Facebook Allowed Political Ads That Were Actually Scams And Malware
Reprinted with permission from ProPublica.
Update: This story has been updated to clarify Facebook’s ad-review process.
In September, an ad with the headline, “New Approval Ratings For President Trump Announced And It’s Not Going The Way You Think,” targeted Facebook users in the U.S. who were over 40 and labeled as “very liberal” by the tech company.
“Regardless of what you think of Donald Trump and his policies, it’s fair to say that his appointment as President of the United States is one of the most…,” ran the text. “Learn more.”
At least some people who clicked on this come-on found their computers frozen. Their screens displayed a warning and a computer-generated voice informed them that their machine had been “infected with viruses, spywares and pornwares,” and that their credit card information and other personal data had been stolen — and offered a phone number to call to fix it.
Actually, the freeze was temporary, and restarting the computer would have unlocked it. But worried users who called the number would have been asked to pay to restore their access, according to computer security experts who have tracked the scam for more than a year.
Russian disinformation isn’t the only deceptive political advertising on Facebook. The pitch designed to lure President Donald Trump’s critics is one of more than a dozen politically themed advertisements masking consumer rip-offs that ProPublica has identified since launching an effort in September to monitor paid political messages on the world’s largest social network. As the American public becomes ever more polarized along partisan lines, swindlers who used to capitalize on curiosity about celebrities or sports are now exploiting political passions.
“Those political ads, especially right now if you look at the U.S., they are actually getting more clicks,” said Jérôme Segura, lead malware intelligence analyst at anti-malware company Malwarebytes. “Where there are clicks, there is going to be interest from bad guys.”
The ads, supplied by ProPublica readers through our Political Ad Collector tool, lured Facebook viewers with provocative statements about hot-button figures such as former President Barack Obama, Ivanka Trump, Fox News commentator Sean Hannity and presidential adviser Kellyanne Conway.
Clicking on the headline, “Sponsors Pull out From His Show Over This?” — over a photo of Hannity with MSNBC commentator Rachel Maddow — led to a page styled to look like the Fox News website. It offered a free bottle of Testo-Max HD, which it described as a cure for erectile dysfunction, although it isn’t approved by the FDA. People who sign up for such free nostrums are typically asked to provide credit card information to pay for shipping and are then automatically charged almost $100 a month, according to reviews online.
Although these scams represent only a tiny fraction of the more than 8,000 politically themed advertisements assembled by the Political Ad Collector, they raise doubts about Facebook’s ability to monitor paid political messages. In each case, the ads ran afoul of guidelines Facebook has developed to curb misleading and malicious advertising. Many of the scams had also been flagged by users, fact-checking groups and cybersecurity services — even the Federal Trade Commission — long before they appeared on the social network.
Moreover, most of the sites may have warranted special attention because they had been registered within the 30 days before users sent them to our Political Ad Collector. Paul Vixie, the co-founder of San Mateo, California-based computer security company Farsight Security, said new website domains are more likely to be shady, because fraudsters often shut sites down after days or even minutes and open new ones to stay ahead of authorities looking to catch them.
As the midterm elections heat up, such cons are likely to proliferate, along with more devious forms of information warfare. Facebook Chief Operating Officer Sheryl Sandberg recently said in an interview with Axios that the social network had missed “more subtle” election interference in part because its security team had been focused on “the biggest threats” of malware and phishing — tricking people into revealing their personal information. Based on ProPublica’s findings, it’s unclear if the world’s largest social network can handle either challenge.
Facebook officials told ProPublica that the company is trying to improve its ability to stop harmful advertising, including malware and frauds, but is aware some bad ads get through its defenses. “There is no tolerable amount of malware on the site. The tolerance is zero, but unfortunately that’s not the same as zero occurrence,” said Rob Goldman, Facebook’s vice president of ads. Goldman said of the 14 deceptive ads ProPublica identified, 12 were removed by Facebook before ProPublica contacted the company in November. Facebook took down the other two after ProPublica alerted it to the ads.
He declined to identify the specific tools, such as computer virus databases or popular fact-checking website Snopes.com, that Facebook uses to inspect ads. “It’s bad if the bad guys learn how we enforce,” he said.
To be sure, malicious advertising — also called “malvertising” — likely will never be stopped fully, several cybersecurity researchers said. Segura said other internet ad companies, not just Facebook, showed similar lapses by letting such ads through. Still, the persistence of these ads on Facebook suggests the company doesn’t have adequate oversight in place to stop problematic ads before they run.
Malvertising tactics that have been reported publicly, “should be dealt with and done,” Segura said. Instead, they continue to show up — including in the Facebook ads collected by ProPublica — indicating that “the core issue hasn’t been addressed,” he said.
Traditionally, Facebook has been reluctant to manually review ads before they show up on its platform. In a recent video announcement outlining the company’s response to misleading political ads from Russia during the 2016 election, Facebook’s CEO Mark Zuckerberg reiterated that stance. “Most ads are bought programmatically through our apps and website without an advertiser ever speaking to someone at Facebook,” he said. He can’t guarantee, he added, that Facebook will “catch all bad content” in its system. “We don’t check what people say before they say it and frankly, I don’t think society should want us to. Freedom means you don’t have to ask permission first, and that by default you can say what you want.”
Under pressure from its users and lawmakers, Facebook has said it is trying to become more proactive, instituting rules to evaluate ads and posts and block or limit those it deems misleading.
The social networking giant has long had rules against fraudulent ads and those that lead people to “any software that results in an unexpected or deceptive experience.” Last year, it rolled out a policy to prevent “low quality or disruptive content” providers from placing ads, saying that ads should “link to landing pages that include significant and original content that is relevant” to the ad, and that they should not “include deceptive ad copy that incentivizes people to click.” In May, Facebook announced it had stepped up measures against “misleading, sensational and spammy” ads and posts. The company said it had used artificial intelligence to figure out which new pages shared on Facebook were likely to be low quality, which the company defined as having “little substantive content” or a lot of shocking or scammy ads. If its algorithms determined a post was likely to link to that sort of web page, it said, the post “may not be eligible” to be used in advertising.
Since 2014, Facebook has also intensified its efforts to crack down on so-called “clickbait,” which it says includes “headlines that intentionally leave out crucial information, or mislead people, forcing people to click to find out the answer.”
All the consumer rip-off ads recorded by ProPublica violated one or more of these rules.
It is unclear how many people have been cheated by such ads on Facebook. ProPublica’s sample is not random or representative, and the vast majority of politically themed ads ProPublica saw were legitimate. But what seems like a small annoyance for the social network can be a big headache for hundreds or thousands of people. For example, Facebook recently told lawmakers that only about 0.004 percent of the content on its news feed from June 2015 to August 2017 was related to the Russian Internet Research Agency’s influence campaign — but that meant 126 million Americans may have seen such items.
The Facebook scams are the latest in a long line of deceptive campaigns using digital ad technology, said Robyn Caplan, a researcher who studies algorithms and media at the New York-based Data & Society Research Institute.
They are “building off of really well-worn techniques with advertising in the ’90s,” she said. At that time, scammers started using techniques to manipulate search engine algorithms and promote their own pages. “Clickbait” and similar tactics arose as a way to entice web users.
On Facebook, though, hucksters can take their manipulation to the next level because the company gathers so much data about people and allows advertisers to target messages based on that data. So scammers can ensure their clickbait is seen by the people they think are most likely to fall for their outrageous headlines.
The political scam ads identified by ProPublica had certain traits in common. At least seven were associated with a scheme that sends readers to a web page containing a snippet of malicious computer code, or malware, to lock up the user’s computer. Those included the ad featuring Trump’s approval rating, as well as ones headlined “Ivanka Trump Has Actually Responded to Her Dad’s ‘Incestuous Comments’ About Her” — which were also targeted at “very liberal” people over 40 — and “This Barack Obama Quote About Donald Trump Is Absolutely Terrifying,” for which we couldn’t identify the target audience.
Typically, after their computers are frozen, users are instructed to call a toll-free number. Our calls to that number in the weeks after the ads ran went unanswered, but people who track this particular hoax say the perpetrators usually ask for money or login information to fix the person’s machine.
These attacks, known as “tech support scams,” have been a common problem for several years, said Will Maxson, the assistant director of the division of marketing practices at the Federal Trade Commission who has been fighting them since 2013.
Maxson said when he started, the scammers called potential victims on the phone and claimed to be from Microsoft or Apple. They have since also adopted more sophisticated techniques, including the computer-locking code seen by ProPublica.
We couldn’t figure out who was behind the tech support scams we found. The accounts used fake names such as Facts WorldWide and News Express. Website registrations for the sites used in the ads, which had addresses such as poolparty9.info and factsforyou.info, used a service that masked the actual address. Clues on one related site and in the malicious code pointed to people in India, but such details can be easy to fake, and attempts to contact the people went unanswered.
Facebook isn’t the only company to have overlooked the tech support scam. The ad about Trump’s approval rating used a known flaw in web-browsing software that can be exploited to eat up all available memory, making the computer freeze. This browser vulnerability was first reported in 2014 and has been used by tech-support fraudsters for about a year, Segura, the malware researcher, said. But Safari and Microsoft’s newest browser, Edge, were the only ones with a fix when the ads ran. A spokesman for Google, which makes the Chrome browser, said the company had introduced an “initial patch” for the bug in September but was still working on improving protections against the flaw. A spokesman for Mozilla, which makes the Firefox browser, said the organization plans to fix the problem in an upcoming version.
Even if this flaw were fixed, there are other vulnerabilities that tech support fraudsters commonly use to lock up computers, such as trapping a user in a pop-up screen.
To hide their activities from Facebook’s automated scanning tools, almost all of the scammers used a technique called cloaking. Typically, cloaking involves running bad content only at certain times or to selected audiences, redirecting some people to a separate website, or automatically altering the content depending on who is looking. In August, Facebook issued a press release detailing how the company was using artificial intelligence to uncover cloaking.
One version of the ad about Trump’s approval ratings sent users to a site named poolparty9.info. When we first saw it on Sept. 25, that site automatically funneled many users to another site — more-updates.tech — which had the bad code to lock up their machines. When we rechecked the ad later, poolparty9.info was blank and didn’t send people anywhere else. Presumably, computer security experts told us, poolparty9 would have kept any Facebook scanners it detected on the same blank page, rather than referring them to more-updates.tech.
Cloaking also protected a set of ads proclaiming that Kellyanne Conway was leaving the White House. The reasons for her departure given in the linked article changed depending on the user’s choice of browser. In Firefox, the site said she quit her job to sell Allura Skin cream, but when an automated internet archiving service — similar to a tool that a company like Facebook might employ to scan ads —visited the same site, the story merely said Conway had left, and didn’t say what she planned to do.
ProPublica’s tool collected at least five different versions of the Conway-related ad. They linked to sites such as cashmillionaire.info and jumping-jimmies.info, which were registered using the email address firstname.lastname@example.org, according to DomainTools, a Seattle-based computer forensics service. These sites encourage visitors to sign up for a free trial of skin cream and ask for credit card information to pay only for shipping. But consumers are then charged nearly $100 automatically for each small vial of cream, according to Snopes.
Cloaking is supposed to trick companies like Facebook by showing them legitimate websites and pages. But in these cases, even the sites that were supposed to pass inspection actually violated Facebook’s rules against clickbait and low-quality content and could have indicated to Facebook that something was amiss.
Many of the decoy sites offered outlandish or false information. For example, another version of the Trump ad sent people to liveyourpassion9.info, which offered content such as “10 Fantastic and Bizarre Caterpillar Facts” and “10 Most Bizarre Planets You’ve Probably Never Heard Of.”
Most of the ads affiliated with the scam that locked people’s computers included links to Facebook pages, not just outside websites. While these Facebook pages may have been intended to enhance credibility, they typically posted either almost no content, or content that was just copied from elsewhere on the web. Many of the Facebook pages and the outside websites used for cloaking featured similar teasers, such as “GET ALL THE LATEST FACTS ALL OVER THE WORLD.” A Google search for that phrase turns up a handful of dubious Facebook pages and outside websites operating since June, suggesting that the scam was rolling months before ProPublica saw the ads this fall.
In addition, several of the decoy websites were associated with computer servers known to be problematic. DomainTools gave several of them a “risk score” that indicates they are worth further security review. One was classified as actively dangerous by an antivirus company nearly a month before ProPublica’s tool saw the ad.
Facebook failed to unveil the cloaking and detect the flimflams despite many prior specific warnings about the ads. Most notably, the Conway scam had been reported in May by Snopes, with which Facebook has partnered in an effort to block advertising by purveyors of fake news. Snopes found an overwhelming number of almost identical advertisements that falsely claimed Conway and other celebrities had started careers in skin care. Snopes pointed out that the free trials of skin care products could actually cost consumers almost $100. The Federal Trade Commission has fined advertisers for similar behavior.
A Facebook page associated with another ad carried more than 100 comments from users warning that this was “fake fake fake” and “clearly a scam!,” including comments posted weeks before ProPublica gathered the ad. This ad, aimed at users who were over 18 and had recently been in Switzerland, trumpeted, “Anonymous shocks Donald Trump by revealing system which made him rich!” The advertisers claimed to offer access to a stock-trading scheme promoted by the hacker collective Anonymous. They sought a minimum deposit of $250 and said “our system will quadruple this in just 24 hours.” They described their “system” as “limited to binary options,” a scheme that involves betting on whether a stock or commodity will go above or below a certain price. The FBI cited binary options earlier this year as a common vehicle for identity theft and other fraud.
The audio file used in the Trump approval ad and other tech support scams to tell people that their computers were infected was flagged as a cybersecurity risk over a year ago. And one of the sites hosting the bad code, more-updates.tech, had been marked as malicious by a widely used service almost two weeks before our tool collected it.
Goldman, the Facebook official, would not specify which services Facebook relies on to tell it whether an ad might be a problem. He also said the company doesn’t make decisions on an ad based on any one indicator.
Facebook users have been complaining for more than a year about fake political headlines leading to sites that locked their computers, according to a review of Facebook’s online help forums.
Cath Nelesen, an Arizona retiree, posted on such a help forum in October 2016, asking “how to stop a hack” that she had seen two times in one week. Nelesen, who describes herself as a “staunch Hillary supporter,” told ProPublica she clicked on an “unbelievable” link about the election. She didn’t recall exactly what it said but thought it may have falsely asserted that Hillary Clinton had been arrested.
She clearly remembered what happened next, though: “Immediately there was a message that I was infected by malware and needed to call an 800 number affiliated with Microsoft,” Nelesen said. Her son-in-law had worked for Microsoft, and had told her of swindlers claiming to be Microsoft tech support. So she realized it might be a hoax, but she didn’t know how to regain control of her computer.
“Finally I turned off and prayed,” she said. When she turned the computer back on, it worked — possibly due to the prayer, but more likely because the code that locked up the screen only works when the harmful webpage is open.
She complained to Facebook and received a generic answer about the importance of reporting problems and avoiding spam. “It was completely worthless to me,” Nelesen said. “You’d think if you report something to somebody the problem would stop, but that isn’t the way it goes. I wouldn’t depend on Facebook for any help.”