In September, an advertisement with the headline “New Approval Ratings For President Trump Announced And It’s Not Going The Way You Think” targeted Facebook users in the United States who were over 40 and labeled as “very liberal” by the technology company.
“Regardless of what you think of Donald Trump and his policies, it’s fair to say that his appointment as president of the United States is one of the most…,” ran the text. “Learn more.”
At least some people who clicked on this come-on found their computers frozen. Their screens displayed a warning and a computer-generated voice informed them that their machine had been “infected with viruses, spywares and pornwares”, and that their credit card information and other personal data had been stolen – and offered a phone number to call to fix it.
Actually, the freeze was temporary, and restarting the computer would have unlocked it. But worried users who called the number would have been asked to pay to restore their access, according to computer security experts who have tracked the scam for more than a year.
Politics, provocation the bait
Russian disinformation is not the only deceptive political advertising on Facebook. The pitch designed to lure President Donald Trump’s critics is one of more than a dozen politically themed advertisements masking consumer rip-offs that ProPublica has identified since launching an effort in September to monitor paid political messages on the world’s largest social network. As the American public becomes ever more polarised along partisan lines, swindlers who used to capitalise on curiosity about celebrities or sports are now exploiting political passions.
“Those political ads, especially right now if you look at the United States, they are actually getting more clicks,” said Jérôme Segura, lead malware intelligence analyst at anti-malware company Malwarebytes. “Where there are clicks, there is going to be interest from bad guys.”
The advertisements, supplied by ProPublica readers through our Political Ad Collector tool, lured Facebook viewers with provocative statements about hot-button figures such as former President Barack Obama, Ivanka Trump, Fox News commentator Sean Hannity and presidential adviser Kellyanne Conway.
Clicking on the headline “Sponsors Pull out From His Show Over This?” – over a photo of Hannity with MSNBC commentator Rachel Maddow – led to a page styled to look like the Fox News website. It offered a free bottle of Testo-Max HD, which it described as a cure for erectile dysfunction, although it is not approved by the Food and Drug Administration. People who sign up for such free nostrums are typically asked to provide credit card information to pay for shipping and are then automatically charged almost $100 a month, according to reviews online.
Failing the challenge
Although these scams represent only a tiny fraction of the more than 8,000 politically themed advertisements assembled by the Political Ad Collector, they raise doubts about Facebook’s ability to monitor paid political messages. In each case, the advertisements ran afoul of guidelines Facebook has developed to curb misleading and malicious advertising. Many of the scams had also been flagged by users, fact-checking groups and cybersecurity services – even the Federal Trade Commission – long before they appeared on the social network.
Moreover, most of the sites may have warranted special attention because they had been registered within the 30 days before users sent them to our Political Ad Collector. Paul Vixie, co-founder of San Mateo, California-based computer security company Farsight Security, said new website domains are more likely to be shady, because fraudsters often shut sites down after days or even minutes and open new ones to stay ahead of authorities looking to catch them.
As the midterm elections heat up, such cons are likely to proliferate, along with more devious forms of information warfare. Facebook chief operating officer Sheryl Sandberg recently said in an interview with Axios that the social network had missed “more subtle” election interference in part because its security team had been focused on “the biggest threats” of malware and phishing – tricking people into revealing their personal information. Based on ProPublica’s findings, it is unclear if the world’s largest social network can handle either challenge.
Facebook officials told ProPublica that the company is trying to improve its ability to stop harmful advertising, including malware and frauds, but is aware some bad advertisements get through its defences. “There is no tolerable amount of malware on the site. The tolerance is zero, but unfortunately that’s not the same as zero occurrence,” said Rob Goldman, Facebook’s vice-president of ads. Goldman said of the 14 deceptive ads ProPublica had identified, 12 were removed by Facebook before ProPublica contacted the company in November. Facebook took down the other two after ProPublica alerted it to the advertisements.
He declined to identify the specific tools, such as computer virus databases or popular fact-checking website Snopes.com, that Facebook uses to inspect advertisements. “It’s bad if the bad guys learn how we enforce,” he said.
To be sure, malicious advertising – also called malvertising – likely will never be stopped fully, several cybersecurity researchers said. Segura said other internet advertisement companies, not just Facebook, showed similar lapses by letting such advertisements through. Still, the persistence of these advertisements on Facebook suggests the company does not have adequate oversight in place to stop problematic advertisements before they run.
Malvertising tactics that have been reported publicly “should be dealt with and done”, Segura said. Instead, they continue to show up – including in the Facebook advertisements collected by ProPublica – indicating that “the core issue hasn’t been addressed”, he said.
Traditionally, Facebook has been reluctant to manually review advertisements before they show up on its platform. In a recent video announcement outlining the company’s response to misleading political advertisements from Russia during the 2016 election, Facebook’s chief executive officer Mark Zuckerberg reiterated that stance. “Most ads are bought programmatically through our apps and website without an advertiser ever speaking to someone at Facebook,” he said. He cannot guarantee, he added, that Facebook will “catch all bad content” in its system. “We don’t check what people say before they say it and frankly, I don’t think society should want us to. Freedom means you don’t have to ask permission first, and that by default you can say what you want.”
Catching spam, clickbait
Under pressure from its users and lawmakers, Facebook has said it is trying to become more proactive, instituting rules to evaluate advertisements and posts and block or limit those it deems misleading.
The social networking giant has long had rules against fraudulent advertisements and those that lead people to “any software that results in an unexpected or deceptive experience”. Last year, it rolled out a policy to prevent “low quality or disruptive content” providers from placing advertisements, saying that advertisements should “link to landing pages that include significant and original content that is relevant” to the advertisement and that they should not “include deceptive ad copy that incentivises people to click”. In May, Facebook announced it had stepped up measures against “misleading, sensational and spammy” advertisements and posts. The company said it had used artificial intelligence to figure out which new pages shared on Facebook were likely to be low quality, which the company defined as having “little substantive content” or a lot of shocking or scummy advertisements. If its algorithms determined a post was likely to link to that sort of web page, it said, the post “may not be eligible” to be used in advertising.
Since 2014, Facebook has also intensified its efforts to crack down on so-called clickbait, which it says includes “headlines that intentionally leave out crucial information, or mislead people, forcing people to click to find out the answer”.
All the consumer rip-off advertisements recorded by ProPublica violated one or more of these rules.
It is unclear how many people have been cheated by such advertisements on Facebook. ProPublica’s sample is not random or representative, and the vast majority of politically themed advertisements ProPublica saw were legitimate. But what seems like a small annoyance for the social network can be a big headache for hundreds or thousands of people. For example, Facebook recently told lawmakers that only about 0.004% of the content on its news feed from June 2015 to August 2017 was related to the Russian Internet Research Agency’s influence campaign – but that meant 126 million Americans may have seen such items.
Tech support scams
The Facebook scams are the latest in a long line of deceptive campaigns using digital advertising technology, said Robyn Caplan, a researcher who studies algorithms and media at the New York-based Data & Society Research Institute.
They are “building off of really well-worn techniques with advertising in the ’90s”, she said. At that time, scammers started using techniques to manipulate search engine algorithms and promote their own pages. Clickbait and similar tactics arose as a way to entice web users.
On Facebook, though, hucksters can take their manipulation to the next level because the company gathers so much data about people and allows advertisers to target messages based on that data. So scammers can ensure their clickbait is seen by the people they think are most likely to fall for their outrageous headlines.
The political scam advertisements identified by ProPublica had certain traits in common. At least seven were associated with a scheme that sends readers to a web page containing a snippet of malicious computer code, or malware, to lock up the user’s computer. Those included the advertisement featuring Trump’s approval rating, as well as ones headlined “Ivanka Trump Has Actually Responded to Her Dad’s ‘Incestuous Comments’ About Her” – which were also targeted at “very liberal” people over 40 – and “This Barack Obama Quote About Donald Trump Is Absolutely Terrifying”, for which we could not identify the target audience.
Typically, after their computers are frozen, users are instructed to call a toll-free number. Our calls to that number in the weeks after the advertisements ran went unanswered, but people who track this particular hoax say the perpetrators usually ask for money or login information to fix the person’s machine.
These attacks, known as “tech support scams”, have been a common problem for several years, said Will Maxson, the assistant director of the division of marketing practices at the Federal Trade Commission who has been fighting them since 2013.
Maxson said when he started, the scammers called potential victims on the phone and claimed to be from Microsoft or Apple. They have since also adopted more sophisticated techniques, including the computer-locking code seen by ProPublica.
We could not figure out who was behind the technology support scams we found. The accounts used fake names such as Facts WorldWide and News Express. Website registrations for the sites used in the advertisements, which had addresses such as poolparty9.info and factsforyou.info, used a service that masked the actual address. Clues on one related site and in the malicious code pointed to people in India, but such details can be easy to fake, and attempts to contact the people went unanswered.
Facebook is not the only company to have overlooked the technology support scam. The advertisement about Trump’s approval rating used a known flaw in web-browsing software that can be exploited to eat up all available memory, making the computer freeze. This browser vulnerability was first reported in 2014 and has been used by tech-support fraudsters for about a year, Segura, the malware researcher, said. But Safari and Microsoft’s newest browser, Edge, were the only ones with a fix when the advertisements ran. A spokesman for Google, which makes the Chrome browser, said the company had introduced an “initial patch” for the bug in September but was still working on improving protections against the flaw. A spokesman for Mozilla, which makes the Firefox browser, said the organisation plans to fix the problem in an upcoming version.
Even if this flaw were fixed, there are other vulnerabilities that technology support fraudsters commonly use to lock up computers, such as trapping a user in a pop-up screen.
To hide their activities from Facebook’s automated scanning tools, almost all of the scammers used a technique called cloaking. Typically, cloaking involves running bad content only at certain times or to selected audiences, redirecting some people to a separate website, or automatically altering the content depending on who is looking. In August, Facebook issued a press release detailing how the company was using artificial intelligence to uncover cloaking.
One version of the advertisement about Trump’s approval ratings sent users to a site named poolparty9.info. When we first saw it on September 25, that site automatically funnelled many users to another site – more-updates.tech – which had the bad code to lock up their machines. When we rechecked the advertisement later, poolparty9.info was blank and did not send people anywhere else. Presumably, computer security experts told us, poolparty9 would have kept any Facebook scanners it detected on the same blank page, rather than referring them to more-updates.tech.
Cloaking also protected a set of advertisements proclaiming that Kellyanne Conway was leaving the White House. The reasons for her departure given in the linked article changed depending on the user’s choice of browser. In Firefox, the site said she quit her job to sell Allura Skin cream, but when an automated internet archiving service – similar to a tool that a company like Facebook might employ to scan advertisements – visited the same site, the story merely said Conway had left, and did not say what she planned to do.
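The two cloaking patterns described above (a redirect served only to some visitors, and a story that changes with the browser) can be surfaced by loading the same link under several client profiles and comparing what each one received. The sketch below is an added illustration, not part of the original article and not Facebook's or ProPublica's tooling; the `Observation` record, the profile labels, the 0.6 similarity threshold and the `.example` hosts are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from itertools import combinations
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Observation:
    profile: str    # label for the client that fetched the link
    final_url: str  # URL reached after following redirects
    body: str       # visible text of the page that was served

def _shingles(text, k=3):
    """Set of k-word sequences, used to compare page text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):
    """Jaccard similarity of two page texts (1.0 means identical shingles)."""
    sa, sb = _shingles(a), _shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def cloaking_signals(observations, min_similarity=0.6):
    """Compare every pair of client profiles and list what differs."""
    signals = []
    for a, b in combinations(observations, 2):
        if urlsplit(a.final_url).hostname != urlsplit(b.final_url).hostname:
            signals.append(("redirect_divergence", a.profile, b.profile))
        if bool(a.body.strip()) != bool(b.body.strip()):
            signals.append(("blank_for_one_profile", a.profile, b.profile))
        elif similarity(a.body, b.body) < min_similarity:
            signals.append(("content_divergence", a.profile, b.profile))
    return signals

# Constructed observations (reserved .example hosts, not real captures).
REDIRECT_CASE = [
    Observation("scanner", "https://landing.example/", ""),
    Observation("browser", "https://lockup.example/alert",
                "Your computer has been infected call this number now"),
]
BROWSER_CASE = [
    Observation("archiver", "https://story.example/a",
                "Official leaves post. No further plans were announced today."),
    Observation("firefox", "https://story.example/a",
                "Official leaves post to sell skin cream. Claim your free "
                "trial now, pay only shipping."),
]
CONSISTENT_CASE = [
    Observation("scanner", "https://news.example/x", "Ten facts about planets."),
    Observation("browser", "https://news.example/x", "Ten facts about planets."),
]

if __name__ == "__main__":
    for name, case in [("redirect", REDIRECT_CASE), ("browser", BROWSER_CASE),
                       ("consistent", CONSISTENT_CASE)]:
        print(name, cloaking_signals(case))
```

Legitimate sites also vary content between visitors, so a divergence is a reason for closer review rather than proof of cloaking.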
ProPublica’s tool collected at least five different versions of the Conway-related advertisement. They linked to sites such as cashmillionaire.info and jumping-jimmies.info, which were registered using the email address firstname.lastname@example.org, according to DomainTools, a Seattle-based computer forensics service. These sites encourage visitors to sign up for a free trial of skin cream and ask for credit card information to pay only for shipping. But consumers are then charged nearly $100 automatically for each small vial of cream, according to Snopes.
Cloaking is supposed to trick companies like Facebook by showing them legitimate websites and pages. But in these cases, even the sites that were supposed to pass inspection actually violated Facebook’s rules against clickbait and low-quality content and could have indicated to Facebook that something was amiss.
Many of the decoy sites offered outlandish or false information. For example, another version of the Trump advertisement sent people to liveyourpassion9.info, which offered content such as “10 Fantastic and Bizarre Caterpillar Facts” and “10 Most Bizarre Planets You’ve Probably Never Heard Of”.
Most of the advertisements affiliated with the scam that locked people’s computers included links to Facebook pages, not just outside websites. While these Facebook pages may have been intended to enhance credibility, they typically posted either almost no content, or content that was just copied from elsewhere on the web. Many of the Facebook pages and the outside websites used for cloaking featured similar teasers, such as “GET ALL THE LATEST FACTS ALL OVER THE WORLD”. A Google search for that phrase turns up a handful of dubious Facebook pages and outside websites operating since June, suggesting that the scam was rolling months before ProPublica saw the advertisements this fall.
In addition, several of the decoy websites were associated with computer servers known to be problematic. DomainTools gave several of them a “risk score” that indicates they are worth further security review. One was classified as actively dangerous by an antivirus company nearly a month before ProPublica’s tool saw the advertisement.
Facebook failed to unveil the cloaking and detect the flimflams despite many prior specific warnings about the advertisements. Most notably, the Conway scam had been reported in May by Snopes, with which Facebook has partnered in an effort to block advertising by purveyors of fake news. Snopes found an overwhelming number of almost identical advertisements that falsely claimed Conway and other celebrities had started careers in skin care. Snopes pointed out that the free trials of skin care products could actually cost consumers almost $100. The Federal Trade Commission has fined advertisers for similar behaviour.
A Facebook page associated with another advertisement carried more than 100 comments from users warning that this was “fake fake fake” and “clearly a scam!”, including comments posted weeks before ProPublica gathered the advertisement. This advertisement, aimed at users who were over 18 and had recently been in Switzerland, trumpeted, “Anonymous shocks Donald Trump by revealing system which made him rich!” The advertisers claimed to offer access to a stock-trading scheme promoted by the hacker collective Anonymous. They sought a minimum deposit of $250 and said “our system will quadruple this in just 24 hours”. They described their system as “limited to binary options”, a scheme that involves betting on whether a stock or commodity will go above or below a certain price. The Federal Bureau of Investigation cited binary options earlier this year as a common vehicle for identity theft and other fraud.
“I just wonder why Facebook keeps suggesting these. This should be checked before actually sending this to people,” one Facebook user complained.
The audio file used in the Trump approval advertisement and other technology support scams to tell people that their computers were infected was flagged as a cybersecurity risk over a year ago. And one of the sites hosting the bad code, more-updates.tech, had been marked as malicious by a widely used service almost two weeks before our tool collected it.
Goldman, the Facebook official, would not specify which services Facebook relies on to tell it whether an advertisement might be a problem. He also said the company does not make decisions on an advertisement based on any one indicator.
Facebook users have been complaining for more than a year about fake political headlines leading to sites that locked their computers, according to a review of Facebook’s online help forums.
Cath Nelesen, an Arizona retiree, posted on such a help forum in October 2016, asking “how to stop a hack” that she had seen two times in one week. Nelesen, who describes herself as a “staunch Hillary supporter”, told ProPublica she clicked on an unbelievable link about the election. She did not recall exactly what it said but thought it may have falsely asserted that Hillary Clinton had been arrested.
She clearly remembered what happened next, though: “Immediately there was a message that I was infected by malware and needed to call an 800 number affiliated with Microsoft,” Nelesen said. Her son-in-law had worked for Microsoft, and had told her of swindlers claiming to be Microsoft technology support. So she realised it might be a hoax, but she did not know how to regain control of her computer.
“Finally I turned off and prayed,” she said. When she turned the computer back on, it worked – possibly due to the prayer, but more likely because the code that locked up the screen only works when the harmful webpage is open.
She complained to Facebook and received a generic answer about the importance of reporting problems and avoiding spam. “It was completely worthless to me,” Nelesen said. “You’d think if you report something to somebody the problem would stop, but that isn’t the way it goes. I wouldn’t depend on Facebook for any help.”
This article first appeared on ProPublica.