Facebook Allowed Political Ads That Were Actually Scams and Malware
In September, an ad with the headline, “New Approval Ratings For
President Trump Announced And It’s Not Going The Way You Think,” targeted
Facebook users in the U.S. who were over 40 and labeled as “very liberal” by
the tech company.
“Regardless of what you think of
Donald Trump and his policies, it’s fair to say that his appointment as
President of the United States is one of the most…,” ran the text. “Learn
more.”
To make American campaigns more transparent,
we’ve built a tool to display political ads that are rarely seen outside their
selected audience of Facebook users.
At least some people who clicked on
this come-on found their computers frozen. Their screens displayed a warning
and a computer-generated voice informed them that their machine had been
“infected with viruses, spywares and pornwares,” and that their credit card
information and other personal data had been stolen — and offered a phone
number to call to fix it.
Actually, the freeze was temporary,
and restarting the computer would have unlocked it. But worried users who
called the number would have been asked to pay to restore their access,
according to computer security experts who have tracked the scam for more than
a year.
This ad, which targeted Facebook
users in the U.S. who were over 40 and labeled as “very liberal” by the tech
company, led some people to a scam site that froze their computers and tried to
trick them into paying for bogus tech support.
Russian disinformation isn’t the
only deceptive political advertising on Facebook. The pitch designed to lure
President Donald Trump’s critics is one of more than a dozen politically themed
advertisements masking consumer rip-offs that ProPublica has identified since
launching an effort in September to monitor paid political messages on the
world’s largest social network.
As the American public becomes ever more polarized along partisan lines, swindlers who used to capitalize on curiosity about celebrities or sports are now exploiting political passions.
“Those political ads, especially right now if you look at the U.S., they are actually getting more clicks,” said Jérôme Segura, lead malware intelligence analyst at anti-malware company Malwarebytes. “Where there are clicks, there is going to be interest from bad guys.”
The ads, supplied by ProPublica
readers through our Political Ad Collector tool, lured Facebook viewers with provocative
statements about hot-button figures such as former President Barack Obama,
Ivanka Trump, Fox News commentator Sean Hannity and presidential adviser
Kellyanne Conway.
Clicking on the headline, “Sponsors Pull out From His Show Over
This?” — over a photo of Hannity with MSNBC commentator Rachel Maddow — led to
a page styled to look like the Fox News website.
It offered a free bottle of Testo-Max HD, which it described as a cure for erectile dysfunction, although it isn’t approved by the FDA. People who sign up for such free nostrums are typically asked to provide credit card information to pay for shipping and are then automatically charged almost $100 a month, according to reviews online.
Another ad we collected led people
to a webpage styled to look like the Fox News site. The scam site falsely said
commentator Sean Hannity was hawking free trials of a pill called Testo-Max HD,
which it claimed could cure erectile dysfunction.
Although these scams represent only
a tiny fraction of the more than 8,000 politically themed advertisements
assembled by the Political Ad Collector, they raise doubts about Facebook’s
ability to monitor paid political messages.
In each case, the ads ran afoul of guidelines Facebook has developed to curb misleading and malicious advertising. Many of the scams had also been flagged by users, fact-checking groups and cybersecurity services — even the Federal Trade Commission — long before they appeared on the social network.
Moreover, most of the sites may have
warranted special attention because they had been registered within the 30 days
before users sent them to our Political Ad Collector. Paul Vixie, the
co-founder of San Mateo, California-based computer security company Farsight
Security, said new website domains are more likely to be shady, because
fraudsters often shut sites down after days or even minutes and open new ones
to stay ahead of authorities looking to catch them.
As the midterm elections heat up,
such cons are likely to proliferate, along with more devious forms of
information warfare.
Facebook Chief Operating Officer Sheryl Sandberg recently said in an interview with Axios that the social network had missed “more subtle” election interference in part because its security team had been focused on “the biggest threats” of malware and phishing — tricking people into revealing their personal information. Based on ProPublica’s findings, it’s unclear if the world’s largest social network can handle either challenge.
Facebook officials told ProPublica
that the company is trying to improve its ability to stop harmful advertising,
including malware and frauds, but is aware some bad ads get through its
defenses.
“There is no tolerable amount of malware on the site. The tolerance is zero, but unfortunately that’s not the same as zero occurrence,” said Rob Goldman, Facebook’s vice president of ads.
Goldman said of the 14 deceptive ads ProPublica identified, 12 were removed by Facebook before ProPublica contacted the company in November. Facebook took down the other two after ProPublica alerted it to the ads.
He declined to identify the specific
tools, such as computer virus databases or popular fact-checking website
Snopes.com, that Facebook uses to inspect ads. “It’s bad if the bad guys learn
how we enforce,” he said.
To be sure, malicious advertising —
also called “malvertising” — likely will never be stopped fully, several
cybersecurity researchers said. Segura said other internet ad companies, not
just Facebook, showed similar lapses by letting such ads through. Still, the
persistence of these ads on Facebook suggests the company doesn’t have adequate
oversight in place to stop problematic ads before they run.
Malvertising tactics that have been
reported publicly “should be dealt with and done,” Segura said. Instead, they
continue to show up — including in the Facebook ads collected by ProPublica —
indicating that “the core issue hasn’t been addressed,” he said.
Traditionally, Facebook has been
reluctant to manually review ads before they show up on its platform. In
a recent video announcement outlining the company’s
response to misleading political ads from Russia during the 2016 election,
Facebook’s CEO Mark Zuckerberg reiterated that stance.
“Most ads are bought programmatically through our apps and website without an advertiser ever speaking to someone at Facebook,” he said. He can’t guarantee, he added, that Facebook will “catch all bad content” in its system.
“We don’t check what people say before they say it and frankly, I don’t think society should want us to. Freedom means you don’t have to ask permission first, and that by default you can say what you want.”
Under pressure from its users and
lawmakers, Facebook has said it is trying to become more proactive, instituting
rules to evaluate ads and posts and block or limit those it deems misleading.
After being contacted by ProPublica,
Facebook removed several anti-Semitic ad categories and promised to improve
monitoring.
The social networking giant has long
had rules against fraudulent ads and those that lead people to “any software
that results in an unexpected or deceptive experience.” Last year, it rolled
out a policy to prevent “low quality or disruptive content” providers from
placing ads, saying that ads should “link to landing pages that include
significant and original content that is relevant” to the ad, and that they
should not “include deceptive ad copy that incentivizes people to click.”
In May, Facebook announced it had stepped up measures against “misleading, sensational and spammy” ads and posts. The company said it had used artificial intelligence to figure out which new pages shared on Facebook were likely to be low quality, which the company defined as having “little substantive content” or a lot of shocking or scammy ads. If its algorithms determined a post was likely to link to that sort of web page, it said, the post “may not be eligible” to be used in advertising.
Since 2014, Facebook has also
intensified its efforts to crack down on so-called “clickbait,” which it says includes “headlines that intentionally
leave out crucial information, or mislead people, forcing people to click to
find out the answer.”
All the consumer rip-off ads
recorded by ProPublica violated one or more of these rules.
It is unclear how many people have
been cheated by such ads on Facebook. ProPublica’s sample is not random or representative,
and the vast majority of politically themed ads ProPublica saw were legitimate.
But what seems like a small annoyance for the social network can be a big headache for hundreds or thousands of people. For example, Facebook recently told lawmakers that only about 0.004 percent of the content on its news feed from June 2015 to August 2017 was related to the Russian Internet Research Agency’s influence campaign — but that meant 126 million Americans may have seen such items.
The Facebook scams are the latest in
a long line of deceptive campaigns using digital ad technology, said Robyn
Caplan, a researcher who studies algorithms and media at the New York-based
Data & Society Research Institute.
They are “building off of really
well-worn techniques with advertising in the ’90s,” she said. At that time,
scammers started using techniques to manipulate search engine algorithms and
promote their own pages. “Clickbait” and similar tactics arose as a way to
entice web users.
On Facebook, though, hucksters can
take their manipulation to the next level because the company gathers so much
data about people and allows advertisers to target messages based on that data.
So scammers can ensure their clickbait is seen by the people they think are
most likely to fall for their outrageous headlines.
The political scam ads identified by
ProPublica had certain traits in common. At least seven were associated with a
scheme that sends readers to a web page containing a snippet of malicious
computer code, or malware, to lock up the user’s computer.
Those included the ad featuring Trump’s approval rating, as well as ones headlined “Ivanka Trump Has Actually Responded to Her Dad’s ‘Incestuous Comments’ About Her” — which were also targeted at “very liberal” people over 40 — and “This Barack Obama Quote About Donald Trump Is Absolutely Terrifying,” for which we couldn’t identify the target audience.
Typically, after their computers are
frozen, users are instructed to call a toll-free number. Our calls to that
number in the weeks after the ads ran went unanswered, but people who track
this particular hoax say the perpetrators usually ask for money or login
information to fix the person’s machine.
These attacks, known as “tech
support scams,” have been a common problem for several years, said Will Maxson,
the assistant director of the division of marketing practices at the Federal
Trade Commission who has been fighting them since 2013.
When Facebook users clicked on some
of these fraudulent ads, they were taken to a page with a snippet of malicious
computer code, or malware, to freeze their computers. They were then instructed
to call a number for tech support, even though they could have unlocked the
screen by simply restarting the computer.
Maxson said when he started, the
scammers called potential victims on the phone and claimed to be from Microsoft
or Apple. They have since also adopted more sophisticated techniques, including
the computer-locking code seen by ProPublica.
We couldn’t figure out who was
behind the tech support scams we found. The accounts used fake names such as
Facts WorldWide and News Express.
Website registrations for the sites used in the ads, which had addresses such as poolparty9.info and factsforyou.info, used a service that masked the actual address. Clues on one related site and in the malicious code pointed to people in India, but such details can be easy to fake, and attempts to contact the people went unanswered.
Facebook isn’t the only company to
have overlooked the tech support scam. The ad about Trump’s approval rating
used a known flaw in web-browsing software that can be exploited to eat up all
available memory, making the computer freeze. This browser vulnerability
was first reported in 2014 and has been used by
tech-support fraudsters for about a year, Segura, the malware researcher, said.
But Safari and Microsoft’s newest
browser, Edge, were the only ones with a fix when the ads ran. A spokesman for
Google, which makes the Chrome browser, said the company had introduced an
“initial patch” for the bug in September but was still working on improving
protections against the flaw. A spokesman for Mozilla, which makes the Firefox
browser, said the organization plans to fix the problem in an upcoming version.
Even if this flaw were fixed, there
are other vulnerabilities that tech support fraudsters commonly use to lock up
computers, such as trapping a user in a pop-up screen.
To hide their activities from
Facebook’s automated scanning tools, almost all of the scammers used a
technique called cloaking.
Typically, cloaking involves running bad content only at certain times or to selected audiences, redirecting some people to a separate website, or automatically altering the content depending on who is looking.
In August, Facebook issued a press release detailing how the company was using artificial intelligence to uncover cloaking.
One version of the ad about Trump’s
approval ratings sent users to a site named poolparty9.info.
When we first saw it on Sept. 25, that site automatically funneled many users to another site — more-updates.tech — which had the bad code to lock up their machines.
When we rechecked the ad later, poolparty9.info was blank and didn’t send people anywhere else. Presumably, computer security experts told us, poolparty9 would have kept any Facebook scanners it detected on the same blank page, rather than referring them to more-updates.tech.
The shady ads we saw used outrageous
headlines about political figures to lure people to click. Facebook said all
the ads violated at least one of its policies, including those against fraud
and malware.
Cloaking also protected a set
of ads proclaiming that Kellyanne Conway was leaving
the White House. The reasons for her departure given in the linked article
changed depending on the user’s choice of browser.
In Firefox, the site said she quit her job to sell Allura Skin cream, but when an automated internet archiving service — similar to a tool that a company like Facebook might employ to scan ads — visited the same site, the story merely said Conway had left, and didn’t say what she planned to do.
ProPublica’s tool collected at least
five different versions of the Conway-related ad. They linked to sites such as
cashmillionaire.info and jumping-jimmies.info, which were registered using the
email address freemoneyteam@hotmail.com, according to DomainTools, a
Seattle-based computer forensics service.
These sites encourage visitors to sign up for a free trial of skin cream and ask for credit card information to pay only for shipping. But consumers are then charged nearly $100 automatically for each small vial of cream, according to Snopes.
Cloaking is supposed to trick
companies like Facebook by showing them legitimate websites and pages. But in
these cases, even the sites that were supposed to pass inspection actually
violated Facebook’s rules against clickbait and low-quality content and could
have indicated to Facebook that something was amiss.
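The signals described above, checked in code: a landing page that serves an automated scanner something different from what a browser receives, and a domain registered within 30 days of the ad being seen. This is an added example, not code from the article or from Facebook's tooling; the profile names, thresholds, `.example` hosts, dates and page text are assumptions constructed for illustration, and registration dates would in practice come from WHOIS data.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from urllib.parse import urlsplit
import re


@dataclass
class Observation:
    profile: str    # which client fetched the page, e.g. "scanner" or "firefox"
    final_url: str  # URL reached after following redirects
    body: str       # HTML that this client was served


def host(url):
    return (urlsplit(url).hostname or "").lower()


def tokens(html):
    """Lower-cased words of the visible text (scripts, styles and tags removed)."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return re.findall(r"[a-z0-9']+", re.sub(r"<[^>]+>", " ", html).lower())


def similarity(a, b):
    # Ratio of matching words, 1.0 for identical (or both empty) word lists.
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def assess(registered, first_seen, observations, baseline="scanner",
           max_age_days=30, min_similarity=0.8):
    """Return a list of findings for one ad landing page.

    Every non-baseline observation is compared with what the baseline
    (scanner-like) client was served. Thresholds are assumed values.
    """
    findings = []
    if 0 <= (first_seen - registered).days <= max_age_days:
        findings.append("new-domain")
    base = next((o for o in observations if o.profile == baseline), None)
    if base is None:
        raise ValueError(f"no observation for baseline profile {baseline!r}")
    base_words = tokens(base.body)
    for obs in observations:
        if obs is base:
            continue
        # Some clients are sent to a different site than the scanner saw.
        if host(obs.final_url) != host(base.final_url):
            findings.append(f"redirect-differs:{obs.profile}")
        words = tokens(obs.body)
        if not base_words and words:
            # Scanner was held on a blank page while another client got content.
            findings.append(f"blank-for-{baseline}:{obs.profile}")
        elif similarity(base_words, words) < min_similarity:
            findings.append(f"content-differs:{obs.profile}")
    return findings


# Constructed sample data: reserved .example hosts, invented dates and text.
REDIRECT_CASE = [
    Observation("scanner", "http://decoy.example/story", "<html><body></body></html>"),
    Observation("browser", "http://locker.example/alert",
                "<h1>Warning</h1><p>Your computer is infected. Call support now.</p>"),
]
BROWSER_CASE = [
    Observation("scanner", "http://news.example/a",
                "<p>Adviser leaves post. No plans announced.</p>"),
    Observation("firefox", "http://news.example/a",
                "<p>Adviser leaves post to sell skin cream. "
                "Claim your free trial today, pay only shipping.</p>"),
]
CLEAN_CASE = [
    Observation("scanner", "https://paper.example/poll",
                "<p>New poll shows approval unchanged.</p>"),
    Observation("firefox", "https://paper.example/poll",
                "<p>New poll shows approval unchanged.</p>"),
]

if __name__ == "__main__":
    print(assess(date(2024, 5, 20), date(2024, 5, 25), REDIRECT_CASE))
    print(assess(date(2024, 5, 1), date(2024, 5, 10), BROWSER_CASE))
    print(assess(date(2016, 3, 1), date(2024, 5, 25), CLEAN_CASE))
```

A scanner that always fetches from the same addresses with the same client string is what cloaking keys on, so the comparison is only as good as the variety of profiles observed.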
Many of the decoy sites offered
outlandish or false information. For example, another version of the Trump ad
sent people to liveyourpassion9.info, which offered content such as “10
Fantastic and Bizarre Caterpillar Facts” and “10 Most Bizarre Planets You’ve
Probably Never Heard Of.”
Most of the ads affiliated with the
scam that locked people’s computers included links to Facebook pages, not just
outside websites. While these Facebook pages may have been intended to enhance
credibility, they typically posted either almost no content, or content that
was just copied from elsewhere on the web.
Many of the Facebook pages and the outside websites used for cloaking featured similar teasers, such as “GET ALL THE LATEST FACTS ALL OVER THE WORLD.” A Google search for that phrase turns up a handful of dubious Facebook pages and outside websites operating since June, suggesting that the scam was rolling months before ProPublica saw the ads this fall.
In addition, several of the decoy
websites were associated with computer servers known to be problematic.
DomainTools gave several of them a “risk score” that indicates they are worth
further security review. One was classified as actively dangerous by an antivirus company
nearly a month before ProPublica’s tool saw the ad.
Facebook failed to unveil the
cloaking and detect the flimflams despite many prior specific warnings about
the ads. Most notably, the Conway scam had been reported in May by Snopes, with
which Facebook has partnered in an effort to block advertising by purveyors of
fake news.
Snopes found an overwhelming number of almost identical advertisements that falsely claimed Conway and other celebrities had started careers in skin care. Snopes pointed out that the free trials of skin care products could actually cost consumers almost $100. The Federal Trade Commission has fined advertisers for similar behavior.
A Facebook page associated with
another ad carried more than 100 comments from users warning that this was
“fake fake fake” and “clearly a scam!,” including comments posted weeks before
ProPublica gathered the ad.
This ad, aimed at users who were over 18 and had recently been in Switzerland, trumpeted, “Anonymous shocks Donald Trump by revealing system which made him rich!” The advertisers claimed to offer access to a stock-trading scheme promoted by the hacker collective Anonymous.
They sought a minimum deposit of $250 and said “our system will quadruple this in just 24 hours.” They described their “system” as “limited to binary options,” a scheme that involves betting on whether a stock or commodity will go above or below a certain price. The FBI cited binary options earlier this year as a common vehicle for identity theft and other fraud.
Advertisers who trumpeted “Anonymous
shocks Donald Trump by revealing system which made him rich!” offered access to
what they portrayed as a stock-trading tool promoted by the hacker collective Anonymous.
They sought a minimum deposit of $250 and said “our system will quadruple this
in just 24 hours.”
The FBI has cited this type of scheme as a common vehicle for fraud and identity theft.
“I just wonder why Facebook keeps
suggesting these. This should be checked before actually sending this to
people,” one Facebook user complained.
The audio file used in the Trump
approval ad and other tech support scams to tell people that their computers
were infected was flagged as a cybersecurity risk over a year ago. And one of the sites hosting the bad
code, more-updates.tech, had been marked as malicious by a widely used service
almost two weeks before our tool collected it.
Goldman, the Facebook official,
would not specify which services Facebook relies on to tell it whether an ad
might be a problem. He also said the company doesn’t make decisions on an ad
based on any one indicator.
Facebook users have been complaining
for more than a year about fake political headlines leading to sites that
locked their computers, according to a review of Facebook’s online help forums.
Cath Nelesen, an Arizona retiree,
posted on such a help forum in October 2016, asking “how to stop a hack” that
she had seen two times in one week. Nelesen, who describes herself as a
“staunch Hillary supporter,” told ProPublica she clicked on an “unbelievable”
link about the election. She didn’t recall exactly what it said but thought it
may have falsely asserted that Hillary Clinton had been arrested.
She clearly remembered what happened next, though: “Immediately there was a message that I was infected by malware and needed to call an 800 number affiliated with Microsoft,” Nelesen said. Her son-in-law had worked for Microsoft, and had told her of swindlers claiming to be Microsoft tech support. So she realized it might be a hoax, but she didn’t know how to regain control of her computer.
“Finally I turned off and prayed,”
she said. When she turned the computer back on, it worked — possibly due to the
prayer, but more likely because the code that locked up the screen only works
when the harmful webpage is open.
She complained to Facebook and
received a generic answer about the importance of reporting problems and
avoiding spam. “It was completely worthless to me,” Nelesen said. “You’d think
if you report something to somebody the problem would stop, but that isn’t the
way it goes. I wouldn’t depend on Facebook for any help.”
Jennifer Valentino-DeVries is a
reporter covering technology and public policy.
Jeff Larson is a reporter at ProPublica. @thejefflarson
Julia Angwin is a senior reporter at ProPublica.
From 2000 to 2013, she was a reporter at The Wall Street Journal, where she led
a privacy investigative team that was a finalist for a Pulitzer Prize in
Explanatory Reporting in 2011 and won a Gerald Loeb Award in 2010.