Disassembling the Woolworths Facebook scam (troyhunt.com)
126 points by wglb on Nov 18, 2012 | hide | past | favorite | 26 comments



I've spent ~15 years in online advertising and this sure isn't limited to just being a "Facebook scam".

This style of advertising called "incentivized co-registration" (co-reg / co-reg path) (1) has been a long running plague - as far back as 2008 the FTC penalized ValueClick ~$3m (2) for this exact same thing as it's deceptive.

On the front-end you've got Facebook, Microsoft, and Google (to name a few) making money hand over fist letting these co-reg paths buy their media.

(As an aside Bing is well known to be the loosest with regulating compliant advertising which is just sad given that it impacts the MSFT brand.)

On the back-end you've got brands like Netflix, Nokia, Guinness, GAP, etc etc that lend themselves to being on the co-registration path and offering a variety of offers like "Join our newsletter etc" so they can then market to the consumers that say yes.

Again, great in concept - fill out your information once to enter for a "prize" and then select brand offers that you're interested in.

The problem is that most of the guys running the actual paths - buying the media etc - are small affiliate marketers. These are one to five man teams that slap together a variety of these co-reg offers from the "legit" co-reg company APIs.

So you'll see the big co-reg companies bragging about how they power the USAToday.com registration process, but the reality is many of them make the bulk of their revenue through their API sets and affiliate programs, which they leave damn-near unregulated (unless put under the microscope).

So every now and again the FTC hammers a few of these small timers, but the reality is an affiliate - doing "ok" - can make anywhere from $10 - 100k/mo in profit just doing what I describe above - build some direct-response landing pages, pull brand offers from the co-reg company apis, and buy media from companies that love to sell it, and don't look too hard for reasons not to.

So anywho I love getting on my soapbox but it's insane how many huge companies benefit from these scams, and how simple it is for them to have deniability due to the ecosystem of using these small timers on the front end.

(1) A great breakdown of "what is" co-reg advertising http://www.coregmedia.com/demos/demo-pub.php

(2) FTC Settles w/ValueClick http://www.ftc.gov/opa/2008/03/vc.shtm


They aren't all co-registration sites. Some of the examples are CPA (cost-per-action), where submitting email, taking phone surveys, submitting zip, etc generate revenue for the site owner.


> So anywho I love getting on my soapbox but it's insane how many huge companies benefit from these scams, and how simple it is for them to have deniability due to the ecosystem of using these small timers on the front end.

The same structure drives multi-level marketing, off-shoring/outsourcing manufacturing/recycling/garbage-hauling to sweatshops/polluters/mafia, and the junk mortgage bubble / global financial crisis.


I'm glad to see this blogged about as it was on my todo list. I have numerous previous examples of this scam as well if people want to compare and contrast (free sunglasses [Oakleys], free headphones [Beats by Dr Dre], etc).

What annoys me most about this is the scam is only spread through exploiting human nature and not advanced technology. The code is literally almost exactly the same each time yet nothing has been done by Facebook to prevent it. Fingerprinting this is certainly not impossible (every example I've seen is formulaic and even starts the counter at 973) and I'm surprised Facebook doesn't have an advanced spam fighting arsenal that's effective against it.

Does anyone know what tools they use to combat this sort of thing? Machine learning would work really well here considering numerous past examples and the fact you're only interested in links that are spreading virally. Even if you needed a human being for final confirmation before blocking the site, you'd knock out a link once and it'd positively impact tens of thousands of people. I'd be shocked if using bit.ly and a few other obvious spammy redirects was all you needed to trick Facebook...


Hi, my name is Abe, and I'm an engineer at Facebook working on the team that prevents these kinds of scams from spreading on the site. As you suspect, we actually do have a bunch of tools that detect attacks like this (and others), but they're not perfect, and you never really see when they work, only when they don't.

In cases like this, you're right that there are often obvious content patterns. However, enforcing on or detecting those doesn't really scale, as they're trivial for the attacker to change. Instead, we try to focus on aspects of an attack that are much more expensive for the attacker to change. One component of our systems that detect this does involve looking at metadata about URLs, and running it through some machine learned classifiers (you're correct that simply using bit.ly is insufficient to stop us).

Regardless, we've taken care of this particular instance of the attack and are always working to systematically improve our detection and mitigation systems. Let me know if you're interested in helping us out in this effort!


Presumably the 'AL' country code test was included so the Albanian "John Smith" could/can examine the live website without being directed straight to Google.


Correct. The Woolworths one had checks for "IN" || "AU" else it would redirect to Google. That domain was registered to an Indian address.
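The two detection ideas raised in this thread, URL metadata run through a classifier rather than content fingerprints (the "973" counter), and the country-code gate that sends every non-target visitor to Google, can be combined into one defender-side check. The following is an added example, not Facebook's system and not code from Troy Hunt's post. Everything in it is constructed: `fake_fetch` stands in for the network and mimics the `"IN" || "AU"` gate described above, `scam.example` and `news.example` are placeholder hosts, the shortener list and vantage-point countries are assumptions, and the hand-chosen weights in `WEIGHTS` stand in for a trained classifier.

```python
"""Flag shared links that redirect differently depending on the visitor's country.

Added illustration; the fetcher, hosts, weights and thresholds are all constructed.
"""
import hashlib
from urllib.parse import urlsplit

# Assumption: a short list of well-known URL shorteners.
SHORTENERS = {"bit.ly", "t.co", "goo.gl"}

# Assumption: the countries our crawler can appear to come from.
VANTAGES = ("US", "AU", "IN", "DE")


def fake_fetch(url, country):
    """Constructed stand-in for an HTTP fetch seen from a given country.

    Returns ("302", target) for a redirect or ("200", body) for a page.
    The scam.example host reproduces the behaviour the thread describes:
    a couple of countries get the landing page, everyone else is bounced
    to a search engine so reviewers and crawlers never see it.
    """
    host = urlsplit(url).netloc
    if host == "bit.ly":
        return ("302", "http://scam.example/win")
    if host == "scam.example":
        if country in {"AU", "IN", "AL"}:
            return ("200", "<html>Voucher! Only 973 left</html>")
        return ("302", "http://www.google.com/")
    if host == "www.google.com":
        return ("200", "<html>search</html>")
    if host == "news.example":
        return ("200", "<html>an ordinary article</html>")
    return ("404", "")


def resolve(url, country, fetch=fake_fetch, max_hops=10):
    """Follow redirects from one vantage point; return (chain, final body)."""
    chain = [url]
    for _ in range(max_hops):
        status, payload = fetch(chain[-1], country)
        if status == "302":
            chain.append(payload)
            continue
        return chain, payload
    return chain, ""  # redirect loop or too many hops: treat body as empty


def url_features(url, shares_last_hour, fetch=fake_fetch):
    """Metadata features that are costly for an attacker to change.

    Content strings (the 973 counter) are deliberately not used; the page
    text is trivial to vary, the geo-cloaking behaviour much less so.
    """
    results = {c: resolve(url, c, fetch) for c in VANTAGES}
    chains = [chain for chain, _ in results.values()]
    final_urls = {chain[-1] for chain in chains}
    body_hashes = {hashlib.sha256(body.encode()).hexdigest()
                   for _, body in results.values()}
    return {
        "uses_shortener": urlsplit(url).netloc in SHORTENERS,
        "max_hops": max(len(c) - 1 for c in chains),
        # Different final destination or page depending on visitor country.
        "geo_divergent": len(final_urls) > 1 or len(body_hashes) > 1,
        "shares_last_hour": shares_last_hour,
    }


# Assumption: hand-chosen weights standing in for a learned model.
WEIGHTS = {
    "uses_shortener": 1.0,
    "multi_hop": 1.0,       # two or more redirects
    "geo_divergent": 3.0,   # the strongest single signal here
    "viral": 2.0,           # spreading fast, worth a human look
}
REVIEW_THRESHOLD = 4.0


def score(features):
    s = 0.0
    s += WEIGHTS["uses_shortener"] if features["uses_shortener"] else 0.0
    s += WEIGHTS["multi_hop"] if features["max_hops"] >= 2 else 0.0
    s += WEIGHTS["geo_divergent"] if features["geo_divergent"] else 0.0
    s += WEIGHTS["viral"] if features["shares_last_hour"] > 1000 else 0.0
    return s


def classify(url, shares_last_hour, fetch=fake_fetch):
    """'review' sends the link to a human queue; 'ok' lets it through."""
    return "review" if score(url_features(url, shares_last_hour, fetch)) >= REVIEW_THRESHOLD else "ok"


if __name__ == "__main__":
    for link, shares in (("http://bit.ly/abc123", 5000), ("http://news.example/story", 10)):
        print(link, url_features(link, shares), classify(link, shares))
```

The point of fetching from several vantage points is that the cloaking itself becomes the evidence: a link whose destination depends on where the visitor appears to be is suspicious regardless of what the landing page says, and changing that behaviour costs the operator the very mechanism that hides the page from reviewers.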


I presume one of the purposes of the redirect is so that the person testing the ad at Facebook never sees the scam.


What confuses me is the (relative) sophistication of some of these scams juxtaposed with some really shoddy website designs that scream "scam" to me.

When scammers and phishers learn to put together a semi respectable design or even simply copy the designs they are trying to imitate more precisely they would be far more successful.


I've always been curious about that as well.

Although it doesn't entirely answer your question, you might find this paper to be interesting: "Why do Nigerian Scammers Say They are from Nigeria?" http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf


Or perhaps it is a worst is better type of thing and the crappier designs convert better for their purposes. Hmm.


possibly.

perhaps people more readily identify with a site written with the same spelling and grammar mistakes they use, and trust the site more over those "educated" sites where "proper grammar" and "correct spelling" are just lorded over you and rubbed in your face. the crap website might be a kind of kindred spirit, just waiting to befriend the intellectually downtrodden.


Ugly designs can convert better in some situations, and the people making these sites are very likely tuning their sites to convert the best. Also, by making things unattractive to you, the scammers can filter for the people more likely to fall into their trap.


Most scams might have a terrible success rate, but the scammers still make a lot of money. Over $80mil in scam losses were reported to the Australian Government last year; a surprising amount were from Nigerian style scams and the like that you'd think nobody would fall for. For every person that is willing to send money via Western Union to some guy in Nigeria, there would be thousands who would click through these links.

2011 Scam report by Australian Government is here: http://www.accc.gov.au/content/index.phtml/itemId/1039349 I've passed your research onto the authors of this report, thanks for sharing it.


I have seen probably 5 or 6 Facebook friends fall for this one. The typical profile is of a mother who isn't very tech savvy but likes the idea of free stuff.


The redirects are generating fake ad clicks for the scammer, it's very common and probably the main source of revenue for this "campaign".


Nope. Can't get paid to redirect to a (2nd) url but still have that (2nd) url redirect to somewhere else. They tend to redirect to another url/company when they don't have an offer to send to that IP address sometimes too.


The "scammer" is making money off the submits and not the clicks.


I've seen this scam while in Android apps and like to click the ad every now and again just to cost them a little more money (though it is a shame it is not easy to report as a better alternative).

But as a marketeer I recommend looking at scam email/ads from a professional POV. Quite often they are great examples of marketing and how to communicate effectively. Just please apply this to a more honest motive.


Can someone break down how the scammers are making money on this? Think of me as a complete idiot ;)

It seems that they are simply affiliates of these various sites and get a small percentage for signups? Is that correct? how much can they reasonably hope to make from something like this?


It looks not like a scam-taking-your-money-away, but rather like a scam-register-for-a-fake-prize-and-we-get-paid-by-affiliate type. So it is less harmful; that's why I am not sure if the word "scam" is appropriate. But it definitely wastes time and might put a bunch of spyware on your machine while you are going through this process.


Companies usually pay per lead $x amount. Most often you see them in the form of email submits, where if you "just put in your email" you will get a Target gift card. A successful email might yield you $.25 depending on the offer.


I think you should blur the names in the Customer Outrage section.


The whois record:

Administrative Contact: James Smith
Lagja e vjeter --- the name of the neighborhood: old neighborhood
tek pallati cope cope --- name of the building
Elbasan, Albania n/a --- city
Albania
ilovefbinfo@gmail.com
+355 692207020 --- some poor guy's number

It's odd to find Albanian scammers; usually they suck at programming. The number should be working.

Spamming is a problem here in Albania. By checking my submission history you will find that I currently talked to a spammer and even reported him, but nothing was done (not even a response from the host).

He was telling me it is effective and you should do the same if you can.


It's unlikely an entire race "sucks at programming." It's a skill like any other and can be learned to varying degrees.


Well, at least Facebook does their very best to coordinate with law enforcement to take down those who use their platform for scams.

jerk-off gesture



