a positive ROI. I have read that Facebook advertising (especially for US traffic) is very expensive and tends to not convert well. I often see people run Facebook ads for non-scammy purposes (for example three months ago James Altucher ran Facebook ads for his books, and those ads are gone) and then pull them down , presumably because the conversion is crud. No one ever pulls a successful advertising campaign because they 'made enough money'.
This. It's all fine and well he's getting lots of clicks but is he actually converting them to revenue? If all he's doing is an ad arbitrage mode (i.e. Hope visitors click on Adsense ads) he's doomed because that will never succeed.
To both you and the parent... I can promise you he made money. Affiliate advertising is rampant on Facebook because of how profitable it is. They do anton of shady things because Facebook actively tried to shut them down. This person is 't doing view arbitrage, theyre clearly doing affiliate marketing and I know it accounts for no less than several hundred million per year in revenue for Facebook.
I've done my share of affiliate marketing in various channels, and Facebook was by far the least successful for me. The guy in this piece doesn't seem to be targeting based on fans of that supplement, or something very targeted. He'd be lucky to get a 1% conversion rate. If I was a betting man, I'd wager it wasn't successful at all. He'd have better luck targeting keywords in Adwords, and preventing those ads from being seen in the city the supplement makers are based at, or something sneaky.
Usually infomercial type blog posts like this turn me off both the content and the product, but this is a pretty great example of how to pimp your product through genuinely interesting content. I've rarely seen it done this well.
I've been running ads for a bit now on Facebook. Compared to googles ad stack, Facebook's feels definitely more unrefined, to say the least, than Google's. Sometimes basic things on Facebook's platform simply do not work.
Their ad approval process is random. I've had ad's that were not approved, resubmit for "automatic" approval. (Keep trying till it passes into the sample group of Auto-Approve, it's an older account?)
All that said... I know Facebook was under pressure after their IPO to get revenue coming. They've figured out now how to monetize their traffic base and marketers are flocking to their platform. I expect that over time you're going to see slow tightening of their policies, especially as marketers learn to exploit it. It's still impossible to get someone on the phone from Facebook if you have a problem and though you can generate very low cost CPA actions from facebook, it's dangerous to bet big on them right now as this article points out, change is going to have to come.
Actually having been at Google and later at a search engine dealing with people trying to do these sorts of games, the FTC in particular is pretty active in this space as are the various states attorney generals. And there are liability issues which have been litigated several times, the biggest one I know of being the Canadian Pharmacy ads on Google, where fines are paid and the user experience is damaged.
So I am pretty confident that they don't allow this stuff on purpose just for profits. I can believe they are slowly walking up the learning curve of how they can be defrauded, and it is slow. You have to train a lot of people. But it gets better. Now if I were in a leadership position in Facebook's advertising group this would be on my list of top priorities to get done.
Here's another "bug" I noticed today: if your browser window is "too narrow", for example because you're using that widescreen to have two windows open at once, you get a horizontal scrollbar and ads display like this:
Yes, someone's being charged for an ad where even if I scroll I can only see a few pixels on the left. If I make the window a bit narrower I don't see it at all, but it's presumably still an "impression".
I've been seeing an uptick in the number of spam relays coming from Facebook attempting to use Neocities for the landing page (or often times a redirect to a landing page elsewhere). We shut the sites down very quickly and the scammer finds a slower and less responsible service eventually. Still, Facebook needs to take better action here to deal with spammers and it's definitely gotten worse lately. They have a ton of money, no excuses here.
Perhaps we can also do an education campaign so that people don't think buying dick pills from scrambled domain names is a good idea. A Youtube video ad starring Ron Jeremy with the motto "Size Doesn't Matter".
Laughed way too hard at the code suggestion. Fantastic write up.
Genuinely shocking that Facebook allows such an easy loophole undetected. Or maybe they know it.
there are similar loopholes in other ad networks, if you want to play in those sorts of things. this is not a unique problem, its just that facebook is the largest and most obvious target. Those that made their money when it was much easier are selling off their knowledge, nowadays thats more lucrative then playing the cat and mouse game.
These ads are appearing on more reputable news sites, but for things like gambling. The story line is almost always about a guy who is left by his woman and he gets revenge by winning big. There are a list of "Facebook" comments, and they make sure a few of them state that it's a scam, which makes it look more legit.
I see a lot of posts suggesting what FB should do about this (as if they have incentives to change things; they don't) but perhaps we should focus on informing end users about the dangers of ads and how to properly use an ad-blocker. What would really be great is for the tech community to provide solutions that regular non-techie users can use. For example, if Firefox started bundling anti-ad functionality into its browser.
The age of debating whether ads are acceptable or not is long passed; ads are not acceptable because they are malware. Period. We should be teaching people how to avoid malware and that means avoiding all ads. How can we expect FB to fix this problem when they are causing the problem and they are profiting from it? On the other hand, putting ad blocking technology into the next Firefox would not only fix a huge chunk of the problem, but also send a clear message from a huge fraction of web users that malware is not acceptable in any form, including in ad form. I can't think of a better solution.
I recently got an ad from the same vendor that lead to the same landing page. Only the ad caption had to do with Sylvester Stallone "revealing his dark secret" in my case. I never click these things but the "cnn.com" part fooled me.
I surprised that so far in the comments, no one has brought up the R word. "Revenue" How much revenue is fb getting for allowing this? Their income has suddenly jumped dramatically in the last few years. 26K Clicks is pretty good income imho.
facebook is rife with this kind of stuff, there are whole business' setup(that also advertise on facebook) to help you skirt this stuff.
i know a number of people that play in the space spending 6 figures a month doing this... they wouldnt be hard to catch, if you tried, but why would facebook want to get rid of that revenue until absolutely forced to? and imagine, i only know a handful of them.
1) the scammers came.
2) governments started holding Google accountable for running ads for online gambling and prescription medication. Google (and Microsoft and Yahoo) had to pay large fines for running ads for products and companies that governments saw as illegal.
As the years passed, Google has become ever more restrictive in what ads it will run. To the point where trigger-happy Google Adwords staff whose job is to approved ads reject many ads that are actually fine.
I think Facebook will go down the same path.
My main product is software used by poker players to track and analyse their winnings and losses. I haven't been able to advertise on Google for years, because the ad reviewers see the word 'poker' and demand proof that I am certified to running a gambling company in the locales I'm advertising in. I've given up trying to argue my case to Google that just because my product has the word 'poker' in the title doesn't mean I'm running a casino!
Facebook, however, still approves my adverts within a few hours. I'm expecting this to stop as Facebook tightens up after a few large government fines.