Hacker News new | past | comments | ask | show | jobs | submit login
Big Tech's role in enabling link fraud (eligrey.com)
135 points by Sephr 11 months ago | hide | past | favorite | 51 comments



It amazes how many blatantly fraudulent spam twitter accounts there are, with links not even masked behind url shorteners. Every single day I get these accounts liking random comments of mine and these are so bad they can be caught by naive bayes filtering. Here's some examples[0] that all have a ".click" domain and their bios are very clearly spammy.

But I think my favorite is that I have messages that Twitter classified as spam, and that I have reported these profiles, but months later they still exist. Profiles that are even clones![1] What's even more funny is that when I originally got the message from this person twitter would suggest similar profiles and I could see 30 others with the exact same profile picture, all created in the same month, all without any activity, and all with the same pattern of name + random number string.

I agree with the article's point, but I just want to point out here that there's even a far lower bar that these platforms are failing to achieve. If I'm reporting 5 people a week and those profiles still exist months later, clearly the platform is doing something wrong.

[0] https://twitter.com/Eleanor1541800, https://twitter.com/Eva626692385410, https://twitter.com/Serenity1260229

[1] https://twitter.com/ReneeYoung71651, https://twitter.com/Jessica77414656, https://twitter.com/Jessica43172228


YouTube had this same issue for years to the point where various creators had scripts they would run constantly to clean the spam out of their video comments using very simple filters. It's amazing the apathy that big tech companies have to this sort of problem.

Wonder why HN doesn't have the same spam problem? Because Dang actually cares about the site's content quality and not about quarterly user growth :)


Yep I've encountered so so many of these too. It's amazing how obvious they are even to the most primitive filter, so I'm just at a complete loss as to why X/Twitter is so disincentivized to fix it ... especially given Elon's spiel about removing bots from the platform.


Yeah I've never had much faith in Elon. Always seems to care more about what is said than what is done. I'm just surprised people still believe him considering he's promised so much and delivered so little. I mean not that he hasn't done stuff, but he promises far more. But I guess he's the richest man alive and I'm not, so what do I know.


Quite a lot of them even have blue ticks, meaning they're paying for the privilege.

It all stems from the "free speech" unwillingness to ban accounts, and gutting the account-banning teams. As well as the very real problem that some of the big grifters that he loves on the platform also love their inflated follower counts.


Let's be clear though, the platform is not a platform of free speech as in 1st Amendment free speech. Actually I'm not sure what definition it falls under because they don't allow threads, they don't allow you to see posts without logging in (though s/twitter.com/nittern.net solves that?!), and it seems to have just become a pay to speak platform (or maybe I'm soft-shadow banned for reporting so many accounts). I'm not sure under what metric this Twitter is better than the one before.


If you take free speech to its extreme spam filters should be taken down, no?

Ofcourse no actual real life user wants to inundated with spam, scams and advertising.


I don't think Elon cares about those profiles. The more activities the better


He paid good money for all those Twitter profiles, only fair to expect him to want to have all of them around.


It’s interesting because he originally said he was buying Twitter because of the bots, and then later tried to nuke the deal claiming the proliferation of bots had created a material change in the business.. either way you’d expect that to be a priority for him to fix.

I think he believed it would be an easy project and a funny meme to own it, and it will soon be repossessed by Morgan Stanley.


Link fraud happens on adtech platforms owned by Google, Microsoft, X, and reddit.

They each allow advertisers to spoof links with unverified "vanity URLs", laundering trust in their systems, while simultaneously deflecting blame onto advertisers when these mechanisms are exploited for fraud.

You can help raise awareness by resharing/rehosting my message on social media and reaching out to your elected government officials. The systemic enablement of link fraud by Big Tech needs to end.


Big Tech doesn't just enable fraud, they collect a lot of profit off of it, and it wouldn't even surprise me if they ran a lot of it. They don't even counter bots and spam posts in many cases any more, they stifle creator post views, they also ran several pphony crypto and NFT marketing campaigns themselves which all bilked millions of people, there is little trust left for these tech companies now, especially the social media companies. They literally run fraud havens.


Thanks. It would be great if you could provide some concrete examples. I have read the article but still don’t really understand how this works.

Examples help to explain it to other people who need to know.


Search: [retailer] gift card balance

Ad shows up:

   Text: Check Your [Retailer] Gift Card
   Display URL: https://www.[retailer].com/
Click the ad, get redirected to the malicious site: https://www.[retailer]-gift-card.com/

Ads always have redirection involved, typically through a third party, to track ROI, conversions, etc. How the attackers take advantage of this is their redirection redirects to the real site if it's the Googlebot or from an IP range known to be owned/used by Google (or other filtering based on location, language, etc). If it's not, it redirects to the malicious site.

One solution is that the first hop in the chain has to match the domain of the display URL. That at least somewhat shows you can have a redirection that you control on the display domain. Of course, there could be an open redirect on that display domain, but those are becoming increasingly rare.

Work for a large retailer and we dealt with this a lot a year or two ago. Built custom monitoring to detect it and we sent gobs of data back to Google showing it happening. Still pops up every once in a while, but they've made some improvements in their detection/prevention.


I have tried Starbucks, Amazon, Target, Best Buy, Microsoft... none of them produce the result you're talking about.

I can't find a single sponsored result on Google for your search query.

Checking Jimmy John's, Subway, and Whole Foods, they are all seemingly targeted by shady non-official gift card checkers, which for all I know harvest gift cards. But none of these are sponsored, and only Whole Foods' target from Buyatab was a first result.

So I am still confused about a concrete, real example. Like I understand it exists, but maybe someone should share a real example.


This was a concrete example. I didn't know what "vanity URL" meant here, I read the concrete example, and now I do.


… but can you give an example?

I tried:

  target gift card balance
  chilis gift card balance
  kohls gift card balance
  sephora gift card balance
… in each case, the first result was to the actual retailer. (I clicked it, just to be sure; in each case, I went to what appeared to be [retailer].com, and the legitimate site of the owner of that brand.) In each case, the result was an organic (i.e., non-ad) result; there were no ads on these queries. (I do not have an adblocker that would block these, but regardless, I went into private mode anyways, which is configured to disable uBlock.)


I guess I should have led with the statement that we dealt with this a lot 1-2 years ago and these aren't live currently. Unfortunately it was just mentioned at the end.

My post was more to illustrate an example of how this had been done in the past and briefly explain the tactics of how the threat actors were able to do it.


Look up gilimp, among many other examples. There was a malicious ad which used the real gimp.org display domain but redirected to a malicious gilimp.org when clicked.


> Click the ad, get redirected to the malicious site: https://www.[retailer]-gift-card.com/

To be fair, there are other companies that are not helping this problem. This is the legit official website for a MasterCard giftcard[0]. Seriously!?! Why is there a whole new fucking domain? Mastercard.com redirects to mastercard.us. That's weird enough but you're telling me we can't have mastercard.{com,us}/giftcard or giftcard.mastercard.{com,us}?

The reason I bring this up is because legitimate companies are teaching users bad behavior and it makes it difficult for them to develop good bullshit/spam detection. Let's even check these two websites and their whois: [1] [2]. What here tells me which one is legit? You might go check the cert and find "This website does not supply ownership information." in the blurb but unless you look at the actual cert it says the organization. So even legit companies are not making it easy to identify them. Or you might even get antagonistic behavior like target does[3], which will redirect you to a login page. Yes... a login page for a gift card... what a fucking joke. They act like they want their customers to get hacked.

I'm not saying Google and the social media companies are not responsible (they definitely have some) but just saying that the legitimate companies create an environment that makes it easy for spammers and scammers to deceive people. Normal people are not going to have the means to actually verify the validity of a website and legitimate websites aren't even making attempts to make this easy, arguably they are just creating more noise.

[0] https://www.mastercardgiftcard.com/

[1] https://www.walmart.com/account/giftcards/balance -- https://www.whois.com/whois/walmart.com

[2] https://www.walmartgift.com/wmgift -- https://www.whois.com/whois/walmartgift.com

[3] https://www.target.com/guest/gift-card-balance


I recently had a small project to proxy through cloudfront, using our main TLD/SDL and route53, any website we were asked to proxy. I think it took me at most 3 days to automate that (counting the discussion, demand definition, and demos), and now we're able to proxy websites like that (who are created by partners or subcontractors) in minutes. 3 man-day is basically free for any company that use AWS or any public cloud imho, and that would help a lot.


> One solution is that the first hop in the chain has to match the domain of the display URL

Does anyone know why this isn't the default? I can't think of any legitimate reason why a brand wouldn't want to have their true domain displayed?

If they want to redirect to a third-party they can implement it on their own website.


I’m pretty sure it is the default.

But some people use services like ClickCease which helps mitigate click fraud (e.g. if your competitor clicks your ad over and over, ClickCease and similar services can automatically exclude their IP so they can’t click your ads.. or at least that’s the pitch)

Some of these services work by being the first hop in the redirect chain.

I was under the impression that Google whitelists services allowed to be used for redirects.


Too many people would complain if they just turned it on, watch the trackers fly by.

Since their customers are the people running the trackers and giving them money, they listen to the advertisers and not the cattle who are clicking on ads.


But you can still have trackers? You can still link to a unique URL on your own domain, and you can still pass query params to your spyware of choice?


Sure, but right now any mid-level mangler can hire "bobs discount SEO, advertising, and snow clearing" to run some Google ads for them, and move on. If Bob has to get the manager to get approval from IT to subdesignate or add a CNAME or whatever they need, it's a huge additional friction.

I think many people think that advertising is "Kohl's goes to Google and buys an ad" - it's much more often Kohls hires an agency that hires an agency that manages a independent company that fills out the actual ads, and they all want to track their piece of the pie.


Thank you. I'm also trying to follow your example.

In your scenario, the attacker is creating ads pretending to be the [retailer]?


This hacker news comment citing a peer reviewed study from the other time this article was posted gives a concrete example of how someone might fraudulently lead someone to a different than expected link: https://t.ly/77r6z


also: October 2009 : https://t.ly/pol9a


Aaaaaah… so it’s basically Rickrolling someone. Got it!


Basically any URL shortener would be an example.


Link fraud is a good thing because it undermines the advertising economy. Anything which causes consumers to mistrust and ignore advertising can only be a positive.


If you can’t beat them, join them and insidiously undermine them.


One terrible version here in NL were free to call phone numbers starting with 0800 usually followed by 4 digits. Google allowed to spoof those and point them at 1 euro per minute phone numbers. They just redirected to the free number. Lots of people I know got weird phone bills for numbers they've never seen before. For some of these, during rush hour, 20-30 min waiting time is normal.

A 2022 law now forbids people with paid numbers to redirect to 0800 free to call numbers.

I'm really curious how much money this google scam made. If I know 5 people who spend 20-40 euro on it there must be many thousands of victims.

The ads spoofed things like the tax office. First thing in the morning that number alone gets thousands of calls. One just types "tax office phone" (in dutch) in the search box and the ad says 0800-0543 You click on it and get the tax office. You might have to wait a bit because they are very patient and try to answer all your questions to the best of their ability, put you on hold to ask around etc Some people must repeatedly call the number for more than a hour in the same month. They wont notice anything until the bill comes in.


Twitter enables this through not checking the account in a URL... a simple fix would be to actually respect the Twitter URL components, if the account doesnt match the linked tweet, don't redirect...

Right now you can spoof (just as far as the URL displayed in an anchor tag) the account to be whatever you like:

Example:

https://twitter.com/elonmusk/status/1745190441539293271

This will redirect you to the following, but as content within a tweet, it will look like a legit post from Elon. Crypto-scams are using this in every single post.

https://twitter.com/ElonMuskAOC/status/1745190441539293271


>Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad.

https://support.google.com/google-ads/answer/6246601?hl=en

The author paints the picture that bad actors can just use any URL when that does not seem to be the case.


> This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad.

This policy is fundamentally impossible to enforce without domain ownership verification. 'It is against our policy' isn't exactly a good excuse when said policy isn't technically enforceable.

Google practices sampled URL resolution (which is insufficient as explained in my blog post) and does not currently require domain ownership verification for the use of vanity URLs.


I don't get it. Solving this is trivial. Simply display the url that the ad links to. Why the hell is it configurable?


Because disallowing those link redirection services would hurt the platform's profits by adding friction for advertisers. Link fraud makes them more money and they aren't punished for it.

These platforms operate more like oligarch crime lords than friends of society. There's no "free market" solution to fleecing the public, it's lucrative and all the players participate in it.


There is either a fraudulent market or a regulated market. Or a fraudulently regulated one.

Actual free market is a myth.


If browsers can load content from a different place than what they display someone is going to use that.


See my comment here on how they get around that:

edit: https://news.ycombinator.com/item?id=39006581



Oops. Yep, thanks!


Moreover, such links can be used to evade email filters that companies usually employ [1]. Combined with the habit of these corporate email services to obfuscate links "for safety", it can make it much easier to get tricked into being phished.

[1] https://www.bleepingcomputer.com/news/security/linkedin-smar...


I dislike spam as much as the next person, but the article makes some serious leaps. Demanding that the governments regulate hyperlinks while decrying "regulatory capture" feels like a non-sequitur. Moreover, it isn't immediately clear how vanity URLs or redirects are part of regulatory capture. However, it is easy to see how inviting regulation of hyperlinks could lead to regulatory capture.


I'm demanding that existing laws be enforced. Adtech has created a system that systemically enables normal fraud in the context of links. This is not a unique concept, nor does not require any new regulations or laws to address.

Big Tech is deflecting blame by pretending that these problems (that they also made) cannot be solved. Government agencies believe these claims, which results in situations like the FBI asking you to install an adblocker.


"I anticipate that the US federal government may start requiring adblockers on all federal employee devices at some point in the future."


Was the previous submission at https://news.ycombinator.com/item?id=38916266 a draft for this article? That article has formatting errors (Helvetica text) and is not in the site's article index.


Yes. My original draft addressed too many issues at once and didn't receive enough engagement on HN. I re-drafted it to be easier to understand the key points. The improved accessibility seems to have helped.

Also, thank you for noting the formatting error in my previous article. I just fixed it.


Fraud is one thing, but be warned, any anti-fraud measurements can be also used for speech censorship.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: