[HN Gopher] Big Tech's role in enabling link fraud
___________________________________________________________________
Big Tech's role in enabling link fraud
Author : Sephr
Score : 44 points
Date : 2024-01-15 18:01 UTC (4 hours ago)
(HTM) web link (eligrey.com)
(TXT) w3m dump (eligrey.com)
| Sephr wrote:
| Link fraud happens on adtech platforms owned by Google,
| Microsoft, X, and reddit.
|
| They each allow advertisers to spoof links with _unverified_
| "vanity URLs", laundering trust in their systems, while
| simultaneously deflecting blame onto advertisers when these
| mechanisms are exploited for fraud.
|
| You can help raise awareness by resharing/rehosting my message on
| social media and reaching out to your elected government
| officials. The systemic enablement of link fraud by Big Tech
| needs to end.
| baxtr wrote:
| Thanks. It would be great if you could provide some concrete
| examples. I have read the article but still don't really
| understand how this works.
|
| Examples help to explain it to other people who need to know.
| TimPC wrote:
| Basically any URL shortener would be an example.
| MOARDONGZPLZ wrote:
| This Hacker News comment, citing a peer-reviewed study from
| the other time this article was posted, gives a concrete
| example of how someone might fraudulently lead someone to a
| different link than expected: https://t.ly/77r6z
| lainga wrote:
| also: _October 2009_ : https://t.ly/pol9a
| strictnein wrote:
| Search: [retailer] gift card balance
|
| Ad shows up: Text: Check Your [Retailer]
| Gift Card Display URL: https://www.[retailer].com/
|
| Click the ad, get redirected to the malicious site:
| https://www.[retailer]-gift-card.com/
|
| Ads always have redirection involved, typically through a
| third party, to track ROI, conversions, etc. The attackers
| take advantage of this by having their redirection send the
| visitor to the real site if it's the Googlebot or from an
| IP range known to be owned/used by Google (or other filtering
| based on location, language, etc). If it's not, it redirects
| to the malicious site.
|
| One solution is that the first hop in the chain has to match
| the domain of the display URL. That at least somewhat shows
| you can have a redirection that you control on the display
| domain. Of course, there could be an open redirect on that
| display domain, but those are becoming increasingly rare.
|
| I work for a large retailer and we dealt with this a lot a
| year or two ago. We built custom monitoring to detect it and
| sent gobs of data back to Google showing it happening. It
| still pops up every once in a while, but they've made some
| improvements in their detection/prevention.
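The cloaking and the proposed "first hop must be on the display domain" check described in the comment above, as an added example that is not part of the thread: a small simulation of an ad click chain in which a third-party tracking hop returns the advertised site to anything that looks like the platform's crawler and the malicious site to everyone else. All hostnames, the crawler IP range and the user-agent strings are constructed for the example; real crawler ranges are published separately and are not reproduced here, and the registrable-domain helper is a deliberate simplification (a real check would use the Public Suffix List).

```python
"""Constructed simulation of a cloaked ad redirect chain and two policy checks:
(1) landing domain == display domain, sampled the way a platform crawler would
see it, and (2) first hop domain == display domain.  Not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Assumed crawler identifiers (made up for the example).
CRAWLER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
CRAWLER_UA_MARKER = "Googlebot"


@dataclass
class Request:
    user_agent: str
    client_ip: str


def looks_like_crawler(req: Request) -> bool:
    """The attacker's cloaking test: is this the ad platform checking on us?"""
    if CRAWLER_UA_MARKER in req.user_agent:
        return True
    ip = ipaddress.ip_address(req.client_ip)
    return any(ip in net for net in CRAWLER_NETS)


# A hop maps the current request to the next URL, or None at the landing page.
Hop = Callable[[Request], Optional[str]]


def cloaking_tracker(req: Request) -> Optional[str]:
    """Third-party 'tracking' hop that behaves differently for crawlers."""
    if looks_like_crawler(req):
        return "https://www.retailer.example/gift-card-balance"
    return "https://www.retailer-gift-card.example/"


# Constructed redirect table for the simulation.
HOPS: Dict[str, Hop] = {
    # Fraudulent ad: first hop is the attacker-controlled tracker.
    "https://track.adnetwork.example/click?id=123": cloaking_tracker,
    # Honest ad: first hop is a redirector on the advertiser's own domain,
    # which can still carry tracking parameters on the way to the landing page.
    "https://www.retailer.example/ad?c=123":
        lambda req: "https://www.retailer.example/gift-card-balance?utm_campaign=123",
    "https://www.retailer.example/gift-card-balance": lambda req: None,
    "https://www.retailer.example/gift-card-balance?utm_campaign=123": lambda req: None,
    "https://www.retailer-gift-card.example/": lambda req: None,
}


def resolve_chain(start: str, req: Request, max_hops: int = 10) -> List[str]:
    """Follow the chain as a given client would experience it."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        hop = HOPS.get(url)
        nxt = hop(req) if hop else None   # unknown URL: treat as landing page
        if nxt is None:
            return chain
        chain.append(nxt)
        url = nxt
    raise RuntimeError("redirect loop or chain too long")


def registrable_domain(url: str) -> str:
    """Naive eTLD+1: last two labels.  Simplification; use the PSL for real work."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def landing_matches_display(display_url: str, chain: List[str]) -> bool:
    """The sampled check: does the final URL sit on the display domain?"""
    return registrable_domain(chain[-1]) == registrable_domain(display_url)


def first_hop_matches_display(display_url: str, chain: List[str]) -> bool:
    """The stricter rule proposed above: is the first hop on the display domain?"""
    return registrable_domain(chain[0]) == registrable_domain(display_url)


DISPLAY_URL = "https://www.retailer.example/"
FRAUD_CLICK_URL = "https://track.adnetwork.example/click?id=123"
HONEST_CLICK_URL = "https://www.retailer.example/ad?c=123"

CRAWLER = Request("Mozilla/5.0 (compatible; Googlebot/2.1)", "192.0.2.10")
USER = Request("Mozilla/5.0 (Windows NT 10.0) Firefox/121.0", "203.0.113.7")


def audit(click_url: str, req: Request) -> dict:
    chain = resolve_chain(click_url, req)
    return {
        "chain": chain,
        "landing_matches_display": landing_matches_display(DISPLAY_URL, chain),
        "first_hop_matches_display": first_hop_matches_display(DISPLAY_URL, chain),
    }


if __name__ == "__main__":
    for label, click in (("fraud", FRAUD_CLICK_URL), ("honest", HONEST_CLICK_URL)):
        for who, req in (("crawler", CRAWLER), ("user", USER)):
            print(label, who, audit(click, req))
```

Run stand-alone, the fraudulent chain passes the landing-domain check when sampled from the crawler identity and fails it for an ordinary user, which is exactly the gap cloaking exploits; the first-hop rule fails the fraudulent ad for both identities and passes the honest one, because only the advertiser can put a redirector on the advertiser's domain. The remaining hole the comment mentions, an open redirect on the display domain itself, is not modelled here.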
| Nextgrid wrote:
| > One solution is that the first hop in the chain has to
| match the domain of the display URL
|
| Does anyone know why this isn't the default? I can't think
| of any legitimate reason why a brand _wouldn't_ want to
| have their true domain displayed?
|
| If they want to redirect to a third-party they can
| implement it on their own website.
| bombcar wrote:
| Too many people would complain if they just turned it on,
| watch the trackers fly by.
|
| Since their customers are the people running the trackers
| and giving them money, they listen to the advertisers and
| not the cattle who are clicking on ads.
| Nextgrid wrote:
| But you can still have trackers? You can still link to a
| unique URL on your own domain, and you can still pass
| query params to your spyware of choice?
| bombcar wrote:
| Sure, but right now any mid-level mangler can hire "bobs
| discount SEO, advertising, and snow clearing" to run some
| Google ads for them, and move on. If Bob has to get the
| manager to get approval from IT to subdesignate or add a
| CNAME or whatever they need, it's a huge additional
| friction.
|
| I think many people think that advertising is "Kohl's
| goes to Google and buys an ad" - it's much more often
| Kohl's hires an agency that hires an agency that manages an
| independent company that fills out the actual ads, and
| they all want to track their piece of the pie.
| nradov wrote:
| Link fraud is a good thing because it undermines the
| advertising economy. Anything which causes consumers to
| mistrust and ignore advertising can only be a positive.
| dimask wrote:
| Moreover, such links can be used to evade email filters that
| companies usually employ [1]. Combined with the habit of these
| corporate email services to obfuscate links "for safety", it can
| make it much easier to get tricked into being phished.
|
| [1] https://www.bleepingcomputer.com/news/security/linkedin-
| smar...
| charcircuit wrote:
| >Google's policy is that both display and landing page URLs
| should be within the same website. This means that the display
| URL in your ad needs to match the domain that visitors land on
| when they click on your ad.
|
| https://support.google.com/google-ads/answer/6246601?hl=en
|
| The author paints the picture that bad actors can just use any
| URL when that does not seem to be the case.
| strictnein wrote:
| See my comment here on how they get around that:
|
| edit: https://news.ycombinator.com/item?id=39006581
| sokoloff wrote:
| You meant to link to:
| https://news.ycombinator.com/item?id=39006581
| strictnein wrote:
| Oops. Yep, thanks!
| Sephr wrote:
| > This means that the display URL in your ad needs to match the
| domain that visitors land on when they click on your ad.
|
| This policy is fundamentally impossible to implement without
| domain ownership verification. 'It is against our policy' isn't
| exactly a good excuse when said policy isn't technically
| enforceable.
|
| Google practices sampled URL resolution (which is insufficient
| as explained in my blog post) and does not currently require
| domain ownership verification for the use of vanity URLs.
| andersa wrote:
| I don't get it. Solving this is trivial. Simply display the
| url that the ad links to. Why the hell is it configurable?
___________________________________________________________________
(page generated 2024-01-15 23:00 UTC)