Link fraud happens on adtech platforms owned by Google, Microsoft, X, and reddit.
They each allow advertisers to spoof links with unverified "vanity URLs", laundering trust in their systems, while simultaneously deflecting blame onto advertisers when these mechanisms are exploited for fraud.
You can help raise awareness by resharing/rehosting my message on social media and reaching out to your elected government officials. The systemic enablement of link fraud by Big Tech needs to end.
Big Tech doesn't just enable fraud, they collect a lot of profit off of it, and it wouldn't even surprise me if they ran a lot of it. They don't even counter bots and spam posts in many cases any more, they stifle creator post views, they also ran several pphony crypto and NFT marketing campaigns themselves which all bilked millions of people, there is little trust left for these tech companies now, especially the social media companies. They literally run fraud havens.
Ads always have redirection involved, typically through a third party, to track ROI, conversions, etc. How the attackers take advantage of this is their redirection redirects to the real site if it's the Googlebot or from an IP range known to be owned/used by Google (or other filtering based on location, language, etc). If it's not, it redirects to the malicious site.
One solution is that the first hop in the chain has to match the domain of the display URL. That at least somewhat shows you can have a redirection that you control on the display domain. Of course, there could be an open redirect on that display domain, but those are becoming increasingly rare.
Work for a large retailer and we dealt with this a lot a year or two ago. Built custom monitoring to detect it and we sent gobs of data back to Google showing it happening. Still pops up every once in a while, but they've made some improvements in their detection/prevention.
I have tried Starbucks, Amazon, Target, Best Buy, Microsoft... none of them produce the result you're talking about.
I can't find a single sponsored result on Google for your search query.
Checking Jimmy John's, Subway, and Whole Foods, they are all seemingly targeted by shady non-official gift card checkers, which for all I know harvest gift cards. But none of these are sponsored, and only Whole Foods' target from Buyatab was a first result.
So I am still confused about a concrete, real example. Like I understand it exists, but maybe someone should share a real example.
target gift card balance
chilis gift card balance
kohls gift card balance
sephora gift card balance
… in each case, the first result was to the actual retailer. (I clicked it, just to be sure; in each case, I went to what appeared to be [retailer].com, and the legitimate site of the owner of that brand.) In each case, the result was an organic (i.e., non-ad) result; there were no ads on these queries. (I do not have an adblocker that would block these, but regardless, I went into private mode anyways, which is configured to disable uBlock.)
I guess I should have led with the statement that we dealt with this a lot 1-2 years ago and these aren't live currently. Unfortunately it was just mentioned at the end.
My post was more to illustrate an example of how this had been done in the past and briefly explain the tactics of how the threat actors were able to do it.
Look up gilimp, among many other examples. There was a malicious ad which used the real gimp.org display domain but redirected to a malicious gilimp.org when clicked.
To be fair, there are other companies that are not helping this problem. This is the legit official website for a MasterCard giftcard[0]. Seriously!?! Why is there a whole new fucking domain? Mastercard.com redirects to mastercard.us. That's weird enough but you're telling me we can't have mastercard.{com,us}/giftcard or giftcard.mastercard.{com,us}?
The reason I bring this up is because legitimate companies are teaching users bad behavior and it makes it difficult for them to develop good bullshit/spam detection. Let's even check these two websites and their whois: [1] [2]. What here tells me which one is legit? You might go check the cert and find "This website does not supply ownership information." in the blurb but unless you look at the actual cert it says the organization. So even legit companies are not making it easy to identify them. Or you might even get antagonistic behavior like target does[3], which will redirect you to a login page. Yes... a login page for a gift card... what a fucking joke. They act like they want their customers to get hacked.
I'm not saying Google and the social media companies are not responsible (they definitely have some) but just saying that the legitimate companies create an environment that makes it easy for spammers and scammers to deceive people. Normal people are not going to have the means to actually verify the validity of a website and legitimate websites aren't even making attempts to make this easy, arguably they are just creating more noise.
I recently had a small project to proxy through cloudfront, using our main TLD/SDL and route53, any website we were asked to proxy. I think it took me at most 3 days to automate that (counting the discussion, demand definition, and demos), and now we're able to proxy websites like that (who are created by partners or subcontractors) in minutes. 3 man-day is basically free for any company that use AWS or any public cloud imho, and that would help a lot.
But some people use services like ClickCease which helps mitigate click fraud (e.g. if your competitor clicks your ad over and over, ClickCease and similar services can automatically exclude their IP so they can’t click your ads.. or at least that’s the pitch)
Some of these services work by being the first hop in the redirect chain.
I was under the impression that Google whitelists services allowed to be used for redirects.
Too many people would complain if they just turned it on, watch the trackers fly by.
Since their customers are the people running the trackers and giving them money, they listen to the advertisers and not the cattle who are clicking on ads.
Sure, but right now any mid-level mangler can hire "bobs discount SEO, advertising, and snow clearing" to run some Google ads for them, and move on. If Bob has to get the manager to get approval from IT to subdesignate or add a CNAME or whatever they need, it's a huge additional friction.
I think many people think that advertising is "Kohl's goes to Google and buys an ad" - it's much more often Kohls hires an agency that hires an agency that manages a independent company that fills out the actual ads, and they all want to track their piece of the pie.
This hacker news comment citing a peer reviewed study from the other time this article was posted gives a concrete example of how someone might fraudulently lead someone to a different than expected link: https://t.ly/77r6z
Link fraud is a good thing because it undermines the advertising economy. Anything which causes consumers to mistrust and ignore advertising can only be a positive.
They each allow advertisers to spoof links with unverified "vanity URLs", laundering trust in their systems, while simultaneously deflecting blame onto advertisers when these mechanisms are exploited for fraud.
You can help raise awareness by resharing/rehosting my message on social media and reaching out to your elected government officials. The systemic enablement of link fraud by Big Tech needs to end.